Harbor 2.7 Robot Accounts

Last modified by DevOps-as-a-Service Operator on 2025/02/05 11:33

A project robot account authenticates to your Harbor instance using a secret. Robot accounts cannot log in to the Harbor UI, but can be used to:

  • connect to the Docker Registry using the docker command or any OCI client
  • connect to the Helm chart repository using the helm command
  • connect to the Harbor API for any other automation tasks

ℹ Jenkins Users

The DevOps Portal automatically creates a Robot Account for each Project and injects the credentials into Jenkins. Therefore, especially when using the Jenkins Shared Library, you don't need to create a Harbor Robot Account manually as long as you only want to pull or push from Jenkins to the same project in Harbor.

See Automatically provided Credentials for more details. If you want to pull or push to another project, create a robot account as described below and use it as documented at Push Artifacts.

Create Robot Account

The robot account can be created by a Project Admin in the Harbor project console.

Go to Projects in Harbor, select your Project and switch to the tab named "Robot Accounts":

Screenshot 2024-02-21 092808.png

Click + NEW ROBOT ACCOUNT and enter the following details (adjust as needed):

image-2024-2-21_9-48-19.png

Description of the fields:

| Field | Remark |
|---|---|
| Name | The final robot name will consist of the fixed prefix "doaas-", the project key and the name you have chosen here |
| Description | Short description of robot user purpose |
| Expiration time | Number of days the robot account is valid, -1 for Never Expires |
| Permissions | Permissions to choose, by default all permissions are chosen |

To choose permissions, click the arrow next to the 19 PERMISSION(S) field:

image-2024-2-21_10-27-59.png

There will be 19 permissions to choose from. We recommend clicking Unselect all and then choosing only the appropriate project permissions (remember to follow the principle of least privilege):

| Repository | Artifact | Tag | Scan | Helm Chart |
|---|---|---|---|---|
| List Repository | List Artifact | Create Tag | Create Scan | Read Helm Chart |
| Pull Repository | Delete Artifact | Delete Tag | Stop Scan | Create Helm Chart Version |
| Push Repository | Create Artifact label | List Tag | | Delete Helm Chart Version |
| Delete Repository | Delete Artifact label | | | Create Helm Chart label |
| | | | | Delete Helm Chart label |

At least one permission should be chosen to create the robot account.

In most cases, pull and push permissions are sufficient for standard use cases such as using the robot account for docker push and docker pull.

The Push Repository permission must be assigned with the Pull Repository permission. You are not able to assign the Push Repository permission by itself.

ℹ Final Robot Username

The final Robot Username will be constructed by Harbor in the following way: "doaas-{project_key}+{robot_name}". For example, in the case above, the result would be "doaas-projectkey+test".

After choosing the permissions, click ADD:

image-2024-2-21_10-43-34.png

You need to click copy secret or export secret to file to be able to finalize the robot account creation. Store the secret only in safe places like an encrypted KeePassXC password database.

Harbor does not store robot secret tokens, so you must either download the secret or copy it now! There is no way to get the secret from Harbor after you have created the robot account. However, you are able to refresh the secret after the robot account is created. That means you can get a new secret for an existing robot account.

Edit, Deactivate, or Delete a Project Robot Account

You are able to edit, deactivate, or delete a project robot account.

  1. From a project’s Robot Account page, select the checkbox next to the robot account you are updating.
  2. Select Action and then Edit, Deactivate, or Delete.

image-2024-2-7_16-22-6.png

A deactivated robot account can be reactivated at any time and will use the old secret without the need to update it. Additionally, project permissions can be changed at any time.

Refresh Project Robot Account Secret

You can refresh a robot account’s secret after it's created in the event that you need a new one.

  1. On the Robot Account page, select the checkbox next to the robot account you are updating.

  2. Select Action and then Refresh Secret.

  3. By default, Harbor will generate a new secret randomly. As an alternative, you can choose to enable manually specifying the secret, then enter it and click REFRESH. Optionally, you can view the hidden secret by clicking the eye icon.

image-2024-2-7_16-24-33.png

Authenticate with a Project Robot Account

To use a robot account in an automated process, use docker login and provide the credentials of the robot account before you issue additional commands like docker pull or docker push.

      docker login https://registry-CUSTOMER.devops.t-systems.net
      Username: <prefix><project_name>+<account_name>
      Password: <secret> 

Be careful with the robot account name: the command line can misinterpret it if, for example, the name contains a $ sign!

When done working with the robot account, you can use docker logout to remove cached credentials from the file system where your docker commands are executed.
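
The login, the $ quoting caveat and the logout described above, combined into one non-interactive script. This is an added example, not part of the original page; the project key, the robot name, the constructed name containing a $ sign and the secret file path are placeholders or assumptions.

```shell
#!/bin/sh
# Added example. Placeholders/assumptions: project key "projectkey",
# robot name "test", and a file that holds the robot secret.

# Compose "<prefix><project_key>+<robot_name>". printf receives the parts as
# data, so a "$" inside any of them is never re-parsed by the shell.
robot_username() {
    printf '%s%s+%s' "$1" "$2" "$3"
}

# The pitfall: written inside double quotes, "$projectkey" is treated as an
# (unset) variable and silently disappears from the constructed name.
mangled_by_double_quotes() (
    unset projectkey
    printf '%s' "robot$projectkey+test"
)

# Log in without putting the secret on the command line or in shell history.
# $1 = registry URL, $2 = robot username, $3 = file holding the secret.
harbor_login() {
    [ -r "$3" ] || { echo "secret file not readable: $3" >&2; return 1; }
    docker login --username "$2" --password-stdin "$1" < "$3"
}

# Run a command with the docker CLI config kept in a throwaway DOCKER_CONFIG
# directory, then log out and delete that directory even if the command fails.
# $1..$3 as for harbor_login, remaining arguments = command to run.
with_robot_login() (
    registry=$1; user=$2; secret_file=$3; shift 3
    DOCKER_CONFIG=$(mktemp -d) || exit 1
    export DOCKER_CONFIG
    trap 'docker logout "$registry" >/dev/null 2>&1; rm -rf "$DOCKER_CONFIG"' EXIT
    harbor_login "$registry" "$user" "$secret_file" || exit 1
    "$@"
)

# Usage (placeholders; single quotes keep the username literal):
#   with_robot_login https://registry-CUSTOMER.devops.t-systems.net \
#       'doaas-projectkey+test' /path/to/robot-secret \
#       docker pull registry-CUSTOMER.devops.t-systems.net/projectkey/app:tag
```

Single-quote the username wherever it appears as a literal, and keep the secret file readable only by the account that runs the job.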

See https://goharbor.io/docs/2.7.0/working-with-projects/project-configuration/create-robot-accounts/ for additional information.