Wiki source code of Harbor 2.7 Robot Accounts

Last modified by DevOps-as-a-Service Operator on 2025/02/05 11:33

1 A project robot account authenticates to your Harbor instance using a secret. Robot Accounts cannot log in to the Harbor UI, but can be used to:
2
3 * connect to the Docker Registry using the {{code language="none"}}docker{{/code}} command or any OCI client
4 * connect to the Helm chart repository using the {{code language="none"}}helm{{/code}} command
5 * connect to the Harbor API for any other automation tasks
6
7 {{info title="**ℹ Jenkins Users**"}}
8 The DevOps Portal automatically creates a Robot Account for each Project and injects its credentials into Jenkins. Therefore, especially when using the [[doc:Jenkins.Jenkins Shared Library.WebHome]], you don't need to manually create a Harbor Robot Account as long as you only want to pull or push from Jenkins to the same project in Harbor.
9
10 See [[doc:Jenkins.Automatically provided Credentials.WebHome]] for more details. If you want to pull or push to another project, create a robot account as described below and use it as documented at [[doc:Jenkins.Push Artifacts.WebHome]].
11 {{/info}}
12
13 {{toc/}}
14
15 = {{id name="create_robot_account"/}}Create Robot Account =
16
17 A robot account can be created by a Project Admin in the Harbor project console.
18
19 Go to Projects in Harbor, select your Project and switch to the tab named "Robot Accounts":
20
21 [[image:attach:Screenshot 2024-02-21 092808.png||queryparams="effects=drop-shadow" height="282" width="797"]]
22
23 Click **+ NEW ROBOT ACCOUNT** and enter the following details (adjust as needed):
24
25 [[image:attach:image-2024-2-21_9-48-19.png||queryparams="effects=drop-shadow" width="500"]]
26
27 Description of the fields:
28
29 (% class="table-bordered" %)
30 (% class="active" %)|=(((
31 Field
32 )))|=(((
33 Remark
34 )))
35 |(((
36 Name
37 )))|(((
38 The final robot name will consist of the fixed prefix "doaas-", the project key and the name you have chosen here
39 )))
40 |(((
41 Description
42 )))|(((
43 Short description of robot user purpose
44 )))
45 |(((
46 Expiration time
47 )))|(((
48 Number of days the robot account is valid, -1 for Never Expires
49 )))
50 |(((
51 Permissions
52 )))|(((
53 Permissions to choose, by default all permissions are chosen
54 )))
55
56 To choose permissions, click on the arrow next to the **19 PERMISSION(S)** field:
57
58 [[image:attach:image-2024-2-21_10-27-59.png||queryparams="effects=drop-shadow" height="285" width="283"]]
59
60 There will be 19 permissions to choose from. We recommend that you **Unselect all** and then choose the appropriate project permissions (remember to follow the principle of least privilege):
61
62 (% class="table-bordered" %)
63 (% class="active" %)|=(((
64 Repository
65 )))|=(((
66 Artifact
67 )))|=(((
68 Tag
69 )))|=(((
70 Scan
71 )))|=(((
72 Helm Chart
73 )))
74 |(((
75 List Repository
76
77 Pull Repository
78
79 Push Repository
80
81 Delete Repository
82 )))|(((
83 List Artifact
84
85 Delete Artifact
86
87 Create Artifact label
88
89 Delete Artifact label
90 )))|(((
91 Create Tag
92
93 Delete Tag
94
95 List Tag
96 )))|(((
97 Create Scan
98
99 Stop Scan
100 )))|(((
101 Read Helm Chart
102
103 Create Helm Chart Version
104
105 Delete Helm Chart Version
106
107 Create Helm Chart label
108
109 Delete Helm Chart label
110 )))
111
112 At least one permission should be chosen to create the robot account.
113
114 __**In most cases, pull and push permissions are sufficient for the standard use cases**__ like using the robot account for docker push and docker pull.
115
116 The **Push Repository** permission must be assigned together with the **Pull Repository** permission. You are not able to assign the Push Repository permission by itself.
117
118 {{info title="**ℹ Final Robot Username**"}}
119 The final Robot Username will be constructed by Harbor in the following way: "**doaas-{project_key}+{robot_name}**". For example, in the case above, the result would be **"doaas-projectkey+test"**.
120 {{/info}}
121
122 After choosing the permissions, click **ADD**:
123
124 [[image:attach:image-2024-2-21_10-43-34.png||queryparams="effects=drop-shadow" height="250"]]
125
126 You need to click copy secret or export secret to file to be able to finalize the robot account creation. Store the secret only in safe places like an encrypted KeePassXC password database.
127
128 **Harbor does not store robot secret tokens, so you must either download the secret or copy it now!** There is no way to get the secret from Harbor after you have created the robot account. However, you are able to refresh the secret after the robot account is created. That means you can get a new secret for an existing robot account.
129
130 = Edit, Deactivate, or Delete a Project Robot Account =
131
132 You are able to edit, deactivate, or delete a project robot account.
133
134 1. From a project’s **Robot Account** page, select the checkbox next to the robot account you are updating.
135 1. Select **Action** and then **Edit**, **Deactivate**, or **Delete**.
136
137 [[image:attach:image-2024-2-7_16-22-6.png||queryparams="effects=drop-shadow" height="250"]]
138
139 A deactivated robot account can be reactivated at any time and will use the old secret without the need to update it. Additionally, project permissions can be changed at any time.
140
141 = Refresh Project Robot Account Secret =
142
143 You can refresh a robot account’s secret after it's created in the event that you need a new one.
144
145 1. (((
146 On the **Robot Account** page, select the checkbox next to the robot account you are updating.
147 )))
148 1. (((
149 Select **Action** and then **Refresh Secret**.
150 )))
151 1. (((
152 By default, Harbor will generate a new secret randomly. As an alternative, you can choose to enable manually specifying the secret, then enter it and click **REFRESH**. Optionally, you can view the hidden secret by clicking the eye icon.
153 )))
154
155 [[image:attach:image-2024-2-7_16-24-33.png||queryparams="effects=drop-shadow" width="450"]]
156
157 = Authenticate with a Project Robot Account =
158
159 To use a robot account in an automated process, use {{code language="none"}}docker login{{/code}} and provide the credentials of the robot account before you issue additional commands like {{code language="none"}}docker pull{{/code}} or {{code language="none"}}docker push{{/code}}.
160
161 {{code language="none"}}
162 docker login https://registry-CUSTOMER.devops.t-systems.net
163 Username: <prefix><project_name>+<account_name>
164 Password: <secret>
165 {{/code}}
166
167 Be careful with the robot account name: the command line can misinterpret it if, for example, the name contains a $ sign!
168
169 When done working with the robot account, you can use {{code language="none"}}docker logout{{/code}} to remove cached credentials from the file system where your docker commands are executed.
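
For unattended jobs, the login described above can be scripted so that the secret is read from a file and passed on stdin, and a {{code language="none"}}${{/code}} in the robot name reaches Docker unchanged. This is an added example, not part of the original page: the function names, the registry host and the secret file path are assumptions.

```shell
# Added example. Helper names are hypothetical; registry host and file
# paths in the usage comment are placeholders.

# Build "<prefix><project_key>+<robot_name>" as described on this page.
robot_username() {
  printf '%s%s+%s' "$1" "$2" "$3"
}

# Return 0 if the name contains characters an interactive shell would
# expand when the value is not single-quoted ($, backtick, !).
needs_quoting() {
  case "$1" in
    *'$'*|*'`'*|*'!'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Log in with the secret read from a file and passed on stdin, so it does
# not show up in the process list or in the shell history.
harbor_login() {
  local registry="$1" user="$2" secret_file="$3"
  [ -r "$secret_file" ] || { echo "secret file not readable" >&2; return 2; }
  # Drop line endings an editor may have appended to the stored secret.
  tr -d '\r\n' < "$secret_file" |
    docker login "$registry" --username "$user" --password-stdin
}

# Remove the cached credentials once the job is finished.
harbor_logout() {
  docker logout "$1"
}

# Usage (single quotes keep any "$" in the name literal):
#   user=$(robot_username 'doaas-' 'projectkey' 'test')
#   needs_quoting "$user" && echo "quote this name with single quotes" >&2
#   harbor_login registry-CUSTOMER.devops.t-systems.net "$user" ./robot.secret
#   docker pull ... ; docker push ...
#   harbor_logout registry-CUSTOMER.devops.t-systems.net
```

Call {{code language="none"}}harbor_logout{{/code}} from a {{code language="none"}}trap{{/code}} on exit in CI jobs so the cached credentials are removed even when a step fails.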
170
171 See [[https:~~/~~/goharbor.io/docs/2.7.0/working-with-projects/project-configuration/create-robot-accounts/>>url:https://goharbor.io/docs/2.7.0/working-with-projects/project-configuration/create-robot-accounts/||shape="rect"]] for additional information.