Harbor incorporates the concept of system-wide robot accounts. An administrator can create a system-wide robot account covering multiple projects. System robot accounts are used to create non-user-scoped credentials to perform operations and API calls across multiple projects.
Each system robot account can have multiple system permissions and multiple project level permissions across multiple projects.
The Permission References contains a list of permission and their operations. These permissions can be combined and assigned to a system robot account, allowing it to execute the desired tasks via an OCI client or the Harbor API. Robot Accounts cannot be used to log into the user interface.
You can also create project-scoped robot accounts that have access limited to a single project. Read more about project robot accounts.
View System Robot Accounts
- Log into your Harbor instance as an administrator.
- In the sidebar select Robot Accounts in the Administration section.
This page contains the lists of all existing system robot accounts in your Harbor instance. The table contains the following information for each system robot account:
The name of a system account. This is derived from robot account prefix configured for your Harbor instance and the name assigned to the account when it was created. A robot account name follows the format
<prefix><account_name>
. If you use the search function on this page, you only need to search for the account name without the prefix.Enabled status indicates whether an account is active or deactivated.
The count of system permissions an account is assigned to. To see a full set of the assigned system permissions, click on the PERMISSIONS link.
The number of projects an account is associated with. Click on the PROJECT(S) link to see a full list of projects associated with an account.
The created time shows when the robot account was created.
The account expiration time. Calculated based on the created time and the expiration time set when creating the robot account.
The manually added description for the system robot account.
Add a System Robot Account
Log in to the Harbor interface, with system administrator privileges.
Go to Administration, select a project, and select Robot Accounts.
Click New Robot Account.
Enter a name and an optional description for this robot account.
Set Expiration time for this robot account. By default the system configured expiration time is used. You can also select Never Expired from the dropdown if you want to create a never expiring robot account.
Select the system permissions for this robot account.
Select Cover all projects if you want to use this system robot account across all projects. Using this option means that this system robot account will be able to access all existing and future projects in your Harbor instance. You can select which permission to grant to the robot account.
If you want this robot account to only cover certain projects or be granted certain permissions, use the project table to select the projects and permissions you want to assign to the system robot account. This table shows the each project name, the project creation time, and a dropdown list of permissions to assign the system robot account for that project.
Click the checkbox next to the project name to associate this robot account.
By default the table shows all projects in your Harbor instance. You are able to filter for projects using the filter icon to the right of Project Name header. Note that the project table may be broken into pages and only display a subset of projects at one time depending on how many projects you have in your Harbor instance and how many projects match your filter criteria.
Use the Permissions dropdown to choose which permissions to assign to a particular project. You are able to control which permissions to assign to an individual robot account by project, allowing you fine grained control over each robot account. You can select Select All or Unselect All to quickly add or remove all permissions from a robot account.
The Push Repository permission must be assigned with the Pull Repository permission. You are not able to assign the Push Repository permission by itself.
Click the Reset All Project Permissions dropdown to control which permissions are available for each project. Selecting or unselecting a permission will add or remove the permission for every project. Using this option will adjust permissions for all projects, not just the projects shown if you have filtered for a specific project name.
Click Select All Projects to associate the system robot account with all of the projects shown in the table. If you are filtering by project name, this option will only select the filtered projects.
Click FINISH.
In the confirmation window, click Export to File to download the secret as a JSON file, or click the clipboard icon to copy its contents to the clipboard.
Harbor does not store robot account secrets, so you must either download the secret or copy and paste its contents into a text file. There is no way to get the secret from Harbor after you have created the robot account.
The new robot account appears as
<prefix>account_name
in the list of robot accounts. Read more about robot account prefixes.
Administration System Robot Account
You are able to edit, deactivate, or delete a system robot account.
- From the administrator Robot Account page, select the checkbox next to the robot account you are updating.
- Select Action and then Edit, Deactivate, or Delete.
Refresh System Robot Account Secret
You can refresh a robot account’s secret after its created in the event that you need a new one.
From the administrator Robot Account page, select the checkbox next to the robot account you are updating.
Select Action and then Refresh Secret.
By default Harbor will generate a new secret randomly, or you can choose to enable manually reseting the secret and entering the New Secret then Confirm Secret. Optionally, you can view the secret by clicking the eye icon.
Click Refresh. If you created a secret randomly, download the secret JSON file or copy and paste its contents.
Configure the Expiry Period of Robot Accounts
By default, robot accounts expire after 30 days. You can set a longer or shorter lifespan for robot accounts by modifying the expiry period for robot account tokens. The expiry period applies to all robot accounts in all projects.
Log in to the Harbor interface with an account that has Harbor system administrator privileges.
Go to Configuration and select System Settings.
In the Robot Token Expiration (Days) row, modify the number of days after which robot account tokens expire.
Configure Robot Account Prefix
By default, robot account names use a prefix of robot$
. Harbor uses this prefix to distinguish a robot account from a user account. The full name of a system robot account is the prefix and the name you provide when creating the robot account. For example if you create a new robot system account with the name test
, the full name is robot$test
.
The same prefix is used for all robot accounts, including both system and project robot accounts. When you update this value, it will apply to all existing and future system and project robot accounts, except robot accounts created in Harbor v2.1 and earlier which will continue to use the prefix robot$
.
Log in to the Harbor interface with an account that has Harbor system administrator privileges.
Go to Configuration and select System Settings.
In the Robot Name Prefix row, modify the prefix.
Authenticate with a System Robot Account
To use a robot account in an automated process, for example a script, use docker login
and provide the credentials of the robot account.
docker login <harbor_address<>
Username: <prefix><account_name>
Password: <secret>
Permission References
The below tables explain what a robot account can do with a specified permission.
System permissions
Permission (an action + a resource) | Abilities |
---|---|
List Audit log (audit-log) | 1. GET /audit-logs |
Read Catalog (catalog) | 1. GET /v2/_catalog |
Read Garbage Collection (garbage-collection) | 1. GET /system/gc/{gc_id}/log 2. GET /system/gc/schedule |
List Garbage Collection (garbage-collection) | 1. GET /system/gc |
Create Garbage Collection (garbage-collection) | 1. POST /system/gc/schedule |
Stop Garbage Collection (garbage-collection) | 1. PUT /system/gc/{gc_id} |
Update Garbage Collection (garbage-collection) | 1. PUT /system/gc/schedule |
List Job Service Monitor (jobservice-monitor) | 1. GET /jobservice/pools 2. GET /jobservice/pools/{pool_id}/workers 3. GET /jobservice/jobs/{job_id}/log 4. GET /jobservice/queues |
Stop Job Service Monitor (jobservice-monitor) | 1. PUT /jobservice/jobs/{job_id} 2. PUT /jobservice/queues/{job_type} |
Read Label (label) | 1. GET /labels/{global_label_id} |
Create Label (label) | 1. POST /labels?scope=g |
Update Label (label) | 1. PUT /labels/{global_label_id} |
Delete Label (label) | 1. DELETE /labels/{global_label_id} |
Read Preheat Instance (preheat-instance) | 1. POST /preheat/instances/ping 2. GET /p2p/preheat/instances/{preheat_instance_name} |
List Preheat Instance (preheat-instance) | 1. GET /p2p/preheat/providers 2. GET /p2p/preheat/instances |
Create Preheat Instance (preheat-instance) | 1. POST /p2p/preheat/instances |
Update Preheat Instance (preheat-instance) | 1. PUT /p2p/preheat/instances/{preheat_instance_name} |
Delete Preheat Instance (preheat-instance) | 1. DELETE /p2p/preheat/instances/{preheat_instance_name} |
List Project (project) | 1. GET /projects |
Create Project (project) | 1. POST /projects |
Read Purge Audit (purge-audit) | 1. GET /system/purgeaudit/{purge_id}/log 2. GET /system/purgeaudit/schedule 3. GET /system/purgeaudit/{purge_id} |
List Purge Audit (purge-audit) | 1. GET /system/purgeaudit |
Create Purge Audit (purge-audit) | 1. POST /system/purgeaudit/schedule |
Stop Purge Audit (purge-audit) | 1. PUT /system/purgeaudit/{purge_id} |
Update Purge Audit (purge-audit) | 1. PUT system/purgeaudit/schedule |
Read Registry (registry) | 1. POST /registries/ping 2. GET /registries/{id} 3. GET /registries/{id}/info |
List Registry (registry) | 1. GET /registries |
Create Registry (registry) | 1. POST /registries |
Update Registry (registry) | 1. PUT /registries/{id} |
Delete Registry (registry) | 1. DELETE /registries/{id} |
Read Replication (replication) | 1. GET /replication/executions/{id} 2. GET /replication/executions/{id}/tasks/{task_id}/log |
List Replication (replication) | 1. GET /replication/executions 2. GET /replication/executions/{id}/tasks |
Create Replication (replication) | 1. POST /replication/executions 2. PUT /replication/executions/{id} |
List Replication Adapter (replication-adapter) | 1. GET /replication/adapters 2. GET /replication/adapterinfos |
Read Replication Policy (replication-policy) | 1. GET /replication/policies/{id} |
List Replication Policy (replication-policy) | 1. GET /replication/policies |
Create Replication Policy (replication-policy) | 1. POST /replication/policies |
Update Replication Policy (replication-policy) | 1. PUT /replication/policies/{id} |
Delete Replication Policy (replication-policy) | 1. DELETE /replication/policies/{id} |
Read Scan All (scan-all) | 1. GET /scans/all/metrics 2. GET /scans/schedule/metrics |
Create Scan All (scan-all) | 1. POST /system/scanAll/schedule |
Stop Scan All (scan-all) | 1. POST /system/scanAll/stop |
Update Scan All (scan-all) | 1. PUT /system/scanAll/schedule |
Read Scanner (scanner) | 1. POST /scanners/ping 2. GET /scanners/{registration_id} 3. GET /scanners/{registration_id}/metadata |
List Scanner (scanner) | 1. GET /scanners |
Create Scanner (scanner) | 1. POST /scanners |
Update Scanner (scanner) | 1. PUT /scanners/{registration_id} |
Delete Scanner (scanner) | 1. DELETE /scanners/{registration_id} |
Read Security Hub (security-hub) | 1. GET /security/summary |
List Security Hub (security-hub) | 1. GET /security/vul |
Read System Volumes (system-volumes) | 1. GET /systeminfo/volumes |
Project permissions
Public APIs are not included in the tables above because they can be accessed by anyone.