Harbor incorporates the concept of system-wide robot accounts. An administrator can create a system-wide robot account covering multiple projects. System robot accounts are used to create non-user-scoped credentials to perform operations and API calls across multiple projects.

Each system robot account can have multiple system permissions and multiple project-level permissions across multiple projects.

The Permission References section below lists the available permissions and the operations each one allows. These permissions can be combined and assigned to a system robot account, allowing it to execute the desired tasks via an OCI client or the Harbor API. Robot accounts cannot be used to log into the user interface.

You can also create project-scoped robot accounts that have access limited to a single project. Read more about project robot accounts.

View System Robot Accounts

  1. Log into your Harbor instance as an administrator.
  2. In the sidebar select Robot Accounts in the Administration section.
System robot account page

This page contains the lists of all existing system robot accounts in your Harbor instance. The table contains the following information for each system robot account:

  • The name of a system account. This is derived from robot account prefix configured for your Harbor instance and the name assigned to the account when it was created. A robot account name follows the format <prefix><account_name>. If you use the search function on this page, you only need to search for the account name without the prefix.

  • Enabled status indicates whether an account is active or deactivated.

  • The count of system permissions an account is assigned to. To see a full set of the assigned system permissions, click on the PERMISSIONS link.

    View all the system permissions
  • The number of projects an account is associated with. Click on the PROJECT(S) link to see a full list of projects associated with an account.

    View list of all projects associated with a system robot account
  • The created time shows when the robot account was created.

  • The account expiration time, calculated from the created time and the expiration period set when the robot account was created.

  • The manually added description for the system robot account.

Add a System Robot Account

  1. Log in to the Harbor interface, with system administrator privileges.

  2. Go to Administration, select a project, and select Robot Accounts.

  3. Click New Robot Account.

    Create system robot account window
  4. Enter a name and an optional description for this robot account.

  5. Set Expiration time for this robot account. By default the system configured expiration time is used. You can also select Never Expired from the dropdown if you want to create a never expiring robot account.

  6. Select the system permissions for this robot account.

  7. Select Cover all projects if you want to use this system robot account across all projects. Using this option means that this system robot account will be able to access all existing and future projects in your Harbor instance. You can select which permissions to grant to the robot account.

    Cover all projects and select permissions
  8. If you want this robot account to only cover certain projects or be granted certain permissions, use the project table to select the projects and permissions you want to assign to the system robot account. This table shows each project name, the project creation time, and a dropdown list of permissions to assign to the system robot account for that project.

    Project table for assigning robot accounts

    Click the checkbox next to the project name to associate this robot account.

    By default the table shows all projects in your Harbor instance. You are able to filter for projects using the filter icon to the right of Project Name header. Note that the project table may be broken into pages and only display a subset of projects at one time depending on how many projects you have in your Harbor instance and how many projects match your filter criteria.

    Filter project names

    Use the Permissions dropdown to choose which permissions to assign to a particular project. You are able to control which permissions to assign to an individual robot account by project, allowing you fine grained control over each robot account. You can select Select All or Unselect All to quickly add or remove all permissions from a robot account.

    The Push Repository permission must be assigned with the Pull Repository permission. You are not able to assign the Push Repository permission by itself.

    Set project permission

    Click the Reset All Project Permissions dropdown to control which permissions are available for each project. Selecting or unselecting a permission will add or remove the permission for every project. Using this option will adjust permissions for all projects, not just the projects shown if you have filtered for a specific project name.

    Reset robot account permissions

    Click Select All Projects to associate the system robot account with all of the projects shown in the table. If you are filtering by project name, this option will only select the filtered projects.

  9. Click FINISH.

  10. In the confirmation window, click Export to File to download the secret as a JSON file, or click the clipboard icon to copy its contents to the clipboard.

    Copy system robot account token

    Harbor does not store robot account secrets, so you must either download the secret or copy and paste its contents into a text file. There is no way to get the secret from Harbor after you have created the robot account.

    The new robot account appears as <prefix><account_name> in the list of robot accounts. Read more about robot account prefixes.
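The same least-privilege setup can be driven through the Harbor API instead of the wizard. The following is an added example, not code from the Harbor documentation or project: it assumes the request body of Harbor's POST /api/v2.0/robots endpoint (level, duration, and a permissions list whose entries carry kind, namespace and access items of resource/action, with namespace "*" standing for Cover all projects and duration -1 for Never Expired). The host harbor.example.internal, the account names and the chosen resource/action pairs are constructed here; the pairs themselves follow the Permission References tables (for example repository/pull). It also enforces the rule stated above that Push Repository cannot be granted without Pull Repository.

```python
import base64
import json
import urllib.request

# Permission references from this page, written as (resource, action) pairs.
# This is the shape Harbor's robot API expects for an access entry (assumption).
PULL = ("repository", "pull")
PUSH = ("repository", "push")


def missing_pull_projects(project_access):
    """Return the project namespaces that request Push Repository without Pull Repository.

    The UI refuses this combination; the same rule is enforced here before calling the API."""
    bad = []
    for namespace, access in project_access.items():
        actions = set(access)
        if PUSH in actions and PULL not in actions:
            bad.append(namespace)
    return bad


def build_system_robot_request(name, description, duration_days, system_access, project_access):
    """Build the JSON body for POST /api/v2.0/robots that creates a *system* robot account.

    duration_days: expiry in days; -1 stands for Never Expired (assumed API convention).
    system_access: list of (resource, action) pairs for system permissions.
    project_access: {namespace: [(resource, action), ...]}; a namespace of "*" covers all
    existing and future projects (assumed API convention for Cover all projects)."""
    bad = missing_pull_projects(project_access)
    if bad:
        raise ValueError(f"push without pull requested for projects: {bad}")
    permissions = []
    if system_access:
        permissions.append({
            "kind": "system",
            "namespace": "/",
            "access": [{"resource": r, "action": a} for r, a in system_access],
        })
    for namespace, access in project_access.items():
        permissions.append({
            "kind": "project",
            "namespace": namespace,
            "access": [{"resource": r, "action": a} for r, a in access],
        })
    return {
        "name": name,
        "description": description,
        "level": "system",
        "disable": False,
        "duration": duration_days,
        "permissions": permissions,
    }


def create_robot(harbor_url, admin_user, admin_password, body):
    """POST the body with an administrator's basic-auth credentials and return the response JSON.

    Harbor returns the robot secret only in this response; store it right away, because,
    as the page notes, it cannot be retrieved afterwards."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    req = urllib.request.Request(
        f"{harbor_url}/api/v2.0/robots",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # A CI robot that may list projects system-wide and pull from one project only.
    body = build_system_robot_request(
        name="ci-puller",  # shown in the UI as <prefix>ci-puller
        description="read-only pulls for the build farm",
        duration_days=30,
        system_access=[("project", "list")],
        project_access={"library": [PULL, ("artifact", "read")]},
    )
    print(json.dumps(body, indent=2))
    # Uncomment with real administrator credentials (placeholder host):
    # print(create_robot("https://harbor.example.internal", "admin", "ADMIN_PASSWORD", body))
```

Keeping the permission list as data makes the robot's blast radius reviewable in code review, and the pre-check mirrors the wizard's constraint so a misconfigured pipeline fails locally rather than with an API error.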

Administer a System Robot Account

You are able to edit, deactivate, or delete a system robot account.

  1. From the administrator Robot Account page, select the checkbox next to the robot account you are updating.
  2. Select Action and then Edit, Deactivate, or Delete.
deactivate or delete a robot account

Refresh System Robot Account Secret

You can refresh a robot account's secret after it is created if you need a new one.

  1. From the administrator Robot Account page, select the checkbox next to the robot account you are updating.

  2. Select Action and then Refresh Secret.

  3. By default Harbor generates a new random secret. Alternatively, enable manual resetting of the secret and enter the New Secret and then Confirm Secret. Optionally, you can view the secret by clicking the eye icon.

    Refresh system robot account secret
  4. Click Refresh. If you created a secret randomly, download the secret JSON file or copy and paste its contents.

Configure the Expiry Period of Robot Accounts

By default, robot accounts expire after 30 days. You can set a longer or shorter lifespan for robot accounts by modifying the expiry period for robot account tokens. The expiry period applies to all robot accounts in all projects.

  1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.

  2. Go to Configuration and select System Settings.

  3. In the Robot Token Expiration (Days) row, modify the number of days after which robot account tokens expire.

    Set robot account token expiry

Configure Robot Account Prefix

By default, robot account names use a prefix of robot$. Harbor uses this prefix to distinguish a robot account from a user account. The full name of a system robot account is the prefix and the name you provide when creating the robot account. For example if you create a new robot system account with the name test, the full name is robot$test.

The same prefix is used for all robot accounts, including both system and project robot accounts. When you update this value, it will apply to all existing and future system and project robot accounts, except robot accounts created in Harbor v2.1 and earlier which will continue to use the prefix robot$.

  1. Log in to the Harbor interface with an account that has Harbor system administrator privileges.

  2. Go to Configuration and select System Settings.

  3. In the Robot Name Prefix row, modify the prefix.

    Set robot account prefix

Authenticate with a System Robot Account

To use a robot account in an automated process, for example a script, use docker login and provide the credentials of the robot account.

  1. docker login <harbor_address>
  2. Username: <prefix><account_name>
  3. Password: <secret>
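The same login performed from a script, as an added example that is not part of the Harbor documentation. It reads the secret file Harbor offers for download when the robot is created (the field names name, secret and expires_at are an assumption about that export; compare with your own file), builds the <prefix><account_name> login name and the HTTP Basic header the Harbor API accepts, warns when the account is close to its expiration time, and performs docker login with the secret on stdin. The host harbor.example.internal, the account robot$ci-puller, the timestamps and the secret value are constructed.

```python
import base64
import json
import subprocess
import urllib.request

# Constructed sample of the secret file downloaded after creating the robot account.
# Field names are an assumption about Harbor's export; the secret is a placeholder.
SAMPLE_SECRET_FILE = json.dumps({
    "name": "robot$ci-puller",
    "secret": "EXAMPLE-SECRET-REPLACE-ME",
    "expires_at": 1735689600,  # 2025-01-01T00:00:00Z as a Unix timestamp
})


def robot_username(prefix, account_name):
    """Login name is <prefix><account_name>; with the default prefix, robot$ci-puller."""
    return f"{prefix}{account_name}"


def load_robot_credentials(text):
    """Parse the exported secret file into (username, secret, expires_at)."""
    data = json.loads(text)
    return data["name"], data["secret"], data.get("expires_at", -1)


def basic_auth_header(username, secret):
    """HTTP Basic header carrying the robot credentials for the Harbor API."""
    token = base64.b64encode(f"{username}:{secret}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def decode_basic_auth(header):
    """Inverse of basic_auth_header, useful for checking what a script actually sends."""
    raw = base64.b64decode(header["Authorization"].split(" ", 1)[1]).decode()
    user, _, secret = raw.partition(":")
    return user, secret


def days_until_expiry(expires_at, now_ts):
    """Whole days before the robot stops working; None for a never-expiring account
    (an expires_at of -1 is assumed to be how Harbor marks Never Expired)."""
    if expires_at is None or expires_at < 0:
        return None
    return (expires_at - now_ts) // 86400


def list_projects(harbor_url, username, secret):
    """GET /api/v2.0/projects as the robot; requires the List Project system permission."""
    req = urllib.request.Request(
        f"{harbor_url}/api/v2.0/projects",
        headers=basic_auth_header(username, secret),
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def docker_login(registry, username, secret):
    """Non-interactive equivalent of the docker login steps above. The secret is fed on
    stdin so it never appears in the process list or the shell history."""
    return subprocess.run(
        ["docker", "login", registry, "--username", username, "--password-stdin"],
        input=secret.encode(), capture_output=True, check=False,
    )


if __name__ == "__main__":
    import time

    username, secret, expires_at = load_robot_credentials(SAMPLE_SECRET_FILE)
    left = days_until_expiry(expires_at, int(time.time()))
    if left is not None and left < 7:
        print(f"warning: {username} expires in {left} day(s); refresh its secret or recreate it")
    # Placeholder host; uncomment once the file holds a real secret.
    # print([p["name"] for p in list_projects("https://harbor.example.internal", username, secret)])
    # print(docker_login("harbor.example.internal", username, secret).returncode)
```

The expiry check is worth wiring into the pipeline itself: because Harbor never shows the secret again, a robot that silently expires is typically only discovered when pulls start failing, and the expires_at field in the export is the cheapest place to catch that early.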

Permission References

The below tables explain what a robot account can do with a specified permission.

System permissions

Permission (an action + a resource) | Abilities
List Audit log (audit-log) | 1. GET /audit-logs
Read Catalog (catalog) | 1. GET /v2/_catalog
Read Garbage Collection (garbage-collection) | 1. GET /system/gc/{gc_id}/log; 2. GET /system/gc/schedule
List Garbage Collection (garbage-collection) | 1. GET /system/gc
Create Garbage Collection (garbage-collection) | 1. POST /system/gc/schedule
Stop Garbage Collection (garbage-collection) | 1. PUT /system/gc/{gc_id}
Update Garbage Collection (garbage-collection) | 1. PUT /system/gc/schedule
List Job Service Monitor (jobservice-monitor) | 1. GET /jobservice/pools; 2. GET /jobservice/pools/{pool_id}/workers; 3. GET /jobservice/jobs/{job_id}/log; 4. GET /jobservice/queues
Stop Job Service Monitor (jobservice-monitor) | 1. PUT /jobservice/jobs/{job_id}; 2. PUT /jobservice/queues/{job_type}
Read Label (label) | 1. GET /labels/{global_label_id}
Create Label (label) | 1. POST /labels?scope=g
Update Label (label) | 1. PUT /labels/{global_label_id}
Delete Label (label) | 1. DELETE /labels/{global_label_id}
Read Preheat Instance (preheat-instance) | 1. POST /preheat/instances/ping; 2. GET /p2p/preheat/instances/{preheat_instance_name}
List Preheat Instance (preheat-instance) | 1. GET /p2p/preheat/providers; 2. GET /p2p/preheat/instances
Create Preheat Instance (preheat-instance) | 1. POST /p2p/preheat/instances
Update Preheat Instance (preheat-instance) | 1. PUT /p2p/preheat/instances/{preheat_instance_name}
Delete Preheat Instance (preheat-instance) | 1. DELETE /p2p/preheat/instances/{preheat_instance_name}
List Project (project) | 1. GET /projects
Create Project (project) | 1. POST /projects
Read Purge Audit (purge-audit) | 1. GET /system/purgeaudit/{purge_id}/log; 2. GET /system/purgeaudit/schedule; 3. GET /system/purgeaudit/{purge_id}
List Purge Audit (purge-audit) | 1. GET /system/purgeaudit
Create Purge Audit (purge-audit) | 1. POST /system/purgeaudit/schedule
Stop Purge Audit (purge-audit) | 1. PUT /system/purgeaudit/{purge_id}
Update Purge Audit (purge-audit) | 1. PUT /system/purgeaudit/schedule
Read Registry (registry) | 1. POST /registries/ping; 2. GET /registries/{id}; 3. GET /registries/{id}/info
List Registry (registry) | 1. GET /registries
Create Registry (registry) | 1. POST /registries
Update Registry (registry) | 1. PUT /registries/{id}
Delete Registry (registry) | 1. DELETE /registries/{id}
Read Replication (replication) | 1. GET /replication/executions/{id}; 2. GET /replication/executions/{id}/tasks/{task_id}/log
List Replication (replication) | 1. GET /replication/executions; 2. GET /replication/executions/{id}/tasks
Create Replication (replication) | 1. POST /replication/executions; 2. PUT /replication/executions/{id}
List Replication Adapter (replication-adapter) | 1. GET /replication/adapters; 2. GET /replication/adapterinfos
Read Replication Policy (replication-policy) | 1. GET /replication/policies/{id}
List Replication Policy (replication-policy) | 1. GET /replication/policies
Create Replication Policy (replication-policy) | 1. POST /replication/policies
Update Replication Policy (replication-policy) | 1. PUT /replication/policies/{id}
Delete Replication Policy (replication-policy) | 1. DELETE /replication/policies/{id}
Read Scan All (scan-all) | 1. GET /scans/all/metrics; 2. GET /scans/schedule/metrics
Create Scan All (scan-all) | 1. POST /system/scanAll/schedule
Stop Scan All (scan-all) | 1. POST /system/scanAll/stop
Update Scan All (scan-all) | 1. PUT /system/scanAll/schedule
Read Scanner (scanner) | 1. POST /scanners/ping; 2. GET /scanners/{registration_id}; 3. GET /scanners/{registration_id}/metadata
List Scanner (scanner) | 1. GET /scanners
Create Scanner (scanner) | 1. POST /scanners
Update Scanner (scanner) | 1. PUT /scanners/{registration_id}
Delete Scanner (scanner) | 1. DELETE /scanners/{registration_id}
Read Security Hub (security-hub) | 1. GET /security/summary
List Security Hub (security-hub) | 1. GET /security/vul
Read System Volumes (system-volumes) | 1. GET /systeminfo/volumes
List Robot Account | 1. GET /robots
Create Robot Account | 1. POST /robots
Read Robot Account | 1. GET /robots/{robot_id}
Update Robot Account | 1. PUT /robots/{robot_id}
Delete Robot Account | 1. DELETE /robots/{robot_id}
Create User | 1. POST /users
Read User | 1. GET /users/{user_id}
Update User | 1. PUT /users/{user_id}
Delete User | 1. DELETE /users/{user_id}
Create LDAP User | 1. POST /ldap/users/import
List LDAP User | 1. GET /ldap/users/search
Create Export CVE job | 1. POST /export/cve
Read Export CVE execution | 1. GET /export/cve/download/{execution_id}; 2. GET /export/cve/execution/{execution_id}
Update Quota | 1. PUT /quotas/{id}
Create User Group | 1. POST /usergroups
Read User Group | 1. GET /usergroups/{group_id}
Update User Group | 1. PUT /usergroups/{group_id}
List User Group | 1. GET /usergroups
Delete User Group | 1. DELETE /usergroups/{group_id}

Project permissions

Permission (an action + a resource) | Abilities
List Accessory (accessory) | 1. GET /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/accessories
Read Artifact (artifact) | 1. GET /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}
List Artifact (artifact) | 1. GET /projects/{project_name}/repositories/{repository_name}/artifacts
Create Artifact (artifact) | 1. POST /projects/{project_name}/repositories/{repository_name}/artifacts
Delete Artifact (artifact) | 1. DELETE /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}
Read Artifact Addition (artifact-addition) | 1. GET /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/vulnerabilities; 2. GET /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/additions/{addition}
Create Artifact Label (artifact-label) | 1. POST /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/labels
Delete Artifact Label (artifact-label) | 1. DELETE /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/labels/{label_id}
List Immutable Tag (immutable-tag) | 1. GET /projects/{project_name_or_id}/immutabletagrules
Create Immutable Tag (immutable-tag) | 1. POST /projects/{project_name_or_id}/immutabletagrules
Update Immutable Tag (immutable-tag) | 1. PUT /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}
Delete Immutable Tag (immutable-tag) | 1. DELETE /projects/{project_name_or_id}/immutabletagrules/{immutable_rule_id}
Read Label (label) | 1. GET /labels/{project_label_id}
List Label (label) | 1. GET /labels?scope=p&project_id={project_id}
Create Label (label) | 1. POST /labels?scope=p&project_id={project_id}
Update Label (label) | 1. PUT /labels/{project_label_id}
Delete Label (label) | 1. DELETE /labels/{project_label_id}
List Log (log) | 1. GET /projects/{project_name}/logs
Read Project Metadata (metadata) | 1. GET /projects/{project_name_or_id}/metadatas/{meta_name}
List Project Metadata (metadata) | 1. GET /projects/{project_name_or_id}/metadatas
Create Project Metadata (metadata) | 1. POST /projects/{project_name_or_id}/metadatas
Update Project Metadata (metadata) | 1. PUT /projects/{project_name_or_id}/metadatas/{meta_name}
Delete Project Metadata (metadata) | 1. DELETE /projects/{project_name_or_id}/metadatas/{meta_name}
Read Notification Policy (notification-policy) | 1. GET /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}; 2. GET /projects/{project_name_or_id}/webhook/lasttrigger; 3. GET /projects/{project_name_or_id}/webhook/events; 4. GET /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions; 5. GET /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions/{execution_id}/tasks; 6. GET /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}/executions/{execution_id}/tasks/{task_id}/log
List Notification Policy (notification-policy) | 1. GET /projects/{project_name_or_id}/webhook/policies; 2. GET /projects/{project_name_or_id}/webhook/jobs
Create Notification Policy (notification-policy) | 1. POST /projects/{project_name_or_id}/webhook/policies
Update Notification Policy (notification-policy) | 1. PUT /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}
Delete Notification Policy (notification-policy) | 1. DELETE /projects/{project_name_or_id}/webhook/policies/{webhook_policy_id}
Read Preheat Policy (preheat-policy) | 1. GET /projects/{project_name}/preheat/policies/{preheat_policy_name}; 2. POST /projects/{project_name}/preheat/policies/{preheat_policy_name}; 3. GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}; 4. GET /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}/tasks/{task_id}/logs
List Preheat Policy (preheat-policy) | 1. GET /projects/{project_name}/preheat/policies; 2. GET /projects/{project_name}/preheat/providers
Create Preheat Policy (preheat-policy) | 1. POST /projects/{project_name}/preheat/policies
Update Preheat Policy (preheat-policy) | 1. PUT /projects/{project_name}/preheat/policies/{preheat_policy_name}; 2. PATCH /projects/{project_name}/preheat/policies/{preheat_policy_name}/executions/{execution_id}
Delete Preheat Policy (preheat-policy) | 1. DELETE /projects/{project_name}/preheat/policies/{preheat_policy_name}
Read Project (project) | 1. GET /projects/{project_name_or_id}
Update Project (project) | 1. PUT /projects/{project_name_or_id}
Delete Project (project) | 1. DELETE /projects/{project_name_or_id}; 2. GET /projects/{project_name_or_id}/_deletable
Read Repository (repository) | 1. GET /projects/{project_name}/repositories/{repository_name}
List Repository (repository) | 1. GET /projects/{project_name}/repositories
Update Repository (repository) | 1. PUT /projects/{project_name}/repositories/{repository_name}
Delete Repository (repository) | 1. DELETE /projects/{project_name}/repositories/{repository_name}
Pull Repository (repository) | 1. Pull artifacts from the project
Push Repository (repository) | 1. Push artifacts to the project
Read Scan (scan) | 1. GET /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/{report_id}/log
Create Scan (scan) | 1. POST /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan
Stop Scan (scan) | 1. POST /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/scan/stop
Read Scanner (scanner) | 1. GET /projects/{project_name_or_id}/scanner
Create Scanner (scanner) | 1. PUT /projects/{project_name_or_id}/scanner; 2. GET /projects/{project_name_or_id}/scanner/candidates
List Tag (tag) | 1. GET /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/tags
Create Tag (tag) | 1. POST /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/tags
Delete Tag (tag) | 1. DELETE /projects/{project_name}/repositories/{repository_name}/artifacts/{reference}/tags/{tag_name}
Read Tag Retention (tag-retention) | 1. GET /retentions/{id}; 2. GET /retentions/{id}/executions/{eid}/tasks/{tid}
List Tag Retention (tag-retention) | 1. GET /retentions/{id}/executions; 2. GET /retentions/{id}/executions/{eid}/tasks
Create Tag Retention (tag-retention) | 1. POST /retentions
Update Tag Retention (tag-retention) | 1. PUT /retentions/{id}; 2. POST /retentions/{id}/executions; 3. PATCH /retentions/{id}/executions/{eid}
Delete Tag Retention (tag-retention) | 1. DELETE /retentions/{id}
List Robot Account | 1. GET /robots
Create Robot Account | 1. POST /robots
Read Robot Account | 1. GET /robots/{robot_id}
Update Robot Account | 1. PUT /robots/{robot_id}
Delete Robot Account | 1. DELETE /robots/{robot_id}
Add Project Member | 1. POST /projects/{project_name_or_id}/members
Read Project Member | 1. GET /projects/{project_name_or_id}/members/{mid}
Update Project Member | 1. PUT /projects/{project_name_or_id}/members/{mid}
Delete Project Member | 1. DELETE /projects/{project_name_or_id}/members/{mid}

Since Harbor v2.12.0, system-level and project-level robot accounts can be granted all permissions except configuration-related ones, and never more than the permissions held by the creator. Public APIs are not included in the tables above because they can be accessed by anyone.