Harbor for Beginners, Part 8: Create a Robot Account

Create a login for scripts and pipelines so they never use your password. Make a robot account, scope its permissions, grab its one-time secret, and use it to pull, all by yourself as Project Admin.

Harbor for Beginners · Part 8 of 12

In Part 7 you saw that adding a person needs an account that already exists. This part is about the one login you can create entirely on your own: a robot account. It is a credential built for scripts and pipelines, so automation never has to borrow your personal password.

Why a robot instead of your password

If a build script needs to push an image, it needs a login. Putting your password in a script is a bad idea: it can do everything you can, it does not expire, and if it leaks you have a real problem. A robot account fixes all three. It can do only what you allow, it has an expiry date, and if it is ever exposed you delete that one robot and nothing else is affected.

Create the robot

Open your project and click the Robot Accounts tab. It starts empty.

The empty Robot Accounts tab with a New Robot Account button
The Robot Accounts tab. Nothing here yet, and a button to make one.

Now build one:

  1. Click + New Robot Account.
  2. Give it a name that says what it is for, like ci-pusher. Set an Expiration time; 30 days is sensible. Click Next.
    The robot account basic information step with a name and 30 day expiry
    Step 1: name it, and give it an expiry. Robots should not live forever.
  3. On Select Permissions, find the Repository row and tick Pull and Push. Leave everything else unticked. This robot can move images, and nothing more. Click Finish.
    The permissions step with Pull and Push ticked on the Repository row
    Step 2: give it the least it needs. Pull and Push on Repository, that is all.

Copy the secret right now

Harbor creates the robot and shows you two things: its full name (something like robot$pranay-project+ci-pusher) and its secret. The secret is shown once. Copy it, or click Export to File, before you close this box. There is no way to see it again.

The success dialog showing the robot name and a hidden secret
The one-time secret. I have hidden mine here, but copy yours immediately. You only get this moment.

If you miss it, do not worry. You cannot recover the old secret, but you can generate a fresh one for the same robot from the Robot Accounts tab. Treat the secret like a password, because that is exactly what it is.

Use it from a script

Now log in as the robot instead of yourself. The username is the full robot name, and the password is that secret. Use your real registry host where the example shows registry.lab.internal.

./crane auth login registry.lab.internal -u 'robot$pranay-project+ci-pusher' -p 'YOUR_SECRET' --insecure

That login on its own does not prove much, it just stores the credential. The real test is to actually use it. Pull an image while logged in as the robot:

./crane pull registry.lab.internal/pranay-project/hello-world:v1 robot-test.tar --insecure

If that comes down with no error, your robot is working with exactly the Pull and Push rights you gave it, and your own password was never involved.

Find and manage it later

Back on the Robot Accounts tab, your robot is now listed, with its permissions count, when it was created, and how long until it expires.

The Robot Accounts tab now listing the ci-pusher robot
The robot in the list, with 2 permissions and an expiry counting down.

Delete it when you are done

This is the best habit a robot account teaches. When a robot is no longer needed, or its secret has been on a screen during a demo, get rid of it.

  1. On the Robot Accounts tab, tick the robot.
  2. Click Action.
  3. Choose Delete, or disable it if you only want to pause it.

Throwing away a leaked robot costs you nothing. Throwing away your own leaked password costs you a lot. That difference is the whole reason robot accounts exist.

Quick recap

  1. Robot accounts are logins for scripts, not people, and you can make them yourself.
  2. Scope them to the least they need, and give them an expiry.
  3. The secret appears once. Copy it immediately.
  4. If one leaks, delete it. Nothing else is affected.

Harbor for Beginners, Part 8 of 12. Product names belong to their owners. The host and secret shown are stand-ins, not real values.

About The Author


Discover more from Journal of Intelligent Infrastructure – By Dr Pranay Jha

Subscribe to get the latest posts sent to your email.

Leave a Reply

Your email address will not be published. Required fields are marked *

Architect’s Toolkit

About the Author

Dr. Pranay Jha is a Cloud and AI Consultant with 18+ years of experience in hybrid cloud, virtualization, and enterprise infrastructure transformation. He specializes in VMware technologies, multi-cloud strategy, and Generative AI solutions. He holds a PhD in Computer Applications with research focused on Cloud and AI, has published multiple research papers, and has been a VMware vExpert since 2016 and a VMUG Community Leader.

Discover more from Journal of Intelligent Infrastructure - By Dr Pranay Jha

Subscribe now to keep reading and get access to the full archive.

Continue reading