Privileged robot accounts
By default, the Robot account creation process in the Harbor web interface only allows for a limited permission scope when creating new Robot accounts. As of Harbor v.2.5.2, this is still the case.
In order to circumvent this limitation, one can create robot accounts through the API with system resource permissions that go beyond the options offered in the web interface.
Info
This page is based on this comment by Harbor developer wy65701436. Also check out the Harbor source code for more information on all the possible resource permissions that can be granted to Robot accounts.
Example: Robot with project creation privileges
Following the example provided in the GitHub comment above, harborapi
provides HarborAsyncClient.create_robot
to achieve the same functionality.
When creating privileged robot accounts, HarborAsyncClient
must be instantiated with a privileged user's credentials.
from harborapi.models import RobotCreate, RobotPermission, Access
# Client is instantiated with administrator account.
# This is required to create robot accounts with system resource permissions.
await client.create_robot(
RobotCreate(
name="from_api",
description="Created from harborapi Python client",
secret="Secret1234",
level="system",
duration=30,
permissions=[
RobotPermission(
kind="system",
namespace="/",
access=[
Access(resource="project", action="create"),
],
)
],
)
)
Produces:
RobotCreated(
id=11,
name='robot$from_api',
secret='tBuDZ700tPkKLNQ0z1EAYndMOFEzvgM8',
creation_time=datetime.datetime(2022, 7, 14, 10, 3, 40, 906000, tzinfo=datetime.timezone.utc),
expires_at=1660385020,
)
Saving credentials to a file
The resulting Robot account can be saved to a Harbor credentials file by providing an argument to the path
parameter specifying the location to save the credentials to. The path
argument can be either a string or a pathlib.Path object.
By default, the file must not already exist. This can be overriden by adding overwrite=True
, which overwrites the file if it already exists.
The resulting file can then be used when instantiating HarborAsyncClient
to authenticate with the Robot account.
from harborapi import HarborAsyncClient
client = HarborAsyncClient(
url="https://your-harbor-instance.com/api/v2.0",
credentials_file="/path/to/file.json",
)
For more information, see HarborAsyncClient.create_robot
and HarborAsyncClient.__init__