This page describes how to manage access control in the Harbor-as-a-Service registry while adhering to the principles of least privilege. Google Distributed Cloud (GDC) air-gapped Organization IAM Administrators control who can be authenticated and authorized to use Harbor-as-a-Service APIs. For authorizing APIs and access in a Harbor instance, use Harbor's built-in role-based access control in each Harbor project. For more information, see https://goharbor.io/docs/2.8.0/administration/managing-users/.
Configure access for Harbor-as-a-Service APIs
Every GDC Harbor-as-a-Service API requires that the principal making the request has the required permissions to use the API resource. Permissions are given to principals by setting policies that grant the principal a predefined role on the resource.
Predefined Harbor-as-a-Service roles
Harbor-as-a-Service provides predefined roles that grant access to related API resources and prevent unauthorized access to other resources.
Use the following predefined roles for managing the Harbor Instance resources and creating Harbor Project resources:
- Harbor Instance Viewer: views and gets the Harbor instance. Ask your Organization IAM Admin to grant you the Harbor Instance Viewer (harbor-instance-viewer) role.
- Harbor Instance Admin: creates and manages the Harbor instance, and creates Harbor projects in the Harbor instance. Ask your Organization IAM Admin to grant you the Harbor Instance Admin (harbor-instance-admin) role.
- Harbor Project Creator: creates Harbor projects in the Harbor instance. Ask your Organization IAM Admin to grant you the Harbor Project Creator (harbor-project-creator) role.
Configure access for APIs and within a Harbor instance
Within a Harbor instance, use Harbor's built-in role-based access control in each Harbor project to control who is authorized to use the APIs and access resources in the Harbor project. For more information, see https://goharbor.io/docs/2.8.0/administration/managing-users/.
The user that creates the Harbor project is automatically assigned the ProjectAdmin role for the Harbor project. The ProjectAdmin user can assign roles for the Harbor project to other users. For all of the available roles, see https://goharbor.io/docs/2.8.0/administration/managing-users/user-permissions-by-role/.
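Because the project creator becomes ProjectAdmin and can hand out further roles, a least-privilege review of who holds which role in each project is worth automating. The following script is an added example, not part of this documentation or of Harbor itself: it checks a project member list of the shape returned by Harbor's members API (the entity_name and role_name field names are an assumption about the deployed Harbor version) against an allowed-admin list and a role ceiling, using constructed sample data.

```python
import json

# Harbor project roles ranked from least to most privileged. The role_name
# strings are assumed to match those returned by
# GET /api/v2.0/projects/{project}/members on the deployed Harbor version.
ROLE_RANK = {
    "limitedGuest": 0,
    "guest": 1,
    "developer": 2,
    "maintainer": 3,
    "projectAdmin": 4,
}


def audit_members(members, allowed_admins, role_ceiling="developer"):
    """Return (entity_name, role_name, reason) for each policy violation.

    members        : list of member dicts as returned by the Harbor members API
    allowed_admins : set of entity_name values permitted to hold projectAdmin
    role_ceiling   : highest role any non-admin member may hold
    """
    findings = []
    ceiling = ROLE_RANK[role_ceiling]
    for member in members:
        name, role = member["entity_name"], member["role_name"]
        rank = ROLE_RANK.get(role)
        if rank is None:
            # A role the policy does not know about should be reviewed, not ignored.
            findings.append((name, role, "unknown role name"))
        elif role == "projectAdmin" and name not in allowed_admins:
            findings.append((name, role, "unexpected project admin"))
        elif role != "projectAdmin" and rank > ceiling:
            findings.append((name, role, f"above ceiling {role_ceiling}"))
    return findings


# Constructed sample member list for one project (not data from a real instance).
SAMPLE_MEMBERS = json.loads("""[
  {"entity_name": "alice",  "role_name": "projectAdmin", "entity_type": "u"},
  {"entity_name": "bob",    "role_name": "projectAdmin", "entity_type": "u"},
  {"entity_name": "ci-bot", "role_name": "maintainer",   "entity_type": "u"},
  {"entity_name": "dave",   "role_name": "guest",        "entity_type": "u"}
]""")

if __name__ == "__main__":
    # alice created the project and is the only sanctioned ProjectAdmin.
    for name, role, reason in audit_members(SAMPLE_MEMBERS, {"alice"}):
        print(f"{name}: {role} ({reason})")
```

Feed it the JSON body of the members API for each project and review every finding: either confirm the elevated role is needed or downgrade it through the ProjectAdmin.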
Use service accounts to interact with MHS
You can use service accounts to interact with MHS. Using a project service account integrates your automation directly into the GDC IAM authentication flow, allowing your workloads to generate short-lived tokens automatically without manually managing static credentials.
To set up a service account, activate its identity, and grant it the project permissions it needs to authenticate to MHS automatically, follow the steps in Manage service accounts.
After completing these setup steps, your service account identity can securely interact with your Harbor instances and manage container repositories.
What's next
After configuring your command-line tools and access controls for the project service account, review standard practices for rotating keys and managing long-term service account security: