Configure access control

This page describes how to manage access control in the Harbor-as-a-Service registry while adhering to the principles of least privilege. Google Distributed Cloud (GDC) air-gapped Organization IAM Administrators control who can be authenticated and authorized to use Harbor-as-a-Service APIs. For authorizing APIs and access in a Harbor instance, use Harbor's built-in role-based access control in each Harbor project. For more information, see https://goharbor.io/docs/2.8.0/administration/managing-users/.

Configure access for Harbor-as-a-Service APIs

Every GDC Harbor-as-a-Service API requires that the principal making the request has the required permissions to use the API resource. Permissions are given to principals by setting policies that grant the principal a predefined role on the resource.

Predefined Harbor-as-a-Service roles

Harbor-as-a-Service provides predefined roles that grant access to related API resources and prevent unauthorized access to other resources.

Use the following predefined roles for managing the Harbor Instance resources and creating Harbor Project resources:

  • Harbor Instance Viewer: views and gets the Harbor instance. Ask your Organization IAM Admin to grant you the Harbor Instance Viewer (harbor-instance-viewer) role.
  • Harbor Instance Admin: creates and manages the Harbor instance, and creates Harbor projects in the Harbor instance. Ask your Organization IAM Admin to grant you the Harbor Instance Admin (harbor-instance-admin) role.
  • Harbor Project Creator: creates Harbor projects in the Harbor instance. Ask your Organization IAM Admin to grant you the Harbor Project Creator (harbor-project-creator) role.

Configure access for APIs and within a Harbor instance

Within a Harbor instance, use Harbor's built-in role-based access control in each Harbor project to control who is authorized to use the APIs and access resources in the Harbor project. For more information, see https://goharbor.io/docs/2.8.0/administration/managing-users/.

The user that creates the Harbor project is automatically assigned the ProjectAdmin role for the Harbor project. The ProjectAdmin user can assign roles for the Harbor project to other users. For all of the available roles, see https://goharbor.io/docs/2.8.0/administration/managing-users/user-permissions-by-role/.