Configure Docker authentication to Harbor registry instances

After you authenticate using Identity-Aware Proxy (IAP) and log into the Harbor interface for the first time, use Docker or the Helm CLI to access Harbor.

The Docker and Helm CLIs cannot handle redirection for IAP, so Harbor provides a CLI secret to use when logging in from Docker or Helm. This is only available when Harbor uses IAP authentication.

Before you begin

To configure Docker authentication to Harbor registry instances, you must have the necessary identity and access role. Ask your Organization IAM Admin to grant you the Harbor Instance Viewer (harbor-instance-viewer) role.

Configure Harbor to trust Docker or Helm

Follow these steps to use the Docker or Helm CLI:

Sign in to Harbor with an IAP user account.
Click your username and select User Profile.
Click Copy to copy the CLI secret associated with your account.
Optional: Click the ellipses in your user profile to display buttons for automatically generating or manually creating a new CLI secret.

Note: A user can only have one CLI secret, when a new secret is generated or created, the old one becomes invalid.
If you generated a new CLI secret, click Copy to copy it.
You can now use your CLI secret as the password when logging in to Harbor from the Docker or Helm CLI:

    docker login -u USERNAME -p CLI_SECRET HARBOR_INSTANCE_URL

Replace the following:

USERNAME: the Harbor account username
CLI_SECRET: the generated CLI secret.
HARBOR_INSTANCE_URL: the URL of the Harbor instance.