Stay organized with collections
Save and categorize content based on your preferences.
This page provides an overview of Harbor backup repositories and how to create
backup repositories in Google Distributed Cloud (GDC) air-gapped.
A backup repository represents an S3-compatible storage location for your
backups.
Before you begin
To create a backup repository, you must have the following:
An S3-compatible endpoint available and a storage bucket to use as the
backup repository.
The necessary identity and access roles:
Harbor Instance Admin: has full access to manage Harbor instances in a project. Ask your Organization IAM Admin to grant you the Harbor Instance Admin (harbor-instance-admin) role.
Secret Admin: required for operating in the GDC console. Ask your Organization IAM Admin to grant you the Secret Admin (secret-admin) role.
Create a backup repository
Create a repository in the GDC console or the API.
Console
Sign in to the GDC console.
In the navigation menu, click Backup for harbor instance.
Click Repositories.
Click Create repository.
In the Zone menu, select the zone where the backup repository is
created.
In the Repository name field, enter a repository name.
Optional: In the Repository description field, enter a description
to distinguish this backup repository.
In the S3 URI endpoint field, enter an endpoint containing the fully
qualified domain name of your object storage site. For example,
https://storagegrid.zone.DOMAIN.SUFFIX:PORT.
In the Bucket FQN field, enter a fully qualified name (FQN) for the
bucket.
In the Access Key ID field, enter the access key ID for your bucket.
In the Access key field, enter the access key for your bucket.
BACKUP_REPO_NAME: the name of the backup
repository. The repository must be in the same namespace with the Harbor
instance to backup.
INSTANCE_NAMESPACE: the namespace of the Harbor
instance that is created in
Create a Harbor registry instance.
The backup repository must be in the same namespace as the Harbor instance
being backed up.
BUCKET_SECRET_NAME: the name of the secret
that contains access credentials for the endpoint. The secret must be placed in the same namespace as the Harbor instance
repository. The secret must contain the fields access-key-id and access-key. For more information on getting access to buckets, see
Grant and obtain storage bucket access.
BUCKET_ENDPOINT: the fully qualified domain
name for the storage system, such as
https://storagegrid.zone.DOMAIN.SUFFIX:PORT.
BUCKET REGION: the region containing the
bucket, such as us-east-1. The region is storage system specific.
BUCKET_NAME: the name of the storage bucket.
The bucket name is found in the status of the GDC bucket custom resource.
REPORSITORY_DESCRIPTION: a text description of
the backup repository.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis page explains how to create and manage Harbor backup repositories, which are S3-compatible storage locations for your backups within Google Distributed Cloud (GDC) air-gapped.\u003c/p\u003e\n"],["\u003cp\u003eCreating a backup repository requires an S3-compatible endpoint, a storage bucket, and specific access roles: Harbor Instance Admin and Secret Admin.\u003c/p\u003e\n"],["\u003cp\u003eYou can create a backup repository in the GDC console by providing details such as the zone, repository name, S3 URI endpoint, bucket FQN, access key ID, and access key.\u003c/p\u003e\n"],["\u003cp\u003eAlternatively, backup repositories can be created using the API by defining specifications like the namespace, secret reference, endpoint, region, bucket, and description.\u003c/p\u003e\n"]]],[],null,["# Create a backup repository\n\nThis page provides an overview of Harbor backup repositories and how to create\nbackup repositories in Google Distributed Cloud (GDC) air-gapped.\n\nA backup repository represents an S3-compatible storage location for your\nbackups.\n\nBefore you begin\n----------------\n\nTo create a backup repository, you must have the following:\n\n- An S3-compatible endpoint available and a storage bucket to use as the backup repository.\n- The necessary identity and access roles:\n\n - Harbor Instance Admin: has full access to manage Harbor instances in a project. Ask your Organization IAM Admin to grant you the Harbor Instance Admin (`harbor-instance-admin`) role.\n - Secret Admin: required for operating in the GDC console. Ask your Organization IAM Admin to grant you the Secret Admin (`secret-admin`) role.\n\nCreate a backup repository\n--------------------------\n\nCreate a repository in the GDC console or the API. \n\n### Console\n\n1. Sign in to the GDC console.\n2. In the navigation menu, click **Backup for harbor instance**.\n3. Click **Repositories**.\n4. Click **Create repository**.\n5. In the **Zone** menu, select the zone where the backup repository is created.\n6. In the **Repository name** field, enter a repository name.\n7. Optional: In the **Repository description** field, enter a description to distinguish this backup repository.\n8. In the **S3 URI endpoint** field, enter an endpoint containing the fully qualified domain name of your object storage site. For example, `https://storagegrid.zone.DOMAIN.SUFFIX:PORT`.\n9. In the **Bucket FQN** field, enter a fully qualified name (FQN) for the bucket.\n10. In the **Access Key ID** field, enter the access key ID for your bucket.\n11. In the **Access key** field, enter the access key for your bucket.\n12. Click **Create**.\n\n### API\n\n apiVersion: artifactregistry.gdc.goog/v1\n kind: HarborInstanceBackupRepository\n metadata:\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBACKUP_REPO_NAME\u003c/span\u003e\u003c/var\u003e\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eINSTANCE_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n spec:\n secretReference:\n namespace: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eINSTANCE_NAMESPACE\u003c/span\u003e\u003c/var\u003e\n name: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_SECRET_NAME\u003c/span\u003e\u003c/var\u003e\n endpoint: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_ENDPOINT\u003c/span\u003e\u003c/var\u003e\n region: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_REGION\u003c/span\u003e\u003c/var\u003e\n bucket: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eBUCKET_NAME\u003c/span\u003e\u003c/var\u003e\n description: \u003cvar translate=\"no\"\u003e\u003cspan class=\"devsite-syntax-l devsite-syntax-l-Scalar devsite-syntax-l-Scalar-Plain\"\u003eREPORSITORY_DESCRIPTION\u003c/span\u003e\u003c/var\u003e\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eBACKUP_REPO_NAME\u003c/var\u003e: the name of the backup repository. The repository must be in the same namespace with the Harbor instance to backup.\n- \u003cvar translate=\"no\"\u003eINSTANCE_NAMESPACE\u003c/var\u003e: the namespace of the Harbor instance that is created in [Create a Harbor registry instance](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/create-harbor-instances#create-a-harbor-registry-instance). The backup repository must be in the same namespace as the Harbor instance being backed up.\n- \u003cvar translate=\"no\"\u003eBUCKET_SECRET_NAME\u003c/var\u003e: the name of the secret that contains access credentials for the endpoint. The secret must be placed in the same namespace as the Harbor instance repository. The secret must contain the fields `access-key-id` and `access-key`. For more information on getting access to buckets, see [Grant and obtain storage bucket access](/distributed-cloud/hosted/docs/latest/gdch/platform/pa-user/grant-obtain-storage-access).\n- \u003cvar translate=\"no\"\u003eBUCKET_ENDPOINT\u003c/var\u003e: the fully qualified domain name for the storage system, such as `https://storagegrid.zone.DOMAIN.SUFFIX:PORT`.\n- \u003cvar translate=\"no\"\u003eBUCKET REGION\u003c/var\u003e: the region containing the bucket, such as `us-east-1`. The region is storage system specific.\n- \u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e: the name of the storage bucket. The bucket name is found in the status of the GDC bucket custom resource.\n- \u003cvar translate=\"no\"\u003eREPORSITORY_DESCRIPTION\u003c/var\u003e: a text description of the backup repository.\n\nWhat's next\n-----------\n\n- [Create a backup plan](/distributed-cloud/hosted/docs/latest/gdch/platform-application/pa-ao-operations/harbor-backup/create-backup-plan-harbor)"]]
