Skip to content

Integrate Service Accounts with Robot Accounts in Container Registry

Last updated on

This guide explains how to integrate STACKIT Service Accounts with Robot Accounts within the STACKIT Container Registry. Linking a Service Account gives you the opportunity to replace legacy, static Robot Account credentials with secure, token-based authentication managed centrally through STACKIT.

You need an active STACKIT Service Account, to begin integration. If you have not created one yet, follow the official documentation:

  1. Navigate to the STACKIT Portal and open your target Service Account.

  2. Go to the Overview section.

  3. Locate and copy the following two fields:

    • ID (e.g., fbb2743f-7fb5-4091-9d36-6e8cabe75347)
    • E-mail (e.g., testcrsa-2c3zt7i8@sa.stackit.cloud)

Step 2: Configure the Robot Account in Container Registry

Section titled “Step 2: Configure the Robot Account in Container Registry”
  1. Open the Container Registry application.

  2. Navigate to the Robot Accounts section.

  3. Open either the Create wizard or the Update/Edit dialog of an existing robot account.

  4. Locate the association fields for the STACKIT Service Account. You can use the Edit or Clean buttons to modify this mapping.

  5. Provide the details copied in the previous step and click OK:

    • Email: Paste the copied Service Account email.
    • ID: Paste the copied Service Account ID.

The permissions assigned to this robot account remain fully governed by the Container Registry application.

  • Configure standard Harbor robot account permissions during the final step of the creation/update wizard.
  • The linked STACKIT Service Account inherits these exact scopes upon successful authentication.

Depending on whether a STACKIT Service Account is linked, the authentication method for the robot account changes dynamically.

If the Robot Account remains unassociated, authentication falls back to standard legacy credentials provided natively by Harbor:

Terminal window
docker login -u <robot_name> -p <robot_credentials>

Activate your service account using your locally saved JSON key file:

Terminal window
stackit auth activate-service-account --service-account-key-path <path_to_your_json_file>

Retrieve the current access token:

Terminal window
stackit auth get-access-token

Log in to the Container Registry via Docker using the Service Account email as the username and the generated token as your password:

Terminal window
docker login <registry server> -u <service_account_email> -p <token>