Integrate Service Accounts with Robot Accounts in Container Registry
This guide explains how to integrate STACKIT Service Accounts with Robot Accounts within the STACKIT Container Registry. Linking a Service Account lets you replace legacy, static Robot Account credentials with secure, token-based authentication managed centrally through STACKIT.
Prerequisites
You need an active STACKIT Service Account to begin integration. If you have not created one yet, follow the official documentation:
Step-by-step integration guide
Step 1: Retrieve Service Account details
- Navigate to the STACKIT Portal and open your target Service Account.
- Go to the Overview section.
- Locate and copy the following two fields:
  - ID (e.g., fbb2743f-7fb5-4091-9d36-6e8cabe75347)
  - E-mail (e.g., testcrsa-2c3zt7i8@sa.stackit.cloud)
Step 2: Configure the Robot Account in Container Registry
- Open the Container Registry application.
- Navigate to the Robot Accounts section.
- Open either the Create wizard or the Update/Edit dialog of an existing robot account.
- Locate the association fields for the STACKIT Service Account. You can use the Edit or Clean buttons to modify this mapping.
- Provide the details copied in the previous step and click OK:
  - Email: Paste the copied Service Account email.
  - ID: Paste the copied Service Account ID.
Step 3: Define permissions
The permissions assigned to this robot account remain fully governed by the Container Registry application.
- Configure standard Harbor robot account permissions during the final step of the creation/update wizard.
- The linked STACKIT Service Account inherits these exact scopes upon successful authentication.
Critical rules & constraints
Authentication workflows
Depending on whether a STACKIT Service Account is linked, the authentication method for the robot account changes dynamically.
If the Robot Account remains unassociated, authentication falls back to standard legacy credentials provided natively by Harbor:
    docker login -u <robot_name> -p <robot_credentials>
As soon as a STACKIT Service Account is linked to the Robot Account, legacy credentials are permanently discarded for safety.
Examples
Activate your service account using your locally saved JSON key file:
    stackit auth activate-service-account --service-account-key-path <path_to_your_json_file>
Retrieve the current access token:
    stackit auth get-access-token
Log in to the Container Registry via Docker using the Service Account email as the username and the generated token as your password:
    docker login <registry server> -u <service_account_email> -p <token>
You can also use the service account email and retrieved token to authenticate and call the Container Registry API (Harbor API) directly:
    curl -X 'GET' \
      'https://<registry server>/api/v2.0/projects?page=1&page_size=10&with_detail=true' \
      -H 'accept: application/json' \
      -u '<service_account_email>:<token>' | jq
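The docker and curl commands above carry the token on the command line (-p, -u), where it ends up in shell history and is visible in the process list. The following is an added example, not taken from the STACKIT documentation, that runs the same flow with the token passed on stdin; the function names are hypothetical and the registry host and e-mail are supplied by the caller.

```shell
#!/bin/sh
# Added example, not STACKIT's own tooling. The function names are chosen
# here; the registry host and service account e-mail are caller-supplied.

# Fetch the current access token; fail closed if the CLI returns nothing.
get_token() (
    token=$(stackit auth get-access-token) || exit 1
    [ -n "$token" ] || { echo "stackit returned an empty token" >&2; exit 1; }
    printf '%s' "$token"
)

# docker login with the token on stdin. printf is a shell builtin, so the
# token never appears in another process's argument list.
registry_login() (
    registry=$1 email=$2
    token=$(get_token) || exit 1
    printf '%s' "$token" | docker login "$registry" -u "$email" --password-stdin
)

# Harbor API call from the page, with the credentials handed to curl as a
# config line on stdin instead of -u on the command line.
# Assumes the e-mail and token contain no double quote or backslash.
list_projects() (
    registry=$1 email=$2
    token=$(get_token) || exit 1
    printf 'user = "%s:%s"\n' "$email" "$token" |
        curl --silent --show-error --fail --config - \
            -H 'accept: application/json' \
            "https://$registry/api/v2.0/projects?page=1&page_size=10&with_detail=true"
)

# Usage: sh login.sh <registry server> <service_account_email> <key.json>
if [ "$#" -ge 3 ]; then
    stackit auth activate-service-account --service-account-key-path "$3"
    registry_login "$1" "$2"
fi
```

Because a token is fetched on every call, a CI job can call `registry_login` immediately before each push or pull instead of caching a token between steps.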