Error when creating project Robot Accounts using System Robot Accounts
Expected behavior and actual behavior: We have tried to use a System Robot Account to create Robot Accounts at the project level, but we have encountered the following problem:
- When trying to create a project Robot Account using the credentials of a System Robot Account, the system returns a denied error.
- This behavior occurs both when the System Robot Account has custom permissions and when it has all permissions enabled.
- However, when performing the same action using the admin user credentials, the creation of the project Robot Account works correctly.
Steps to reproduce the problem:
- Create a System Robot Account in Harbor with custom permissions or all permissions enabled.
- Attempt to create a project Robot Account for a given project using the System Robot Account credentials.
- Observe that the operation fails with a denied error.
- Perform the same action with the admin user and verify that it works correctly.
Versions: Please specify the versions of following systems.
- harbor version: 2.12.1
- kubernetes: AKS 1.30.6
- Postgresql: 16.4
Additional context:
{ "errors": [ { "code": "DENIED", "message": "denied" } ] }
@EduGoma can you check the issue https://github.com/goharbor/harbor/issues/21251 and see if that is related? If so, it should already be fixed in 2.12.1.
Could you share the request for creating a project-level robot account, along with the permission scope of your system robot?
I attach a txt with the permissions of the system robot, the curl I use to create the project robot and the outputs I get with the admin (201) as well as with the system robot (denied).
Harbor version 2.12.1.
robothcmx.txt
With the user admin:
curl -X 'POST' \
  'https:///api/v2.0/robots' \
  -H 'accept: application/json' \
  -H 'authorization: Basic ' \
  -H 'Content-Type: application/json' \
  -H 'X-Harbor-CSRF-Token: ' \
  -d '{
    "secret": "string",
    "description": "string",
    "disable": false,
    "duration": -1,
    "level": "project",
    "name": "testingapi",
    "permissions": [
      {
        "access": [
          {
            "action": "push",
            "resource": "repository"
          },
          {
            "action": "pull",
            "resource": "repository"
          }
        ],
        "kind": "project",
        "namespace": "epcclo-1"
      }
    ]
  }'
Response body
{
  "creation_time": "2025-01-14T08:21:30.374Z",
  "expires_at": -1,
  "id": 375648,
  "name": "robotepcclo-1+testingapi",
  "secret": ""
}

Response with the robot system:
{
  "errors": [
    {
      "code": "DENIED",
      "message": "denied"
    }
  ]
}
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
not stale
This issue is being marked stale due to a period of inactivity. If this issue is still relevant, please comment or remove the stale label. Otherwise, this issue will close in 30 days.
This is a real issue
This is still an issue in v2.13.0-db1569ae. My robot account has all permissions on all projects and is still getting a 403 when trying to create a project robot account. If I instead use the harbor admin account to create the project robot it works as expected.
Is there any action being taken? Can we only use the admin user to create robot accounts?
Hi. I encountered the same issue today. Since there is no way to refresh a project-level robot account, I wanted to create a script to automatically recreate a robot account with the same permissions, but I am having a hard time since I get the same 403 using a system-level robot account with all permissions.
Any news on this bug?
Same experience here
Hi, I've reproduced this issue and got the root cause. I will fix it in the next minor and patch release, thanks.
Any chance this could be released soon as 2.14.1? I think this issue is currently blocking my Terraform Harbor pipelines.