Stay organized with collections
Save and categorize content based on your preferences.
This page describes how to sign in to Docker or Helm using the Managed Harbor Service (MHS) credential helper or CLI secrets.
To provide flexibility, Google Distributed Cloud (GDC) air-gapped appliance provides two methods to authenticate with Docker and Helm from your Harbor registry instance. The first method is using the Managed Harbor Service (MHS) credential helper and your GDC identity to sign in to the Docker or Helm CLI. After authenticating with GDC, you can sign in to the Docker client and perform Docker operations, without having to create or manage separate CLI secrets in Harbor.
The second method is using CLI secrets. After you authenticate using Identity-Aware Proxy (IAP) and sign in to the Harbor interface for the first time, use the Docker or Helm CLI to access Harbor. The Docker and Helm CLIs cannot handle redirection for IAP, so Harbor provides a CLI secret to use when signing in from Docker or Helm. This method is only available when Harbor uses IAP authentication.
Before you begin
To configure Docker and Helm authentication for Harbor registry instances,
ask your Organization IAM Admin to grant you the Harbor Instance Viewer
(harbor-instance-viewer) role.
Sign in to Docker or Helm with CLI secrets
To sign in to Docker or Helm with CLI secrets, follow these steps:
Sign in to Harbor with an IAP user account.
Click your username and select User Profile.
To copy the CLI secret associated with your account, click content_copyCopy.
Optional: To display buttons for
automatically generating or manually creating a new CLI secret, click the more_horiz ellipses in your user profile.
If you generated a new CLI secret, click content_copyCopy to copy it.
You can now use your CLI secret as the password when signing in to
Harbor from the Docker or Helm CLI:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-09-04 UTC."],[],[],null,["# Sign in to Docker and Helm\n\nThis page describes how to sign in to Docker or Helm using the Managed Harbor Service (MHS) credential helper or CLI secrets.\n\nTo provide flexibility, Google Distributed Cloud (GDC) air-gapped appliance provides two methods to authenticate with Docker and Helm from your Harbor registry instance. The first method is using the Managed Harbor Service (MHS) credential helper and your GDC identity to sign in to the Docker or Helm CLI. After authenticating with GDC, you can sign in to the Docker client and perform Docker operations, without having to create or manage separate CLI secrets in Harbor.\n\nThe second method is using CLI secrets. After you authenticate using Identity-Aware Proxy (IAP) and sign in to the Harbor interface for the first time, use the Docker or Helm CLI to access Harbor. The Docker and Helm CLIs cannot handle redirection for IAP, so Harbor provides a CLI secret to use when signing in from Docker or Helm. This method is only available when Harbor uses IAP authentication.\n\nBefore you begin\n----------------\n\n- To configure Docker and Helm authentication for Harbor registry instances, ask your Organization IAM Admin to grant you the Harbor Instance Viewer (`harbor-instance-viewer`) role.\n\nSign in to Docker or Helm with CLI secrets\n------------------------------------------\n\nTo sign in to Docker or Helm with CLI secrets, follow these steps:\n\n1. Sign in to Harbor with an IAP user account.\n2. Click your username and select **User Profile**.\n3. To copy the CLI secret associated with your account, click content_copy **Copy**.\n4. Optional: To display buttons for\n automatically generating or manually creating a new CLI secret, click the more_horiz ellipses in your user profile.\n\n | **Note:** A user can only have one CLI secret. When a new secret is generated or created, the old secret becomes invalid.\n5. If you generated a new CLI secret, click content_copy **Copy** to copy it.\n\n6. You can now use your CLI secret as the password when signing in to\n Harbor from the Docker or Helm CLI:\n\n docker login -u \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e -p \u003cvar translate=\"no\"\u003eCLI_SECRET\u003c/var\u003e \u003cvar translate=\"no\"\u003eHARBOR_INSTANCE_URL\u003c/var\u003e\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eUSERNAME\u003c/var\u003e: the Harbor account username\n- \u003cvar translate=\"no\"\u003eCLI_SECRET\u003c/var\u003e: the generated CLI secret.\n- \u003cvar translate=\"no\"\u003eHARBOR_INSTANCE_URL\u003c/var\u003e: the URL of the Harbor instance.\n\n| **Note:** The CLI secret does not expire, unless you manually rotate it. The CLI secret is not associated with the user identity token. Signing out from Harbor or the GDC console does not revoke the CLI secret."]]
