goharbor/harbor

Harbor ECR replication : ECR Cross-Account Replication Cannot Create Repository & Cannot Assume Cross-Account Role

Open

#22858 opened on Feb 19, 2026

Labels: Stale, help wanted, replication/adapters

Description

When using Harbor to replicate images to AWS ECR across accounts, I’m seeing the following limitations:

1️⃣ Repository Must Pre-Exist

If the target ECR repository does not already exist, replication fails.

Even when the Harbor pod is running with an IAM role (via IRSA / Pod Identity), Harbor does not create the repository in the target account. The repository must be manually or externally provisioned (e.g., Terraform).

Expected behavior:

• If IAM permissions allow ecr:CreateRepository, Harbor should automatically create the target repository during replication.

Current workaround:

• Pre-create the repository in the target account.
• Apply a repository policy allowing ecr:PutImage from the source account role.
• This allows pushing images, but still requires manual repo creation.

2️⃣ Cannot Assume Cross-Account Role

I am able to configure Harbor to use the pod’s IAM role (via IRSA), but Harbor does not appear to support assuming a role in another AWS account for replication.

As a result:

• I cannot use sts:AssumeRole into the target account.
• I must instead rely on ECR repository policies in the target account.
• Even then, repository creation is still not possible cross-account.

Question: Is this limitation due to how the AWS SDK is implemented in Harbor’s ECR driver (i.e., no STS role assumption flow)?

Expected Improvements

• Support cross-account AssumeRole for ECR replication.
• Allow repository auto-creation when IAM permissions allow.
• Native support for IRSA / Pod Identity without static access keys.

This would significantly improve Harbor’s usability in multi-account AWS environments following IAM best practices.
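The repository policy the workaround above relies on, written out as an added example (not from the issue or from Harbor); the account ID 111111111111 and the role name harbor-irsa-role are placeholders for the source account and the IAM role the Harbor pod runs under. It grants only the actions a push needs on this one pre-created repository, and nothing broader:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowHarborReplicationPushFromSourceAccount",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111111111111:role/harbor-irsa-role"
      },
      "Action": [
        "ecr:BatchCheckLayerAvailability",
        "ecr:InitiateLayerUpload",
        "ecr:UploadLayerPart",
        "ecr:CompleteLayerUpload",
        "ecr:PutImage",
        "ecr:BatchGetImage",
        "ecr:GetDownloadUrlForLayer"
      ]
    }
  ]
}
```

Because this is cross-account access, the source role's own identity policy must also allow the same actions on the target repository ARN, plus ecr:GetAuthorizationToken on "*", which a repository policy cannot grant; ecr:CreateRepository is account-scoped and likewise cannot be granted from a repository policy, which is why the pre-creation step remains.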
