Permissions and Ports for Harness Connections
The following table lists the permissions and ports needed for the Harness Delegate to access Connectors such as artifact servers, cloud providers, verification, and security providers. You configure these settings in the Harness Manager.
- Artifact servers: The Delegate pulls artifacts and metadata from artifact servers using the account and ports required by the artifact server.
- Deployments: Most Harness deployments to Virtual Machines (for example, AWS, GCP, Azure, Datacenter) are performed using SSH over port 22. The VPC firewall setting might also require additional open ports for administration, such as HTTP 443.
- Verifications: The Delegate makes API calls to verification providers using the access keys required by the providers.
- Security: For security, such as SAML and LDAP, the Delegate uses the account and ports required by the provider, such as an Active Directory domain controller running in an Azure or AWS VPC.
Connections | Permissions and Harness Docs | Ports for Delegate Connections to Services | Provider References |
Active Directory LDAP | User account in the Active Directory. | HTTPS: 443. LDAP without SSL: 389. Secure LDAP (LDAPS): 636. | |
AppDynamics | General permission: View, Edit and Delete permissions for new applications can be set as part of the default permissions for a custom role. | HTTP: 80 | |
AWS Cloud | IAM user to be able to make API requests to AWS. DescribeRegions required. | Depends on the firewall settings of your VPC, but typically, HTTP: 443. | |
AWS CodeDeploy | Policies:
| HTTPS: 443. | |
AWS EC2 | Policy: AmazonEC2FullAccess DescribeRegions required also. | HTTP: 80. HTTP: 443. TCP: 9090. | |
AWS ELB, ALB, ECS | Policy for Elastic Load Balancer, Application Load Balancer, and Elastic Container Service. DescribeRegions required also. | Well-known ports: 25, 80, 443, 465, and 587. | |
AWS S3 | Policy: AmazonS3ReadOnlyAccess. DescribeRegions required also. | HTTP: 443. | |
Azure | Client (Application) and Tenant (Directory) IDs, and Key. | Windows VMs (WinRM ports): HTTP: 5985, HTTPS: 5986. | |
Bamboo | Username and password for account. | HTTP: 443. TCP: 8085. | |
Bugsnag | Data Access API Auth Token. | The Bugsnag Data Access API is exposed on the same TCP port as the dashboard, 49080. | |
Datadog | API Key. | HTTPS: 443. | |
Docker Registry | User permission level. | TCP: 8083. | |
Dynatrace | Access token. | HTTPS: 443. | |
ELK Elasticsearch | User (Read permission) or Token Header and Token Value. | TCP: 9200. | |
Github Repo | User account: repository owner. Organization account: read and write. | HTTP: 443. | |
Google Cloud Platform (GCP) | Policies:
| SSH: 22. | |
JFrog Artifactory | Privileged User: Read permission. | HTTP: 443. | |
Jenkins | Matrix-based: Read permission. Execute Permission, if jobs are triggered from Harness stage. | HTTPS: 443. | |
Kubernetes Cluster | One of the following:
| Depends where the cluster is hosted, such as GCP or AWS. | |
Logz | Token-based. | HTTPS: 443. | |
OpenShift | Kubernetes service account token. | HTTPS: 443. | |
New Relic | API key. | HTTPS: 443. | |
Nexus | User account with Repository View Privilege or read for repository. | TCP: 8081. | |
Tanzu Application Service (formerly Pivotal Cloud Foundry) | User account with Admin, Org Manager, or Space Manager role. The user account must be able to update spaces, orgs, and applications. | HTTP: 80 or 443. | |
Prometheus | None. | Depends on where the Prometheus server is hosted. For example, on AWS, port 9090 might be required. | |
SMTP | None. | TCP: 25. | |
Splunk | User account with Read permissions on eventtypes objects. | TCP: 8089 for API. | |
Sumo Logic | User account with access ID and key and query permissions. | HTTPS: 443. | |
WinRM | User account in the same Active Directory domain as the Windows instances the connection uses. | HTTP: 5985. HTTPS: 5986 and 443. SSH: 22. | Installation and Configuration for Windows Remote Management |