Skip to main content

Permissions and ports for Harness connections

The permissions and ports listed in this topic are for all of the integrations Harness supports across its FirstGen and NextGen product suites. For more information, see Harness FirstGen vs Harness NextGen.The following table lists the permissions and ports needed for the Harness Delegate to access Connectors such as artifact servers, cloud providers, verification, and security providers. You configure these settings in the Harness Manager.

  • Artifact servers: The Delegate pulls artifacts and metadata from artifact servers using the account and ports required by the artifact server.
  • Deployments: Most Harness deployments to Virtual Machines (for example, AWS, GCP, Azure, Datacenter) are performed using SSH over port 22. The VPC firewall setting might also require additional open ports for administration, such as HTTP 443.
  • Verifications: The Delegate makes API calls to verification providers using the access keys required by the providers.
  • Security: For security, such as SAML and LDAP, the Delegate uses the account and ports required by the provider, such as an Active Directory domain controller running in an Azure or AWS VPC.

In general, if you are already connecting to your artifact servers, cloud, verification, and security providers from within your network or VPC, and you install the Harness Delegate inside that network or VPC, there is little network or VPC configuration needed. You simply need to specify accounts and ports when configuring Harness to use the providers.

ConnectionsPermissions and Harness DocsPorts for Delegate Connections to ServicesProvider References
Active Directory LDAPUser account in the Active Directory.HTTPS: 443.LDAP without SSL: 389.Secure LDAP (LDAPS): 636.Users and Groups
AppDynamicsGeneral permission: View, Edit and Delete permissions for new applications can be set as part of the default permissions for a custom role.HTTP: 80General Permissions
AWS CloudIAM user to be able to make API requests to AWS.DescribeRegions required.Depends on the firewall settings of your VPC, but typically, HTTP: 443.Creating an IAM User in Your AWS Account
AWS CodeDeployPolicies:
  • AWSCodeDeployRole
  • AWSCodeDeployDeployerAccess
  • DescribeRegions required also.
  • HTTPS: 443.AWS Managed (Predefined) Policies for AWS CodeDeploy
    AWS EC2Policy: AmazonEC2FullAccessDescribeRegions required also.HTTP: 80.HTTP: 443.TCP: 9090.Controlling Access to Amazon EC2 Resources
    AWS ELB, ALB, ECSPolicy for Elastic Load Balancer, Application Load Balancer, and Elastic Container Service.DescribeRegions required also.Well-known ports: 25, 80, 443, 465, and 587.Amazon ECS Service Scheduler IAM Role
    AWS S3Policy: AmazonS3ReadOnlyAccess.DescribeRegions required also.HTTP: 443.Creating an IAM User in Your AWS Account
    AzureClient (Application) and Tenant (Directory) IDs, and Key.Windows VMs (WinRM ports): HTTP: 5985, HTTPS: 5986.Get application ID and authentication key
    BambooUsername and password for account.HTTP: 443.TCP: 8085.Bamboo permissions
    BugsnagData Access API Auth Token.The Bugsnag Data Access API is exposed on the same TCP port as the dashboard, 49080.Data Access API Authentication
    DatadogAPI Key.HTTPS: 443.Open Ports
    Docker RegistryUser permission level.TCP: 8083.Permission levels
    DynatraceAccess token.HTTPS: 443.Access tokens
    ELK ElasticsearchUser (Read permission) or Token Header and Token Value.TCP: 9200.User authentication
    Github RepoUser account: repository owner.Organization account: read and write.HTTP: 443.Permission levels for a user account repository Repository permission levels for an organization
    Google Cloud Platform (GCP)Policies:
  • Kubernetes Engine Admin.
  • Storage Object Viewer.
  • SSH: 22.Understanding Roles
    JFrog ArtifactoryPrivileged User: Read permission.HTTP: 443.Managing Permissions
    JenkinsMatrix-based: Read permission.Execute Permission, if jobs are triggered from Harness stage.HTTPS: 443.Matrix-based security
    Kubernetes ClusterOne of the following:* Same cluster as kubernetes delegate. Use this option if you installed the Harness Delegate in your cluster.
  • Username and password.
  • CA certificate, client certificate, and client key. Key passphrase and key algorithm are optional.
  • For OpenShift: Kubernetes service account token.
  • Depends where the cluster is hosted, such as GCP or AWS.Authenticating
    LogzToken-based.HTTPS: 443.Announcing the Logz.io Search API
    OpenShiftKubernetes service account token.HTTPS: 443.Enabling Service Account Authentication
    New RelicAPI key.HTTPS: 443.Access to REST API keys
    NexusUser account with Repository View Privilege or read for repository.TCP: 8081.Nexus Managing Security
    Tanzu Application Service (formerly Pivotal Cloud Foundry)User account with Admin, Org Manager, or Space Manager role. The user account must be able to update spaces, orgs, and applications.HTTP: 80 or 443.Orgs, Spaces, Roles, and Permissions
    PrometheusNone.Depends on where the Prometheus server is hosted. For example, on AWS, port 9090 might be required.Configuration
    SMTPNone.TCP: 25.
    SplunkUser account with Read permissions on eventtypes objects.TCP: 8089 for API.Set permissions for objects in a Splunk app
    Sumo LogicUser account with access ID and key and query permissions.HTTPS: 443.API Authentication
    WinRMUser account in the same Active Directory domain as the Windows instances the connection uses.HTTP: 5985.HTTPS: 5986 and 443.SSH: 22.Installation and Configuration for Windows Remote Management