Disabling secret sharing for IBM Software Hub vaults

An instance administrator can optionally disable secret sharing for vaults. Disable secret sharing to ensure that secret owners cannot share secrets that are stored in vaults with other users.

Permissions you need for this task

To complete this task, you must have one of the following roles:

  • Cluster administrator
  • Instance administrator

When you need to complete this task

Complete this task if you want to prevent users from sharing secrets that are stored in vaults.

You can complete this task anytime after IBM® Software Hub is installed. However, it is recommended that you complete this task before you give users access to IBM Software Hub.

About this task

When you disable secret sharing, users cannot share secrets from the internal vault or from an external vault.

Procedure

  1. Log in to your Red Hat® OpenShift® Container Platform cluster as a user with sufficient permissions to complete the task:
    ${OC_LOGIN}
  2. Run the following command to update the IBM Software Hub product-configmap ConfigMap:
    oc patch cm product-configmap \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    --type=merge \
    --patch '{"data": {"VAULT_DISABLE_SHARING_SECRET": "true"}}'
  3. Confirm that the VAULT_DISABLE_SHARING_SECRET parameter is set to true:
    oc get cm product-configmap \
    --namespace=${PROJECT_CPD_INST_OPERANDS} \
    -o jsonpath="{.data.VAULT_DISABLE_SHARING_SECRET}{'\n'}"

Results

When the VAULT_DISABLE_SHARING_SECRET parameter is set to true, users who own secrets in the internal vault cannot share their secrets with other users. Users who own secrets in an external vault cannot share their secrets with other users even if they have the Share secrets permission.