Secret-volume-path security question

hi all,

The annotation vault.hashicorp.com/agent-inject-file configures the filename and path in the secrets volume where a Vault secret will be written. That means all the secrets will be exposed if someone gets this file. I just want to know if there are any safety issues with this design. Many thanks.

Yes, that's how the agent works; however, the safety issues are up to you and how you set up your pods and namespaces. Obviously doing this in an open fashion (i.e. a volume that everything has access to) is not a good idea.

Thanks for aram's reply. Is there a way to not generate this file but still pass secrets to the application, or to delete the file after passing secrets?

You don't need to generate the file at all; it's optional. You can use environment variables; that's another option.
You can also have the application talk to the agent directly, it’ll act as a caching proxy to your secrets.
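
As an added illustration of the "environment variables" option above (example code written for this page, not code from the thread or from HashiCorp), the pattern is to have the injector render the secret as shell `export` lines via a `vault.hashicorp.com/agent-inject-template-<name>` annotation and to have the container's entrypoint load that file into its environment before starting the application. The script below is the entrypoint half of that: a hypothetical helper, `load_env_file_and_remove`, which refuses a file that other users in the pod can read, exports only well-formed `KEY="value"` lines without `eval`-ing the file, and then deletes it. The rendered file path (`/vault/secrets/db`), the template text in the comments, and the sample file contents are all assumed/constructed for the example.

```shell
#!/bin/sh
# Added example: load a Vault Agent-rendered env file into the environment,
# then remove it. Assumed pod annotations (injector template syntax):
#
#   vault.hashicorp.com/agent-inject-secret-db: "database/creds/app"
#   vault.hashicorp.com/agent-inject-template-db: |
#     {{- with secret "database/creds/app" -}}
#     export DB_USER="{{ .Data.username }}"
#     export DB_PASS="{{ .Data.password }}"
#     {{- end }}
#
# with the container started as:  sh -c '. ./entrypoint.sh && exec ./app'
# where entrypoint.sh calls:       load_env_file_and_remove /vault/secrets/db

load_env_file_and_remove() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "load_env_file_and_remove: $f does not exist" >&2
        return 1
    fi

    # Octal mode such as 600 (GNU stat first, BSD stat as a fallback).
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *0) ;;  # "others" have no bits set: acceptable
        *)  echo "load_env_file_and_remove: $f is accessible to other users (mode $mode)" >&2
            return 1 ;;
    esac

    # Parse the file instead of sourcing it, so a secret value can never be
    # executed as shell. Accepts 'export KEY="value"' and 'KEY=value'.
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#export }
        case "$line" in
            ''|'#'*) continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        case "$key" in
            ''|*[!A-Za-z0-9_]*|[0-9]*)
                echo "load_env_file_and_remove: skipping malformed line" >&2
                continue ;;
        esac
        # Strip the one pair of double quotes the template writes around values.
        case "$value" in
            \"*\") value=${value#\"}; value=${value%\"} ;;
        esac
        export "$key=$value"
    done < "$f"

    # The application now carries the values; drop the on-disk copy.
    rm -f "$f"
}

# Constructed sample standing in for the file the agent would render.
# These are not real credentials.
SAMPLE_FILE="${TMPDIR:-/tmp}/vault-secrets-demo.$$"

write_sample_file() {
    rm -f "$SAMPLE_FILE"
    (
        umask 077   # create the file owner-only, as the injector does
        printf '%s\n' \
            '# rendered by Vault Agent (constructed sample)' \
            'export DB_USER="app-user"' \
            'export DB_PASS="s3cr3t pass"' \
            'export DB_URL="postgres://db:5432/app?sslmode=require"' \
            > "$SAMPLE_FILE"
    )
}

# Stand-alone demo run
write_sample_file
load_env_file_and_remove "$SAMPLE_FILE" &&
    echo "loaded DB_USER=$DB_USER into the environment; $SAMPLE_FILE removed"
```

Two caveats worth knowing before relying on this. First, deleting the file only removes one copy: the agent sidecar still holds the secret in its own memory and will write the file again whenever the template output changes (for example when a dynamic credential is rotated), so the application must tolerate the file reappearing, and the injector's secrets volume is a memory-backed emptyDir by default rather than a persistent disk. Second, environment variables are not a stronger boundary than a mode-600 file: anything running as the same user in the container can read them from `/proc/<pid>/environ`, and child processes inherit them. The other option aram mentions, letting the application talk to the agent directly, avoids both copies: with `vault.hashicorp.com/agent-cache-enable: "true"` the sidecar exposes a caching listener on `127.0.0.1:8200` inside the pod, and the application fetches secrets over the loopback interface without a file or environment variable ever being written.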

Okay, got it. Then I have no confusion now. Thanks a lot and have a good day!!!