Security of /vault/secret/

I am still new to this, but after searching for a while I couldn’t find it.

I am using dynamic secret delivery to my MySQL application running in a pod. Thus, the secret is stored in /vault/secret/file. That file is world-readable, which means that if the pod gets compromised, access to that database (MySQL) is also automatically compromised. What can I do to stop this? Maybe I missed something…
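The rendered file is world-readable because Vault Agent writes templates with 0644 permissions unless told otherwise. The manifest below is an added example, not part of the original thread, showing the Vault Agent Injector annotations that set the rendered file to 0600 and run the agent sidecar as the same uid as the application container, so only that uid can read the credentials. The Vault role `mysql-app`, the secrets path `database/creds/mysql-role`, the service account name, uid/gid 1001 and the image name are assumptions; the injector's default secret volume path is /vault/secrets.

```yaml
# Added example (not from the original thread). Assumes the Vault Agent Injector
# (vault-k8s) is installed and that Vault role "mysql-app", bound to the pod's
# service account, may read database/creds/mysql-role. uid/gid 1001 are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mysql-client
spec:
  replicas: 1
  selector:
    matchLabels:
      app: mysql-client
  template:
    metadata:
      labels:
        app: mysql-client
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "mysql-app"
        # Render the dynamic credentials to /vault/secrets/db-creds (default volume path).
        vault.hashicorp.com/agent-inject-secret-db-creds: "database/creds/mysql-role"
        vault.hashicorp.com/agent-inject-template-db-creds: |
          {{- with secret "database/creds/mysql-role" -}}
          MYSQL_USER={{ .Data.username }}
          MYSQL_PASSWORD={{ .Data.password }}
          {{- end }}
        # Without this annotation the file is created 0644, readable by every uid in the pod.
        vault.hashicorp.com/agent-inject-perms-db-creds: "0600"
        # Run the agent sidecar as the first app container's uid so a 0600 file is
        # readable by the app and by nothing else. Requires runAsUser on that container.
        vault.hashicorp.com/agent-run-as-same-user: "true"
    spec:
      serviceAccountName: mysql-app
      containers:
        - name: app
          image: example/mysql-app:1.0   # assumed image
          securityContext:
            runAsUser: 1001
            runAsGroup: 1001
            runAsNonRoot: true
            allowPrivilegeEscalation: false
```

To confirm the result, run `kubectl exec deploy/mysql-client -c app -- stat -c '%a %u' /vault/secrets/db-creds` (GNU stat assumed in the image); the expected output is `600 1001`. The same effect with a hand-written Vault Agent configuration is `perms = "0600"` in the `template` stanza. Note the limit of this change: it stops other uids in the pod from reading the file, but a process already running as the application's own uid can still read it, so short TTLs on the dynamic credentials and revocation on compromise remain the real containment for the database.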

Either create a new policy and set it for the users, or change the default one, since it affects everyone automatically anyway.

path "/vault/secret/file" {
  capabilities = ["deny"]
}

See https://www.vaultproject.io/docs/concepts/policies.

Hope this helps!