BTW I’m using file_get_contents to read the password with php.
In case anyone wants to use the same method, you have to trim the result, because file_get_contents adds a whitespace at the end of the result.
$content = file_get_contents('/run/agenix/mysql.pwd');
echo $content === trim($content) ? 'No whitespace found' : 'Whitespace found';
// result is Whitespace found
The permission system has 3 levels of access: users, groups and others. So you can use the same user, the same group, or make it readable for everyone on the system (last is likely the worst option).
So if you don’t want to have a common group you need to use the same user, if you don’t want to place the same secrets out of the same encrypted file (which is the option you have).
Another possible option: use systemd for credentials here. With that you can keep the decrypted credentials as root user and systemd makes them readable for your units. But that also just is a reasonable option if you can/want to run everything through systemd.
See that option systemd.exec
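An added example, not code from either post: a PHP reader that takes the secret from the directory systemd exposes for `LoadCredential=` (the `CREDENTIALS_DIRECTORY` environment variable) and otherwise falls back to the `/run/agenix` path used above, refusing files that "others" can read. `readSecret()` and the demo values are hypothetical, and the sketch assumes the extra whitespace is a trailing newline stored in the secret file, so it strips only line endings.

```php
<?php
// Added example; readSecret() is a hypothetical helper, not part of agenix or systemd.
declare(strict_types=1);

function readSecret(string $name, string $fallbackDir = '/run/agenix'): string
{
    // systemd sets CREDENTIALS_DIRECTORY for units that use LoadCredential=.
    $dir  = getenv('CREDENTIALS_DIRECTORY');
    $base = ($dir !== false && $dir !== '') ? $dir : $fallbackDir;
    $path = $base . '/' . basename($name); // basename() blocks "../" in the name

    $perms = @fileperms($path);
    if ($perms === false) {
        throw new RuntimeException("secret not found: $path");
    }
    // The "others" read bit means every account on the host can read the secret.
    if (($perms & 0004) !== 0) {
        throw new RuntimeException("secret is world-readable: $path");
    }
    $raw = file_get_contents($path);
    if ($raw === false) {
        throw new RuntimeException("secret not readable: $path");
    }
    // Strip only trailing line endings; trim() would also eat leading or
    // trailing spaces that are part of the password itself.
    return rtrim($raw, "\r\n");
}

// Constructed demo: a temp directory stands in for the credentials directory.
$demo = sys_get_temp_dir() . '/cred-demo-' . getmypid();
mkdir($demo, 0700);
file_put_contents("$demo/mysql.pwd", "s3cret value\n"); // constructed sample secret
chmod("$demo/mysql.pwd", 0400);
putenv("CREDENTIALS_DIRECTORY=$demo");
var_dump(readSecret('mysql.pwd'));

chmod("$demo/mysql.pwd", 0444); // simulate the "readable for everyone" option
try {
    readSecret('mysql.pwd');
} catch (RuntimeException $e) {
    echo 'refused: ', $e->getMessage(), PHP_EOL;
}
unlink("$demo/mysql.pwd");
rmdir($demo);
```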