diff --git a/abra-entrypoint.sh b/abra-entrypoint.sh index 6eb3500..cfade45 100644 --- a/abra-entrypoint.sh +++ b/abra-entrypoint.sh @@ -3,8 +3,9 @@ set -e [ -f /run/secrets/postgres_p ] && export DB_PASSWORD="$(cat /run/secrets/postgres_p)" [ -f /run/secrets/django_sk ] && export DJANGO_SECRET_KEY="$(cat /run/secrets/django_sk)" -[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)" +#[ -f /run/secrets/minio_rp ] && export MINIO_ROOT_PASSWORD="$(cat /run/secrets/minio_rp)" [ -f /run/secrets/minio_rp ] && export AWS_S3_SECRET_ACCESS_KEY="$(cat /run/secrets/minio_rp)" +[ -f /run/secrets/minio_ru ] && export AWS_S3_ACCESS_KEY_ID="$(cat /run/secrets/minio_ru)" [ -f /run/secrets/django_sp ] && export DJANGO_SUPERUSER_PASSWORD="$(cat /run/secrets/django_sp)" [ -f /run/secrets/oidc_rpcs ] && export OIDC_RP_CLIENT_SECRET="$(cat /run/secrets/oidc_rpcs)" [ -f /run/secrets/collab_ss ] && export COLLABORATION_SERVER_SECRET="$(cat /run/secrets/collab_ss)" diff --git a/compose.yml b/compose.yml index 17900d4..35a2bd3 100644 --- a/compose.yml +++ b/compose.yml @@ -27,7 +27,7 @@ x-common-env: &common-env # Media STORAGES_STATICFILES_BACKEND: django.contrib.staticfiles.storage.StaticFilesStorage AWS_S3_ENDPOINT_URL: http://minio:9000 - AWS_S3_ACCESS_KEY_ID: user + # AWS_S3_ACCESS_KEY_ID supplied via secret (this is same MINIO_ROOT_USER) # AWS_S3_SECRET_ACCESS_KEY supplied via secret (this is same as MINIO_ROOT_PASSWORD) MEDIA_BASE_URL: https://${DOMAIN} AWS_STORAGE_BUCKET_NAME: docs-media-storage 
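Review bot: The added `minio_ru` line fails open: `[ -f … ] && export …` is an `&&` list, so `set -e` does not stop the script when the secret file is absent. Because this commit also removes the `AWS_S3_ACCESS_KEY_ID: user` default from compose.yml, the variable is then simply unset. The compose.yml hunks shown here add `minio_ru` only to the service that runs the `mc` commands and to `minio`, so confirm that every service running this entrypoint also lists it under `secrets:`. If all of those services are meant to have S3 access, a guard after the exports such as `: "${AWS_S3_ACCESS_KEY_ID:?minio_ru secret not mounted}"` turns a missing mount into a startup error. The commented-out `MINIO_ROOT_PASSWORD` line is dead code and can be deleted.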
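Review bot: The new comment in `x-common-env` records that the application's S3 access key is the MinIO root user, so every service using this block holds full administrative credentials for the object store although it only needs `docs-media-storage`. Moving the value into a secret is an improvement, but a dedicated MinIO user or service account with a policy limited to that bucket would keep a compromised app container from managing users, policies or other buckets. The comment also drops two words; `# AWS_S3_ACCESS_KEY_ID supplied via secret (this is the same as MINIO_ROOT_USER)` would match the line below it.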
@@ -75,10 +75,12 @@ x-yprovider-env: &yprovider-env COLLABORATION_WS_URL: wss://${DOMAIN}/collaboration/ws/ x-minio-env: &minio-env - MINIO_ROOT_USER: user + # MINIO_ROOT_USER: user # MINIO_ROOT_PASSWORD supplied by secrets # TODO: switch to using password_file (currently only works with env var) # MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp + MINIO_ROOT_USER_FILE: /run/secrets/minio_ru + MINIO_ROOT_PASSWORD_FILE: /run/secrets/minio_rp services: app: @@ -206,7 +208,9 @@ services: networks: - backend entrypoint: > - sh -c "MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" && + sh -c " + MINIO_ROOT_USER=$(cat /run/secrets/minio_ru) && + MINIO_ROOT_PASSWORD=$(cat /run/secrets/minio_rp) && /usr/bin/mc alias set docs http://minio:9000 \$${MINIO_ROOT_USER} \"\$${MINIO_ROOT_PASSWORD}\" && /usr/bin/mc mb --ignore-existing docs/docs-media-storage && /usr/bin/mc version enable docs/docs-media-storage && @@ -218,6 +222,7 @@ services: condition: none secrets: - minio_rp + - minio_ru minio: image: minio/minio:RELEASE.2025-05-24T17-08-30Z @@ -243,6 +248,7 @@ services: mode: 0555 secrets: - minio_rp + - minio_ru web: image: nginx:1.29 @@ -304,6 +310,9 @@ secrets: minio_rp: external: true name: ${STACK_NAME}_minio_rp_${SECRET_MINIO_RP_VERSION} + minio_ru: + external: true + name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RP_VERSION} y_api_key: external: true name: ${STACK_NAME}_y_api_key_${SECRET_Y_API_KEY_VERSION} \ No newline at end of file
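Review bot: The comment lines kept above the new `x-minio-env` entries now contradict them: the TODO says `password_file` "currently only works with env var", while `MINIO_ROOT_PASSWORD_FILE` is set two lines below. If the TODO is still true for this image, or for a custom entrypoint on the `minio` service, the `_FILE` variables would be ignored and MinIO would fall back to its default root credentials, so this is worth verifying on a fresh deploy before the env-var path is dropped. If the `_FILE` variables do work, delete `# MINIO_ROOT_PASSWORD supplied by secrets`, the TODO, the commented `# MINIO_ROOT_PASSWORD_FILE` line and the leftover `# MINIO_ROOT_USER: user`. A single comment such as `# root credentials are read from the minio_ru / minio_rp secrets` would replace them.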
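Review bot: The two added assignments in the `entrypoint` string use a bare `$(cat …)`, whereas the line they replace and the `mc alias set` line right after them escape the dollar sign as `\$$` so that it reaches the container shell. As written, the compose tooling is likely to reject the substitution as an invalid interpolation, or to process it before the container's `sh` sees it, so the secrets would not be read where intended. Keeping the old form for both, `MINIO_ROOT_USER=\"\$$(cat /run/secrets/minio_ru)\" &&` and `MINIO_ROOT_PASSWORD=\"\$$(cat /run/secrets/minio_rp)\" &&`, stays consistent with the rest of the command. The `entrypoint` string continues past the end of this hunk.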
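Review bot: `minio_ru` is versioned with `${SECRET_MINIO_RP_VERSION}`, the password secret's variable, which looks like a copy-paste slip in the `secrets:` section. Sharing one version variable means the user name and the password cannot be rotated independently, and tooling that derives secrets from `SECRET_*_VERSION` variables may not pick up `minio_ru` at all. A separate variable, e.g. `name: ${STACK_NAME}_minio_ru_${SECRET_MINIO_RU_VERSION}` with a matching entry in the env template, would follow the pattern of the neighbouring secrets.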