diff --git a/docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md b/docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md index b9da0a252a..268c2c7ed8 100644 --- a/docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md +++ b/docs/src/user-docs/guides-using-object-storage/aws-s3/clp-config.md @@ -149,16 +149,40 @@ aws_authentication: `` should be the name of an existing [AWS CLI profile](index.md#named-profiles). In addition, the *top-level* config `aws_config_directory` must be set to the directory containing -the profile configurations (typically `~/.aws`): +the profile configurations: + +::::{tab-set} +:::{tab-item} Docker Compose +:sync: docker + +Typically `~/.aws`: ```yaml aws_config_directory: "" ``` -:::{note} +```{note} If profiles are not used for AWS authentication, `aws_config_directory` should be commented or set to `null`. +``` + +::: + +:::{tab-item} Kubernetes (Helm) +:sync: kind + +Provide your AWS config file contents via `--set-file`: + +```bash +helm install clp/clp \ + --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \ + --set-file clpConfig.aws_config.config=$HOME/.aws/config +``` + +See [Installing the Helm chart][k8s-install-helm-chart] for details. + ::: +:::: ### env_vars @@ -198,4 +222,5 @@ Credentials are resolved in priority order. Common sources include: [aws-region-codes]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.RegionsAndAvailabilityZones.html#Concepts.RegionsAndAvailabilityZones.Availability [boto3-credentials]: https://docs.aws.amazon.com/boto3/latest/guide/credentials.html#configuring-credentials +[k8s-install-helm-chart]: ../../guides-k8s-deployment.md#installing-the-helm-chart [rust-sdk-credentials]: https://docs.aws.amazon.com/sdk-for-rust/latest/dg/credproviders.html diff --git a/tools/deployment/package-helm/Chart.yaml b/tools/deployment/package-helm/Chart.yaml index efd7f51af1..a161236299 100644 --- a/tools/deployment/package-helm/Chart.yaml 
+++ b/tools/deployment/package-helm/Chart.yaml @@ -1,6 +1,6 @@ apiVersion: "v2" name: "clp" -version: "0.3.2-dev.5" +version: "0.3.2-dev.6" description: "A Helm chart for CLP's (Compressed Log Processor) package deployment" type: "application" appVersion: "0.12.1-dev" diff --git a/tools/deployment/package-helm/templates/_helpers.tpl b/tools/deployment/package-helm/templates/_helpers.tpl index 3f9ce509c6..677ba6287d 100644 --- a/tools/deployment/package-helm/templates/_helpers.tpl +++ b/tools/deployment/package-helm/templates/_helpers.tpl @@ -354,6 +354,13 @@ hostPath: type: "Directory" {{- end }} +{{/* +The mount path for the AWS config directory inside containers. + +@return {string} Path string +*/}} +{{- define "clp.awsConfigMountPath" -}}/opt/clp/.aws{{- end }} + {{/* Creates a volumeMount for the AWS config directory. @@ -362,21 +369,20 @@ Creates a volumeMount for the AWS config directory. */}} {{- define "clp.awsConfigVolumeMount" -}} name: "aws-config" -mountPath: {{ .Values.clpConfig.aws_config_directory | quote }} +mountPath: {{ include "clp.awsConfigMountPath" . | quote }} readOnly: true {{- end }} {{/* -Creates a volume for the AWS config directory. +Creates a volume for the AWS config directory backed by the chart-managed Secret. @param {object} . Root template context @return {string} YAML-formatted volume definition */}} {{- define "clp.awsConfigVolume" -}} name: "aws-config" -hostPath: - path: {{ .Values.clpConfig.aws_config_directory | quote }} - type: "Directory" +secret: + secretName: {{ include "clp.fullname" . }}-aws-config {{- end }} {{/* diff --git a/tools/deployment/package-helm/templates/aws-config-secret.yaml b/tools/deployment/package-helm/templates/aws-config-secret.yaml new file mode 100644 index 0000000000..92f9280848 --- /dev/null +++ b/tools/deployment/package-helm/templates/aws-config-secret.yaml 
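Review bot: The `secret:` volume in `clp.awsConfigVolume` sets no `defaultMode`, so Kubernetes projects the `credentials` and `config` files with the default 0644 mode and every user and process in the container can read the AWS keys. Consider adding `defaultMode: 0440` under `secret:` (or 0400 if the container user owns the files). The right value depends on the pods' `runAsUser`/`fsGroup`, which are not visible in this hunk, so confirm it against the deployments. A short comment on the helper noting that this mount holds long-lived credentials would also help the next maintainer.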
@@ -0,0 +1,15 @@ +{{- if .Values.clpConfig.aws_config }} +apiVersion: "v1" +kind: "Secret" +metadata: + name: {{ include "clp.fullname" . }}-aws-config + labels: + {{- include "clp.labels" . | nindent 4 }} +stringData: + {{- with .Values.clpConfig.aws_config.credentials }} + credentials: {{ . | quote }} + {{- end }} + {{- with .Values.clpConfig.aws_config.config }} + config: {{ . | quote }} + {{- end }} +{{- end }} diff --git a/tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml b/tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml index 0eafee6515..11f6855bc5 100644 --- a/tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml +++ b/tools/deployment/package-helm/templates/compression-scheduler-deployment.yaml @@ -77,7 +77,7 @@ spec: mountPath: "/etc/clp-config.yaml" subPath: "clp-config.yaml" readOnly: true - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolumeMount" . | nindent 14 }} {{- end }} {{- if eq .Values.clpConfig.logs_input.type "fs" }} @@ -97,7 +97,7 @@ spec: - name: "config" configMap: name: {{ include "clp.fullname" . }}-config - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolume" . | nindent 10 }} {{- end }} {{- if eq .Values.clpConfig.logs_input.type "fs" }} diff --git a/tools/deployment/package-helm/templates/compression-worker-deployment.yaml b/tools/deployment/package-helm/templates/compression-worker-deployment.yaml index 7c942c662b..f5fc0b55d0 100644 --- a/tools/deployment/package-helm/templates/compression-worker-deployment.yaml +++ b/tools/deployment/package-helm/templates/compression-worker-deployment.yaml 
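Review bot: Feeding `credentials` through chart values means the AWS keys are stored twice: in this Secret and in Helm's own release record, where anyone who can read the release Secrets in the namespace or run `helm get values` can recover them. Consider letting operators reference a Secret they created out of band and skipping this template in that case, e.g. guarding with `{{- if and .Values.clpConfig.aws_config (not .Values.clpConfig.aws_config.existingSecret) }}` (the key name is illustrative) and resolving `secretName` in `clp.awsConfigVolume` to match. Separately, the outer `if` is true for any non-empty `aws_config` map, so a map with neither `credentials` nor `config` appears to render an empty `stringData:` that the pods then mount. Checking the two keys with `or` would avoid that.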
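Review bot: Switching the guard from `aws_config_directory` to `aws_config` in the compression-scheduler template means an existing release that still sets `clpConfig.aws_config_directory` now renders without the mount and without any error. The same applies to the compression-worker, garbage-collector, query-worker, webui and configmap hunks. The pods would then resolve credentials from whatever source comes next in the SDK's priority order, which may be a different identity than the operator intended. A render-time check in one template would make the migration explicit, e.g. `{{- if .Values.clpConfig.aws_config_directory }}{{ fail "clpConfig.aws_config_directory is no longer supported; use clpConfig.aws_config" }}{{- end }}`.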
@@ -73,7 +73,7 @@ spec: ) | quote }} mountPath: "/var/data/staged-archives" {{- end }} - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolumeMount" . | nindent 14 }} {{- end }} {{- if eq .Values.clpConfig.logs_input.type "fs" }} @@ -116,7 +116,7 @@ spec: ) | quote }} emptyDir: {} {{- end }} - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolume" . | nindent 10 }} {{- end }} {{- if eq .Values.clpConfig.logs_input.type "fs" }} diff --git a/tools/deployment/package-helm/templates/configmap.yaml b/tools/deployment/package-helm/templates/configmap.yaml index a66be78db8..ff147f7d55 100644 --- a/tools/deployment/package-helm/templates/configmap.yaml +++ b/tools/deployment/package-helm/templates/configmap.yaml @@ -205,8 +205,8 @@ data: target_uncompressed_size: {{ .target_uncompressed_size | int }} {{- end }}{{/* with .Values.clpConfig.stream_output */}} tmp_directory: "/var/tmp" - {{- if .Values.clpConfig.aws_config_directory }} - aws_config_directory: {{ .Values.clpConfig.aws_config_directory | quote }} + {{- if .Values.clpConfig.aws_config }} + aws_config_directory: {{ include "clp.awsConfigMountPath" . | quote }} {{- end }} webui: host: "localhost" diff --git a/tools/deployment/package-helm/templates/garbage-collector-deployment.yaml b/tools/deployment/package-helm/templates/garbage-collector-deployment.yaml index 4f6c003d99..27218e061f 100644 --- a/tools/deployment/package-helm/templates/garbage-collector-deployment.yaml +++ b/tools/deployment/package-helm/templates/garbage-collector-deployment.yaml @@ -75,7 +75,7 @@ spec: ) | quote }} mountPath: "/var/data/archives" {{- end }} - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolumeMount" . | nindent 14 }} {{- end }} {{- if eq .Values.clpConfig.stream_output.storage.type "fs" }} 
@@ -106,7 +106,7 @@ spec: "name" "archives" ) | nindent 10 }} {{- end }} - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolume" . | nindent 10 }} {{- end }} {{- if eq .Values.clpConfig.stream_output.storage.type "fs" }} diff --git a/tools/deployment/package-helm/templates/query-worker-deployment.yaml b/tools/deployment/package-helm/templates/query-worker-deployment.yaml index 4641efaf01..c4917563df 100644 --- a/tools/deployment/package-helm/templates/query-worker-deployment.yaml +++ b/tools/deployment/package-helm/templates/query-worker-deployment.yaml @@ -63,7 +63,7 @@ spec: ) | quote }} mountPath: "/var/data/archives" {{- end }} - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolumeMount" . | nindent 14 }} {{- end }} {{- if eq .Values.clpConfig.stream_output.storage.type "fs" }} @@ -105,7 +105,7 @@ spec: "name" "archives" ) | nindent 10 }} {{- end }} - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolume" . | nindent 10 }} {{- end }} {{- if eq .Values.clpConfig.stream_output.storage.type "fs" }} diff --git a/tools/deployment/package-helm/templates/webui-deployment.yaml b/tools/deployment/package-helm/templates/webui-deployment.yaml index c528b79603..52ec99e4bf 100644 --- a/tools/deployment/package-helm/templates/webui-deployment.yaml +++ b/tools/deployment/package-helm/templates/webui-deployment.yaml @@ -80,7 +80,7 @@ spec: mountPath: "/opt/clp/var/www/webui/server/dist/settings.json" subPath: "webui-server-settings.json" readOnly: true - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolumeMount" . | nindent 14 }} {{- end }} {{- if eq .Values.clpConfig.logs_input.type "fs" }} 
@@ -112,7 +112,7 @@ spec: - name: "server-settings" configMap: name: {{ include "clp.fullname" . }}-config - {{- if .Values.clpConfig.aws_config_directory }} + {{- if .Values.clpConfig.aws_config }} - {{- include "clp.awsConfigVolume" . | nindent 10 }} {{- end }} {{- if eq .Values.clpConfig.logs_input.type "fs" }} diff --git a/tools/deployment/package-helm/values.yaml b/tools/deployment/package-helm/values.yaml index 02d71a14ab..0b78efc4c9 100644 --- a/tools/deployment/package-helm/values.yaml +++ b/tools/deployment/package-helm/values.yaml @@ -243,8 +243,13 @@ clpConfig: archive: 60 search_result: 30 - # Location of the AWS tools' config files (e.g., `~/.aws`). Set to null to disable. - aws_config_directory: null + # AWS config content (e.g., `~/.aws/config`). Provide file contents via `--set-file` to create a + # chart-managed Secret that is mounted into pods. Set to null to disable. + # Usage: + # helm install \ + # --set-file clpConfig.aws_config.credentials=$HOME/.aws/credentials \ + # --set-file clpConfig.aws_config.config=$HOME/.aws/config + aws_config: null credentials: database: