Implementation:Kserve Kserve Storage Credentials Pattern

Knowledge Sources	KServe KServe Storage
Domains	MLOps, Security, Cloud_Storage
Last Updated	2026-02-13 00:00 GMT

Overview

Concrete YAML pattern for creating Kubernetes Secrets and ServiceAccounts that provide cloud storage credentials to KServe InferenceServices.

Description

This pattern defines the YAML manifests users must create to enable KServe's storage initializer to download model artifacts from cloud storage. It covers S3-compatible storage (with endpoint, region, and HTTPS annotations), HuggingFace Hub (with token-based auth), and the centralized storage-config Secret approach.

Usage

Use this pattern before deploying any InferenceService that references a remote storageUri (e.g., s3://, gs://, hf://). The ServiceAccount created here is referenced in the InferenceService's spec.predictor.serviceAccountName field.

Code Reference

Source Location

Repository: kserve
File: docs/samples/storage/s3/s3_secret.yaml (S3 example)
File: docs/samples/storage/hf/hf_secret.yaml (HuggingFace example)
File: config/configmap/inferenceservice.yaml, Line 652 (storageSpecSecretName default)

Signature

S3 Credential Secret

apiVersion: v1
kind: Secret
metadata:
  name: s3-secret
  annotations:
    serving.kserve.io/s3-endpoint: s3.amazonaws.com
    serving.kserve.io/s3-usehttps: "1"
    serving.kserve.io/s3-region: us-east-1
type: Opaque
data:
  AWS_ACCESS_KEY_ID: <base64-encoded>
  AWS_SECRET_ACCESS_KEY: <base64-encoded>
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-sa
secrets:
  - name: s3-secret

HuggingFace Token Secret

apiVersion: v1
kind: Secret
metadata:
  name: storage-config
type: Opaque
stringData:
  HF_TOKEN: <your-huggingface-token>
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hfserviceacc
secrets:
  - name: storage-config

Import

kubectl apply -f secret.yaml

I/O Contract

Inputs

Name	Type	Required	Description
AWS_ACCESS_KEY_ID	base64 string	Yes (S3)	AWS access key for S3
AWS_SECRET_ACCESS_KEY	base64 string	Yes (S3)	AWS secret key for S3
HF_TOKEN	string	Yes (HF)	HuggingFace authentication token
s3-endpoint	annotation string	No	S3-compatible endpoint URL
s3-usehttps	annotation "1"/"0"	No	Enable HTTPS for S3
s3-region	annotation string	No	AWS region

Outputs

Name	Type	Description
Secret	v1.Secret	Kubernetes Secret with storage credentials
ServiceAccount	v1.ServiceAccount	ServiceAccount bound to the Secret

Usage Examples

S3 Storage Credentials

# 1. Create S3 credentials
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: s3-secret
  annotations:
    serving.kserve.io/s3-endpoint: s3.amazonaws.com
    serving.kserve.io/s3-usehttps: "1"
    serving.kserve.io/s3-region: us-east-1
type: Opaque
data:
  AWS_ACCESS_KEY_ID: $(echo -n "AKIAIOSFODNN7EXAMPLE" | base64)
  AWS_SECRET_ACCESS_KEY: $(echo -n "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY" | base64)
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: s3-sa
secrets:
  - name: s3-secret
EOF

# 2. Reference in InferenceService
# spec.predictor.serviceAccountName: s3-sa

HuggingFace Token

# 1. Create HF token secret
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: storage-config
type: Opaque
stringData:
  HF_TOKEN: hf_aBcDeFgHiJkLmNoPqRsTuVwXyZ
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: hfserviceacc
secrets:
  - name: storage-config
EOF

Related Pages

Implements Principle

Principle:Kserve_Kserve_Storage_Credentials

Page Connections

Double-click a node to navigate. Hold to expand connections.

Principle

Implementation

Heuristic

Environment