diff --git a/README.md b/README.md
index aae84bf..63ab507 100644
--- a/README.md
+++ b/README.md
@@ -184,7 +184,7 @@ Shared services used across multiple applications.
 
 - **[Versity S3 Gateway](https://github.com/versity/versitygw)** (Port: 10000 by default) - S3-compatible API over a POSIX directory (named Docker volumes). Use as shared object storage for apps that expect S3; pair with clients using path-style URLs and your LAN hostname or reverse proxy.
 
-**Configuration:** Set either `ROOT_ACCESS_KEY` / `ROOT_SECRET_KEY` or `ROOT_ACCESS_KEY_ID` / `ROOT_SECRET_ACCESS_KEY`. Optional `VERSITYGW_PORT`. The compose file uses pass-through env (not `${VAR}`) so secrets from the deploy environment (e.g. Komodo) are not blanked by interpolation; if the UI does not export vars to the compose process, use a `.env` beside `compose.yaml` with those names.
+**Configuration:** Set either `ROOT_ACCESS_KEY` / `ROOT_SECRET_KEY` or `ROOT_ACCESS_KEY_ID` / `ROOT_SECRET_ACCESS_KEY` in a `.env` file next to `compose.yaml` (see `.env.sample`). Optional `VERSITYGW_PORT`. Komodo writes Stack Environment to `.env` by default; the service uses `env_file: .env` so those values reach the container (unlike shell pass-through, which does not read that file).
 
 ---
 
diff --git a/komodo/s3/versitygw/.env.sample b/komodo/s3/versitygw/.env.sample
index ae26c5e..1ae4a21 100644
--- a/komodo/s3/versitygw/.env.sample
+++ b/komodo/s3/versitygw/.env.sample
@@ -1,8 +1,12 @@
 # Versity S3 Gateway — root credentials for the flat-file IAM backend.
-# Copy to `.env` and set strong values before `docker compose up -d`.
+# Copy to `.env` in this directory (same folder as compose.yaml).
 # https://github.com/versity/versitygw/wiki/Quickstart
 #
-# Set either pair (same names as the Kubernetes Helm chart):
+# Komodo: use these exact names in Stack Environment — they are written to `.env`
+# on the host (default `env_file_path`). If you change `env_file_path` in the Stack,
+# update `env_file` in compose.yaml to match.
+#
+# Set either pair (Helm chart uses the *_ID / *_ACCESS_KEY names):
 #   ROOT_ACCESS_KEY + ROOT_SECRET_KEY
 #   ROOT_ACCESS_KEY_ID + ROOT_SECRET_ACCESS_KEY
 
diff --git a/komodo/s3/versitygw/compose.yaml b/komodo/s3/versitygw/compose.yaml
index ee087e4..29aa199 100644
--- a/komodo/s3/versitygw/compose.yaml
+++ b/komodo/s3/versitygw/compose.yaml
@@ -5,13 +5,13 @@ services:
     image: versity/versitygw:v1.3.1
     container_name: versitygw
     restart: unless-stopped
+    # Komodo writes Stack Environment to `.env` in the run directory; that file is
+    # not automatically injected into the container unless listed here (pass-through
+    # only sees the compose process env, not this file).
+    env_file:
+      - path: .env
+        required: false
     environment:
-      # Pass-through (no `${VAR}`): avoids empty interpolation when secrets are
-      # only in the deploy environment (e.g. Komodo) or not in `.env`.
-      - ROOT_ACCESS_KEY
-      - ROOT_SECRET_KEY
-      - ROOT_ACCESS_KEY_ID
-      - ROOT_SECRET_ACCESS_KEY
       # Matches Helm chart default; enables `/_/health` for probes.
       - VGW_HEALTH=/_/health
     ports: