diff --git a/internal/start/templates/kong.yml b/internal/start/templates/kong.yml
index 0c098886d..533aa7c37 100644
--- a/internal/start/templates/kong.yml
+++ b/internal/start/templates/kong.yml
@@ -151,8 +151,23 @@ services:
           replace:
             headers:
               - "Authorization: {{ .BearerToken }}"
+  # S3-compatible storage endpoint (no Authorization header transformation)
+  - name: storage-v1-s3
+    _comment: "Storage S3: /storage/v1/s3/* -> http://storage-api:5000/s3/*"
+    url: http://{{ .StorageId }}:5000/s3
+    routes:
+      - name: storage-v1-s3-all
+        strip_path: true
+        paths:
+          - /storage/v1/s3/
+    plugins:
+      - name: cors
+      # Note: No request-transformer plugin for Authorization header
+      # S3 presigned URLs require the original AWS signature in the Authorization header
+      # Adding/replacing with Bearer token would break S3 signature validation
+  # Regular storage API endpoint (with Authorization header transformation)
   - name: storage-v1
-    _comment: "Storage: /storage/v1/* -> http://storage-api:5000/*"
+    _comment: "Storage API: /storage/v1/* -> http://storage-api:5000/*"
     url: http://{{ .StorageId }}:5000/
     routes:
       - name: storage-v1-all