File Uploads for AI Agents Without Exposing Storage Credentials

A practical pattern for passing PDFs, CSVs, logs, and repo snapshots into agent runs safely.

Audience: Document automation teams building AI workflows on top of customer files.

The problem

The shortcut is to give the agent a bucket URL or storage key. That creates long-lived access where the agent only needed run-scoped inputs.

Implementation path

Upload files to the run request, inject them into /skill/.argo/inputs, let the agent read normal files, and return signed artifact URLs only after finalization.

Tradeoffs and failure modes

Run-scoped uploads require a little more API discipline, but remove storage credentials from the model’s workspace.

Input layout

/skill/.argo/inputs/01-invoice.pdf
/skill/.argo/inputs/02-packing-list.csv
/skill/output/artifacts/result.xlsx

Run this on Argo