Skip to main content
CoreWeave AI Object Storage bucket policies now support group-based access control, letting you grant or restrict access based on a principal’s group memberships rather than listing individual users.

Overview

Two new condition keys are available in bucket access policies:
  • iam:[ORG-ID]:groups: populated when a principal authenticates with a CoreWeave API access token. The key carries the principal’s CoreWeave IAM group memberships, sourced from SCIM.
  • oidc:[ORG-ID]:groups: populated when a principal authenticates through OIDC Workload Identity Federation. The key carries the groups from the OIDC token’s groups claim.
Because both keys are multi-valued, you reference them with set operators such as ForAnyValue:StringEqualsIgnoreCase rather than a plain string operator. This lets you write a single policy that stays accurate as group membership changes in your identity provider, without editing the policy itself.
Dedicated integrations for Google Workspace and Entra ID groups are upcoming.

What changed in documentation

  • Attribute-based access control: explains how group membership attributes are carried in credentials and how to reference them in policy conditions
  • Group-based access: example bucket policy that grants access to members of a named group
  • Condition keys reference: documents iam:[ORG-ID]:groups and oidc:[ORG-ID]:groups, including which authentication method populates each key
  • Direct access token exchange: explains that credentials obtained through API token exchange carry SCIM group memberships in iam:[ORG-ID]:groups
Last modified on July 16, 2026