> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# July 10, 2026 - AI Object Storage group-based access control

> Reference IAM and OIDC group memberships directly in CAIOS bucket policy conditions

CoreWeave AI Object Storage bucket policies now support group-based access control, letting you grant or restrict access based on a principal's group memberships rather than listing individual users.

## Overview

Two new condition keys are available in bucket access policies:

* **`iam:[ORG-ID]:groups`**: populated when a principal authenticates with a [CoreWeave API access token](/products/storage/object-storage/auth-access/manage-access-keys/api-access-token). The key carries the principal's CoreWeave IAM group memberships, sourced from SCIM.
* **`oidc:[ORG-ID]:groups`**: populated when a principal authenticates through [OIDC Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/use-oidc-tokens). The key carries the groups from the OIDC token's `groups` claim.

Because both keys are multi-valued, you reference them with set operators such as `ForAnyValue:StringEqualsIgnoreCase` rather than a plain string operator. This lets you write a single policy that stays accurate as group membership changes in your identity provider, without editing the policy itself.

<Note>
  Dedicated integrations for Google Workspace and Entra ID groups are upcoming.
</Note>

## What changed in documentation

* [Attribute-based access control](/products/storage/object-storage/auth-access/bucket-access/bucket-policies#attribute-based-access-control): explains how group membership attributes are carried in credentials and how to reference them in policy conditions
* [Group-based access](/products/storage/object-storage/auth-access/bucket-access/bucket-policies#group-based-access): example bucket policy that grants access to members of a named group
* [Condition keys reference](/products/storage/object-storage/auth-access/bucket-access/bucket-policies#condition-keys): documents `iam:[ORG-ID]:groups` and `oidc:[ORG-ID]:groups`, including which authentication method populates each key
* [Direct access token exchange](/products/storage/object-storage/auth-access/manage-access-keys/api-access-token): explains that credentials obtained through API token exchange carry SCIM group memberships in `iam:[ORG-ID]:groups`
