November 20, 2025 - IAM Access Policies
Platform-wide role-based access control for CoreWeave services
Release · Security · Overview
IAM Access Policies allow you to assign roles, which provide more granular access control than the legacy group-based permissions model. Administrators and privileged users can now define which principals (IAM users or groups) are allowed to perform specific actions across CoreWeave services. Policies are created once and evaluated wherever authorization is required, enabling consistent, least-privilege access across the Cloud Platform.
Features
Platform-wide authorization
IAM Access Policies govern access to CoreWeave services including:
- IAM management: User and group administration, SAML SSO configuration, and Automated User Provisioning
- CKS resources: Kubernetes clusters and VPC management
- AI Object Storage: Control plane aspects such as bucket administration, organization access policies, and access key management; data plane aspects such as object upload, download, and deletion are governed by organization and bucket access policies.
- Access tokens: Personal access token creation and management
- Billing: Access to billing dashboards, balances, and invoices
- Observability: Cluster metrics and performance monitoring dashboards
- Support: Support ticket and record access
- Access requests: Approval workflows for privileged access
IAM Access Policies govern CoreWeave Cloud Console actions but do not control:
- AI Object Storage S3-compatible API, which uses organization and bucket access policies
- Kubernetes RBAC within CKS clusters
Role-based access model
CoreWeave IAM operates on a default-deny posture: a principal that is not granted privileges by at least one access policy cannot perform any action. Policies assign one or more roles to users or groups, and each role grants a specific set of permissions:
| Role | Description |
|---|---|
| Access Token Viewer/Admin | Manage personal access tokens |
| IAM Viewer/Admin | View or manage IAM configuration and identity integrations |
| CKS Viewer/Admin | View or manage Kubernetes clusters and VPC resources |
| Object Storage Admin | Full administration of AI Object Storage buckets and policies |
| Billing Viewer | Read-only access to billing data |
| Observability Viewer | Access to cluster metrics and dashboards |
| Support Viewer | View support tickets and records |
| Access Request Approver | Approve privileged access requests |
Replacing legacy group-based permissions
IAM Access Policies replace the legacy permission model where user permissions were determined solely by group membership (admin, write, read, metrics, billing_viewer). The new system provides:
- Granular control: Assign specific roles rather than predefined bundles
- Flexible combinations: Mix and match roles to create custom permission sets
- Group and user targets: Apply policies to groups for easier management or to individual users for exceptions
- Consistent enforcement: Authorization evaluated uniformly across all services
Legacy group role assignments have been migrated to the new system, and you can now review and modify these assignments or create new groups with different role combinations.
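To make the default-deny, role-based model concrete, here is a small evaluator that mirrors the behaviour described above: policies bind roles to a user or a group, a user inherits the roles of every group they belong to, and an action is permitted only when some granted role carries the matching permission. This is an added illustration, not CoreWeave's implementation: the role names mirror the table above, but the permission strings, the governed-service list, the group names, the users and the policies are all constructed assumptions for the example. It also models the scope note above by refusing to answer for actions (such as S3 API calls or in-cluster Kubernetes operations) that IAM Access Policies do not govern, so a caller cannot mistake "out of scope" for "denied".

```python
"""Toy evaluator for a default-deny, role-based access policy model.

Added illustration only: this is not CoreWeave's implementation. Role names
mirror the roles listed on the page; permission strings, the governed-service
list, group names, users and policies below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Services whose console / control-plane actions the policy model governs
# (assumed prefixes). Anything else is evaluated elsewhere (bucket policies,
# Kubernetes RBAC) and must not be answered by this evaluator.
GOVERNED_SERVICES = {"iam", "cks", "objectstorage", "token", "billing",
                     "observability", "support", "accessrequest"}

# Each role grants a fixed permission set ("service:verb"). Viewer roles carry
# read-only verbs; Admin roles carry read plus write. Constructed for the example.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "access_token_viewer": frozenset({"token:read"}),
    "access_token_admin": frozenset({"token:read", "token:write"}),
    "iam_viewer": frozenset({"iam:read"}),
    "iam_admin": frozenset({"iam:read", "iam:write"}),
    "cks_viewer": frozenset({"cks:read"}),
    "cks_admin": frozenset({"cks:read", "cks:write"}),
    "object_storage_admin": frozenset({"objectstorage:read", "objectstorage:write"}),
    "billing_viewer": frozenset({"billing:read"}),
    "observability_viewer": frozenset({"observability:read"}),
    "support_viewer": frozenset({"support:read"}),
    "access_request_approver": frozenset({"accessrequest:approve"}),
}


@dataclass(frozen=True)
class Policy:
    """Binds one or more roles to a single principal (a user or a group)."""
    principal_type: str          # "user" or "group"
    principal: str
    roles: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.principal_type not in ("user", "group"):
            raise ValueError(f"unsupported principal type {self.principal_type!r}")
        unknown = set(self.roles) - set(ROLE_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")


def principals_for(user: str, group_members: Dict[str, Set[str]]) -> Set[Tuple[str, str]]:
    """A user is matched by user-targeted policies and by policies on every
    group that contains them."""
    principals = {("user", user)}
    for group, members in group_members.items():
        if user in members:
            principals.add(("group", group))
    return principals


def effective_roles(user: str, policies: List[Policy],
                    group_members: Dict[str, Set[str]]) -> Set[str]:
    """Union of roles from every policy whose principal matches the user."""
    targets = principals_for(user, group_members)
    roles: Set[str] = set()
    for policy in policies:
        if (policy.principal_type, policy.principal) in targets:
            roles |= policy.roles
    return roles


def effective_permissions(user: str, policies: List[Policy],
                          group_members: Dict[str, Set[str]]) -> Set[str]:
    perms: Set[str] = set()
    for role in effective_roles(user, policies, group_members):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(user: str, permission: str, policies: List[Policy],
               group_members: Dict[str, Set[str]]) -> bool:
    """Default deny: True only if some granted role carries the permission.
    Raises for actions this policy model does not govern at all."""
    service, _, _ = permission.partition(":")
    if service not in GOVERNED_SERVICES:
        raise ValueError(f"{permission!r} is not governed by IAM access policies "
                         "(data-plane S3 calls use organization/bucket policies; "
                         "in-cluster actions use Kubernetes RBAC)")
    return permission in effective_permissions(user, policies, group_members)


# Constructed sample directory and policies (assumptions, not real data).
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "platform-team": {"alice", "bob"},
    "finance": {"carol"},
}
POLICIES: List[Policy] = [
    Policy("group", "platform-team", frozenset({"cks_admin", "observability_viewer"})),
    Policy("group", "finance", frozenset({"billing_viewer"})),
    # Per-user exception layered on top of bob's group roles.
    Policy("user", "bob", frozenset({"iam_admin"})),
]

if __name__ == "__main__":
    checks = [("alice", "cks:write"), ("alice", "iam:write"), ("bob", "iam:write"),
              ("carol", "billing:read"), ("dave", "billing:read")]
    for who, perm in checks:
        verdict = "allow" if is_allowed(who, perm, POLICIES, GROUP_MEMBERS) else "deny"
        print(f"{who:6} {perm:18} -> {verdict}")
```

Running it shows `dave`, who appears in no policy, denied everything, `alice` allowed `cks:write` through her group but denied `iam:write`, and `bob` gaining `iam:write` only through the user-level exception. Asking about `s3:GetObject` raises rather than returning a verdict, which is the behaviour you want when wiring a console-side check so that data-plane decisions are never silently answered by the wrong policy layer.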