Introduction to Authentication and Access Control
Learn how to manage user access to CKS clusters
If you are an administrator logging in to your CoreWeave account for the first time, see How to: Activate Your CoreWeave Organization.
Managing organization access
CoreWeave supports several methods for authenticating organization users to CKS.
Managed Auth
Managed Auth is the recommended path for handling user authorization in CKS.
Managed Auth refers to a series of CoreWeave-provided tools that simplify authentication and give customers flexible, easy-to-manage methods of authorization management.
SAML SSO
Security Assertion Markup Language (SAML) is a protocol that enables Single Sign-On (SSO), allowing organization users to easily identify themselves to services like CoreWeave Kubernetes Service and the CoreWeave Cloud Console. CoreWeave supports SAML/SSO as an organization-wide authentication method.
OIDC Workload Identity Federation for CKS
Traditional approaches to multi-cloud authentication often rely on long-lived API keys, service account credentials, or other static secrets that must be distributed to workloads. This creates operational overhead around credential rotation, increases security risks from credential exposure, and makes it difficult to implement fine-grained access controls across different cloud providers.
OIDC Workload Identity transforms your CKS cluster into a trusted identity provider that can authenticate your workloads to external services without static credentials. Instead of managing secrets, your applications use short-lived tokens issued by Kubernetes itself. These tokens are automatically rotated and can be configured with precise permissions using each cloud provider's native IAM systems. This approach eliminates credential sprawl while providing the security and operational benefits that modern multi-cloud architectures require. External services like AWS, GCP, and various SaaS platforms can be configured to trust tokens issued by your CKS cluster, enabling seamless authentication without the traditional secret management overhead.
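The contrast between the two approaches above, as an added example that is not taken from CoreWeave's documentation. It uses the standard Kubernetes projected service account token volume; the resource names, image, namespace, and audience value are placeholders, and CKS-specific setup such as the cluster's issuer URL is not shown.

```yaml
# Before: a long-lived static secret is distributed to the workload.
apiVersion: v1
kind: Pod
metadata:
  name: uploader-static                 # hypothetical name
spec:
  containers:
    - name: app
      image: registry.example.com/uploader:1.0   # placeholder image
      env:
        - name: CLOUD_API_KEY
          valueFrom:
            secretKeyRef:
              name: cloud-api-key       # valid until someone rotates it by hand
              key: api-key
---
# After: the workload presents a short-lived token issued by the cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: uploader                        # hypothetical name
  namespace: default
---
apiVersion: v1
kind: Pod
metadata:
  name: uploader-federated
  namespace: default
spec:
  serviceAccountName: uploader
  containers:
    - name: app
      image: registry.example.com/uploader:1.0
      volumeMounts:
        - name: federated-token
          mountPath: /var/run/secrets/federation
          readOnly: true
  volumes:
    - name: federated-token
      projected:
        sources:
          - serviceAccountToken:
              audience: https://sts.example.com   # placeholder; must equal the audience the external service expects
              expirationSeconds: 3600             # kubelet rewrites the file before the token expires
              path: token
```

The token's `sub` claim is `system:serviceaccount:default:uploader`, so the trust policy on the external service can be scoped to that one service account rather than to the whole cluster.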