Configure CORS for Web Browser Access
Configure CORS policies to allow web browsers to access your Object Storage buckets from different domains.
To enable cross-origin resource sharing (CORS) for your AI Object Storage bucket, you need to set an XML CORS configuration using s3:PutBucketCORS. This configuration defines which origins, HTTP methods, and headers are permitted. For more information about CORS, see CORS for Web Browser Access.
Prerequisites
- Have the Object Storage Admin IAM role (assigned through CoreWeave IAM Access Policies), or equivalent permissions to configure AI Object Storage access policies.
- Ensure that your AI Object Storage organization and/or bucket access policies grant your principal the s3:PutBucketCORS action (or s3:*) on the target bucket.
- Have the aws s3api CLI tool installed and configured for your AI Object Storage environment.
All origins GET request
This configuration enables cross-origin resource sharing (CORS) for a specific bucket. It has one rule that allows all origins to perform GET requests on the bucket:
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <MaxAgeSeconds>3000</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>
In this example, the CORS configuration allows any origin (*) to perform GET requests on the bucket. You can customize the AllowedOrigin, AllowedMethod, and AllowedHeader elements to suit your needs.
You can set this CORS configuration using the aws s3api command:
$ aws s3api put-bucket-cors --bucket my-bucket --cors-configuration file://cors.xml
Where cors.xml contains the CORS configuration in XML format, like the example above.
Specific origin with multiple methods
The following example restricts CORS to a specific origin and allows multiple HTTP methods, as well as specific headers. This configuration also sets a MaxAgeSeconds value to cache the preflight response for 30 minutes and exposes a custom header x-amz-request-id to the client.
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://www.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedHeader>Authorization</AllowedHeader>
    <AllowedHeader>Content-Type</AllowedHeader>
    <MaxAgeSeconds>1800</MaxAgeSeconds>
    <ExposeHeader>x-amz-request-id</ExposeHeader>
  </CORSRule>
</CORSConfiguration>
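The script below is an added example, not part of the CoreWeave documentation or tooling. It audits a CORS configuration file before upload, run here over the two configurations shown on this page. The finding names and the choice of what to flag (wildcard origins, wildcard headers, cleartext http:// origins, write methods open to any origin) are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# The two configurations from this page, embedded so the script runs offline.
ALL_ORIGINS_GET = "<CORSConfiguration><CORSRule><AllowedOrigin>*</AllowedOrigin><AllowedMethod>GET</AllowedMethod><AllowedHeader>*</AllowedHeader><MaxAgeSeconds>3000</MaxAgeSeconds></CORSRule></CORSConfiguration>"
SPECIFIC_ORIGIN = "<CORSConfiguration><CORSRule><AllowedOrigin>https://www.example.com</AllowedOrigin><AllowedMethod>GET</AllowedMethod><AllowedMethod>PUT</AllowedMethod><AllowedHeader>Authorization</AllowedHeader><AllowedHeader>Content-Type</AllowedHeader><MaxAgeSeconds>1800</MaxAgeSeconds><ExposeHeader>x-amz-request-id</ExposeHeader></CORSRule></CORSConfiguration>"

# Methods that modify bucket contents (this grouping is an assumption of the example).
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def _local(tag):
    # Drop an XML namespace prefix such as "{http://...}CORSRule", if present.
    return tag.rsplit("}", 1)[-1]


def audit_cors(xml_text):
    """Return a list of (rule_number, finding) tuples for one CORSConfiguration."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "CORSConfiguration":
        raise ValueError("root element is not CORSConfiguration")
    findings = []
    rules = [el for el in root if _local(el.tag) == "CORSRule"]
    for number, rule in enumerate(rules, 1):
        values = {}
        for child in rule:
            values.setdefault(_local(child.tag), []).append((child.text or "").strip())
        origins = values.get("AllowedOrigin", [])
        methods = {m.upper() for m in values.get("AllowedMethod", [])}
        if "*" in origins:
            # Any website's script may read responses covered by this rule.
            findings.append((number, "wildcard-origin"))
            if methods & WRITE_METHODS:
                findings.append((number, "wildcard-origin-with-write-method"))
        if any(o.startswith("http://") for o in origins):
            findings.append((number, "cleartext-origin"))
        if "*" in values.get("AllowedHeader", []):
            findings.append((number, "wildcard-header"))
    return findings


if __name__ == "__main__":
    for name, doc in (("all-origins", ALL_ORIGINS_GET), ("specific-origin", SPECIFIC_ORIGIN)):
        print(name, audit_cors(doc) or "no findings")
```

A finding is a prompt for review rather than an error: the all-origins rule is appropriate for content that is meant to be publicly readable.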