Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt

Use this file to discover all available pages before exploring further.

CoreWeave AI Object Storage uses Access Keys to authenticate requests for users and workloads. Access Keys are created either in Cloud Console, or by using Workload Identity Federation, which is recommended for production. Before you can create or manage Access Keys, you need an API Access Token with admin permissions.

Using Cloud Console tokens

Cloud Console tokens provide a straightforward way to create either permanent or time-limited Access Keys for CoreWeave AI Object Storage. To create an Access Key using a Cloud Console token, follow the steps in How-To: Create Key with a Cloud Console token. Keys generated with Cloud Console tokens are created by submitting API requests to CreateAccessKeyFromJWT, and have these characteristics:
  • Duration: Keys can be persistent, or they can be time-limited for up to 12 hours.
  • Identity format: coreweave/[CLOUD-TOKEN-ID].
  • Requirements: Requires access to the Cloud Console. The Cloud Console token used to create the Access Key must have write permissions for Object Storage to allow users to upload data. See: How to: Create an API Access Token for details.

Using Workload Identity Federation

Workload Identity Federation is recommended for production workloads. Instead of storing long-lived credentials, your applications obtain tokens from your existing identity provider and exchange them for short-lived Access Keys that automatically expire.

Workload Identity Federation with OIDC

OIDC is the recommended method for cloud-native and Kubernetes workloads. It uses short-lived tokens from your identity provider, such as GitHub Actions, a Kubernetes service account, or any OIDC-capable IdP, and exchanges them for temporary Access Keys with a 15-minute lifespan. OIDC is the standard approach for machine-to-machine authentication in modern cloud environments. Keys generated with OIDC tokens are created by submitting API requests to CreateAccessKeyFromOIDC, which is a GET request to an endpoint with the Organization ID, using the token as the authorization header.
  • Duration: Keys are ephemeral with a 15-minute lifespan.
  • Identity format: role/[ISSUER-URL]:[SUBJECT-USER-ID].

Workload Identity Federation with SAML

For advanced enterprise use-cases, SAML assertions are also supported. SAML is suited for organizations that already have SAML-based identity infrastructure and require integration with enterprise IdPs such as Active Directory Federation Services or similar systems. Keys generated with SAML assertions are created by submitting API requests to CreateAccessKeyFromSAML, and have these characteristics:
  • Duration: Keys are ephemeral with a maximum lifespan of 12 hours.
  • Identity format: role/[SAML-ROLE].
  • Requirements: A valid configId, generated from a Workload Identity Federation configuration, must be created for the Access Key and passed in to the API request. See Using Workload Identity Federation with SAML and CreateAccessKeyFromSAML for more information.

Identity formats

Recognizing the Access Key format can be useful for auditing and diagnostic purposes. The method by which an Access Key was created can be determined by examining its identity format:
Creation MethodIdentity Format
OIDC tokensrole/[ISSUER-URL]:[SUBJECT-USER-ID]
Cloud Console tokenscoreweave/[CLOUD-TOKEN-ID]
CoreWeave internal toolsstatic/[KEY-ID]
SAML assertionsrole/[SAML-ROLE]

Types of access keys

Access Keys fall into two categories based on how they are created: Static keys are created using Cloud Console tokens and are intended for development, testing, and manual operations:
  • Permanent keys: Do not expire. Require manual rotation.
  • Temporary keys: Expire after a set duration of up to 12 hours.
WIF keys are created using Workload Identity Federation and are intended for production workloads. They are always ephemeral and never need to be stored or rotated:
  • OIDC-generated keys: 15-minute lifespan, automatically refreshed by your application.
  • SAML-generated keys: Up to 12-hour lifespan, automatically refreshed via SAML assertion exchange.
For production environments, use Workload Identity Federation for automated, secure key management. For less sensitive operations or for testing, you can use access keys created with Cloud Console tokens.

Managing your access keys

This section covers the full lifecycle of access key management:
Last modified on April 14, 2026