About Access Keys
Learn about AI Object Storage access keys
CoreWeave AI Object Storage uses Access Keys to authenticate requests for users and workloads. Access Keys are created either in Cloud Console, or by using Workload Identity Federation, which is recommended for production.
Before you can create or manage Access Keys, you need an API Access Token with admin
permissions.
Using Cloud Console tokens
Cloud Console tokens allow for an easier but slightly less security-conscious method to create either permanent or time-limited Access Keys for CoreWeave AI Object Storage using Cloud Console tokens. To create an Access Key using a Cloud Console token, follow the steps in How-To: Create Key with a Cloud Console token.
Keys generated with Cloud Console tokens are created by submitting API requests to CreateAccessKeyFromJWT
, and have these characteristics:
- Duration: Keys can be persistent, or they can be time-limited for up to 12 hours.
- Identity format:
coreweave/<cloud-token-id>
. - Requirements: Requires access to the Cloud Console. The Cloud Console token used to create the Access Key must have
write
permissions for Object Storage to allow users to upload data. See: How to: Create an API Access Token for details.
Using Workload Identity Federation
Using Workload Identity Federation is highly recommended for production workloads, and for granting machine-to-machine access for workloads to access AI Object Storage.
Creating Access Keys using SAML assertions with Workload Identity Federation which is a slightly more complex but much more secure method of creating keys.
Keys generated with SAML assertions are generated by submitting API requests to CreateAccessKeysFromSAML
, and have these characteristics:
- Duration: Keys are ephemeral and have a maximum lifespan of 12 hours.
- Identity format:
saml/<saml-role>
. - Requirements: A valid
configId
, generated from a Workload Identity Federation configuration, must be created for the Access Key and passed in to the API request. See How-To: Manage Workload Identity Federation for AI Object Storage andCreateAccessKeyFromSAML
for more information.
Identity formats
Recognizing the Access Key format can be useful for auditing and diagnostic purposes. The method by which an Access Key was created can be determined by examining its identity format:
- Keys created using SAML assertions have this format:
saml/<saml-role>
. - Keys created using Cloud Console tokens have this format:
coreweave/<cloud-token-id>
. - Keys created using CoreWeave internal tools have this format:
static/<key-id>
.
Types of access keys
Understanding different key types helps you choose the right management approach:
- Permanent keys: Don't expire automatically, require manual rotation
- Temporary keys: Expire after a set duration (up to 12 hours)
- SAML-generated keys: Created with Workload Identity Federation, automatically ephemeral
For production environments, consider using Workload Identity Federation for automated, secure key management. For less sensitive operations or for testing, you can use access keys created with Cloud Console tokens.
Managing your access keys
This section covers the full lifecycle of access key management:
- Create access keys: Generate new keys for users and workloads
- Revoke access keys: Remove keys that are no longer needed