admin permissions.
Cloud Console tokens
Cloud Console tokens provide a direct way to create persistent or time-limited Access Keys for Object Storage. To create an Access Key with a Cloud Console token, follow the steps in How-To: Create Key with a Cloud Console token. To generate keys with Cloud Console tokens, submit API requests to CreateAccessKeyFromJWT. These keys have the following characteristics:
- Duration: Keys can be persistent, or they can be time-limited for up to 12 hours.
- Identity format: coreweave/[CLOUD-TOKEN-ID].
- Requirements: Requires access to the Cloud Console. The Cloud Console token used to create the Access Key must have write permissions for Object Storage so users can upload data. For details, see How to: Create an API Access Token.
Workload Identity Federation
Workload Identity Federation is recommended for production workloads. Instead of storing long-lived credentials, your applications obtain tokens from your existing identity provider and exchange them for short-lived Access Keys that automatically expire.
Workload Identity Federation with OIDC
OIDC is the recommended method for cloud-native and Kubernetes workloads. It uses short-lived tokens from your identity provider, such as GitHub Actions, a Kubernetes service account, or any OIDC-capable IdP, and exchanges them for temporary Access Keys with a 15-minute lifespan. OIDC is the standard approach for machine-to-machine authentication in cloud environments. To generate keys with OIDC tokens, submit API requests to CreateAccessKeyFromOIDC. The endpoint accepts a GET request that includes the Organization ID and uses the token as the authorization header.
- Duration: Keys are ephemeral with a 15-minute lifespan.
- Identity format: role/[ISSUER-URL]:[SUBJECT-USER-ID].
Workload Identity Federation with SAML
For enterprise use cases, Object Storage also supports SAML assertions. SAML suits organizations that already have SAML-based identity infrastructure and require integration with enterprise IdPs such as Active Directory Federation Services or similar systems. To generate keys with SAML assertions, submit API requests to CreateAccessKeyFromSAML. These keys have the following characteristics:
- Duration: Keys are ephemeral with a maximum lifespan of 12 hours.
- Identity format: role/[SAML-ROLE].
- Requirements: You must create a valid configId from a Workload Identity Federation configuration and pass it to the API request. For more information, see Using Workload Identity Federation with SAML.
Identity formats
You can use the Access Key format to audit and diagnose access. To find out how an Access Key was created, examine its identity format:

| Creation method | Identity format |
|---|---|
| OIDC tokens | role/[ISSUER-URL]:[SUBJECT-USER-ID] |
| Cloud Console tokens | coreweave/[CLOUD-TOKEN-ID] |
| CoreWeave internal tools | static/[KEY-ID] |
| SAML assertions | role/[SAML-ROLE] |
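
The table above can be applied mechanically during an audit. The following is an added example, not CoreWeave's own code: the function names and sample identities are hypothetical, and it assumes an OIDC issuer is an http(s) URL with no colon in its path, which is how it separates OIDC identities from SAML roles that share the role/ prefix.

```python
import re

# OIDC identities look like role/[ISSUER-URL]:[SUBJECT-USER-ID].
# Assumption: the issuer is an http(s) URL (optional port, no colon in its
# path); the subject may itself contain colons.
_OIDC = re.compile(r"^role/(https?://[^/:]+(?::\d+)?(?:/[^:]*)?):(.+)$")

# Lifetimes are the ones stated on this page; None means the page does not say.
_BY_PREFIX = {
    "role": ("SAML assertions", False, "12 hours"),
    "coreweave": ("Cloud Console tokens", True, "12 hours if time-limited"),
    "static": ("CoreWeave internal tools", None, None),
}

def classify_identity(identity):
    """Return creation method and expiry facts for one identity string."""
    m = _OIDC.match(identity)
    if m:
        return {"method": "OIDC tokens", "issuer": m.group(1),
                "subject": m.group(2), "may_be_persistent": False,
                "max_lifetime": "15 minutes"}
    prefix, sep, rest = identity.partition("/")
    if sep and rest and prefix in _BY_PREFIX:
        method, persistent, lifetime = _BY_PREFIX[prefix]
        return {"method": method, "id": rest,
                "may_be_persistent": persistent, "max_lifetime": lifetime}
    return {"method": "unknown", "may_be_persistent": None, "max_lifetime": None}

def needs_rotation_review(identities):
    """Identities not guaranteed to expire on their own, including
    unrecognized formats, which are surfaced rather than silently trusted."""
    return [i for i in identities
            if classify_identity(i)["may_be_persistent"] is not False]

# Constructed sample identities, not taken from any real audit log.
SAMPLE = [
    "role/https://token.actions.githubusercontent.com:repo:example-org/app:ref:refs/heads/main",
    "role/https://idp.example.com:8443/realm:svc-backup",
    "role/storage-admins",
    "coreweave/tok-0001",
    "static/key-0001",
    "bogus",
]

if __name__ == "__main__":
    for ident in SAMPLE:
        print(ident, "->", classify_identity(ident))
    print("review:", needs_rotation_review(SAMPLE))
```
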
Types of access keys
Access Keys fall into two categories based on creation method:
Static keys come from Cloud Console tokens and are intended for development, testing, and manual operations:
- Permanent keys: Don’t expire. Require manual rotation.
- Temporary keys: Expire after a set duration of up to 12 hours.
Keys from Workload Identity Federation are ephemeral and are recommended for production workloads:
- OIDC-generated keys: 15-minute lifespan, automatically refreshed by your application.
- SAML-generated keys: Up to 12-hour lifespan, automatically refreshed through SAML assertion exchange.
Manage your access keys
This section covers the full lifecycle of access key management:
- Create access keys: Generate new keys for users and workloads.
- Revoke access keys: Remove keys that are no longer needed.