
About Access Keys

Learn about AI Object Storage access keys

CoreWeave AI Object Storage uses Access Keys to authenticate requests for users and workloads. Access Keys are created either in Cloud Console, or by using Workload Identity Federation, which is recommended for production.

Before you can create or manage Access Keys, you need an API Access Token with admin permissions.

Using Cloud Console tokens

Cloud Console tokens offer an easier but slightly less security-conscious way to create either permanent or time-limited Access Keys for CoreWeave AI Object Storage. To create an Access Key using a Cloud Console token, follow the steps in How-To: Create Key with a Cloud Console token.

Keys generated with Cloud Console tokens are created by submitting API requests to CreateAccessKeyFromJWT, and have these characteristics:

  • Duration: Keys can be persistent, or they can be time-limited for up to 12 hours.
  • Identity format: coreweave/<cloud-token-id>.
  • Requirements: Requires access to the Cloud Console. The Cloud Console token used to create the Access Key must have write permissions for Object Storage to allow users to upload data. See: How to: Create an API Access Token for details.

Using Workload Identity Federation

Workload Identity Federation is highly recommended for production workloads, and for granting workloads machine-to-machine access to AI Object Storage.

Creating Access Keys using SAML assertions with Workload Identity Federation is a slightly more complex but much more secure method of creating keys.

Keys generated with SAML assertions are generated by submitting API requests to CreateAccessKeysFromSAML, and have these characteristics:

Identity formats

Recognizing the Access Key format can be useful for auditing and diagnostic purposes. The method by which an Access Key was created can be determined by examining its identity format:

  • Keys created using SAML assertions have this format: saml/<saml-role>.
  • Keys created using Cloud Console tokens have this format: coreweave/<cloud-token-id>.
  • Keys created using CoreWeave internal tools have this format: static/<key-id>.
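
For auditing, the identity formats above can be parsed to group keys by how they were created. The following is an added example, not CoreWeave code: the function names and the sample identity strings are constructed, and it assumes the identities have already been collected into a list. It flags identities that do not match a documented format and, for production, any key not created through Workload Identity Federation.

```python
from collections import Counter

# Prefix -> creation method, taken from the identity formats listed above.
METHODS = {
    "saml": "Workload Identity Federation (SAML assertion)",
    "coreweave": "Cloud Console token",
    "static": "CoreWeave internal tools",
}


def classify_identity(identity):
    """Return (prefix, subject) for a documented format, else ("unknown", identity)."""
    prefix, sep, subject = identity.strip().partition("/")
    # Require a known prefix, the "/" separator, and a non-empty subject.
    if not sep or not subject or prefix not in METHODS:
        return "unknown", identity
    return prefix, subject


def audit(identities, production=True):
    """Count identities per creation method and list the ones to review."""
    counts = Counter()
    review = []
    for identity in identities:
        method, _subject = classify_identity(identity)
        counts[method] += 1
        # Unrecognized formats are always reviewed. For production, anything
        # not created via Workload Identity Federation is reviewed as well.
        if method == "unknown" or (production and method != "saml"):
            review.append(identity)
    return counts, review


# Constructed sample identities (hypothetical values, not real keys).
SAMPLE = [
    "saml/training-job-role",
    "coreweave/token-1234",
    "static/key-42",
    "saml/",      # malformed: empty role
    "s3/other",   # prefix not among the documented formats
]

if __name__ == "__main__":
    counts, review = audit(SAMPLE)
    for method, n in counts.items():
        print(f"{METHODS.get(method, 'unrecognized format')}: {n}")
    print("Review:", review)
```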

Types of access keys

Understanding different key types helps you choose the right management approach:

  • Permanent keys: Don't expire automatically, require manual rotation
  • Temporary keys: Expire after a set duration (up to 12 hours)
  • SAML-generated keys: Created with Workload Identity Federation, automatically ephemeral

For production environments, consider using Workload Identity Federation for automated, secure key management. For less sensitive operations or for testing, you can use access keys created with Cloud Console tokens.

Managing your access keys

This section covers the full lifecycle of access key management: