About organization access policies
Learn about AI Object Storage organization access policies
AI Object Storage organization access policies enforce permissions across your entire organization, automatically covering every resource, bucket, and user in your account. By centralizing access rules, you ensure that global security standards and compliance requirements are consistently applied.
They sit at the top of the policy hierarchy, taking effect before any bucket-level rules. Written in JSON with the same syntax as bucket access policies, they apply to both the S3-compatible API and the AI Object Storage API. Because organization access policies override bucket access policies, they serve as the first line of defense for every request in your AI Object Storage environment.
Set your organization access policies after you create access tokens and keys, and before you perform any bucket operations.
Key considerations
AI Object Storage organization access policies have some specific aspects and considerations that are important to understand:
| Policy Aspect | Description |
|---|---|
| Admin Access | A special static internal policy grants Cloud Console admin users unrestricted access to all cwobject: API actions, but admin status does not grant S3 API access; S3 API access must be explicitly granted via org or bucket access policies. |
| Group Usage | Cloud Console groups are not allowed in organization access policies; use UIDs (from Cloud Console) or SAML users and groups instead. |
| s3:PutBucketPolicy | The s3:PutBucketPolicy action is a global operation that only evaluates organization policies (ignoring bucket-level policies) and requires org policies to explicitly allow s3:PutBucketPolicy or s3:* with "resources": ["*"] or specific bucket names. This behavior is designed to prevent users from accidentally locking themselves out of a bucket with a misconfigured bucket access policy. |
| Global Operations | All cwobject: API actions and the s3:ListAllMyBuckets operation are global operations that must specify "resources": ["*"]. |
| Policy Evaluation Order | CoreWeave evaluates policies in two steps, with organization policies evaluated first (before any bucket-level policies). |
| Policy Management Recommendation | Prefer managing access via organization policies for broad, centralized control; use bucket policies only for bucket-specific features such as bucket lifecycle configuration. |
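To make the two-step evaluation order and the global-operation rule concrete, the following is an added Python model of the checks described in the table above. It is illustrative code, not CoreWeave's evaluator and not the AI Object Storage policy format: the statement shape (`effect`, `actions`, `resources`), the explicit-deny-wins rule within one policy, and the bucket names are assumptions. Only the action names, the `"resources": ["*"]` requirement for global operations, the fact that s3:PutBucketPolicy consults organization policies alone, and the organization-before-bucket order are taken from this page.

```python
"""Toy linter and two-step evaluator for organization access policies.

Added example, not CoreWeave code. The statement layout below is an
ASSUMPTION used only for illustration; consult the product documentation
for the real JSON syntax.
"""
from fnmatch import fnmatchcase


def is_global_action(action: str) -> bool:
    # Per the docs: every cwobject: API action and s3:ListAllMyBuckets are
    # global operations that must be granted with "resources": ["*"].
    return action.startswith("cwobject:") or action == "s3:ListAllMyBuckets"


def matches_any(patterns, value: str) -> bool:
    # Wildcards such as "s3:*" or "data-*" match with shell-style globbing (assumed).
    return any(fnmatchcase(value, p) for p in patterns)


def lint_org_policy(policy: dict) -> list:
    """Return a list of findings for mistakes the documentation warns about."""
    findings = []
    statements = policy.get("statements", [])
    for i, stmt in enumerate(statements):
        resources = stmt.get("resources", [])
        for action in stmt.get("actions", []):
            if is_global_action(action) and resources != ["*"]:
                findings.append(
                    f'statement {i}: global operation {action} must use "resources": ["*"]'
                )
    # s3:PutBucketPolicy is evaluated against org policies only, so the org
    # policy must allow it (directly or via s3:*) or nobody can set bucket policies.
    can_set_bucket_policy = any(
        s.get("effect") == "allow" and matches_any(s.get("actions", []), "s3:PutBucketPolicy")
        for s in statements
    )
    if not can_set_bucket_policy:
        findings.append(
            "no allow statement covers s3:PutBucketPolicy (or s3:*): bucket policies cannot be set"
        )
    return findings


def evaluate(statements, action: str, resource: str):
    """Return 'allow', 'deny', or None when no statement matches.
    An explicit deny wins over an allow within the same policy (assumed)."""
    decision = None
    for stmt in statements:
        if not matches_any(stmt.get("actions", []), action):
            continue
        if not matches_any(stmt.get("resources", []), resource):
            continue
        if stmt.get("effect") == "deny":
            return "deny"
        decision = "allow"
    return decision


def authorize(org_policy: dict, bucket_policies: dict, action: str, bucket: str):
    """Two-step evaluation: organization policy first, then the bucket policy.
    Returns (decision, level) so the caller can see which step decided."""
    resource = "*" if is_global_action(action) else bucket
    # Step 1: organization policy. A decision here overrides any bucket rule.
    org_decision = evaluate(org_policy.get("statements", []), action, resource)
    if org_decision is not None:
        return org_decision, "organization"
    # Global operations and s3:PutBucketPolicy never consult bucket policies.
    if is_global_action(action) or action == "s3:PutBucketPolicy":
        return "deny", "organization"
    # Step 2: bucket policy, only for bucket-scoped requests.
    bucket_policy = bucket_policies.get(bucket, {})
    bucket_decision = evaluate(bucket_policy.get("statements", []), action, resource)
    return (bucket_decision or "deny"), "bucket"


# Constructed sample policies (bucket names and statements are made up).
ORG_POLICY = {
    "statements": [
        {"effect": "allow", "actions": ["cwobject:*"], "resources": ["*"]},
        {"effect": "allow", "actions": ["s3:PutBucketPolicy"], "resources": ["*"]},
        {"effect": "deny", "actions": ["s3:DeleteObject"], "resources": ["audit-logs"]},
    ]
}
# Misconfigured: a global operation scoped to one bucket, and no PutBucketPolicy grant.
BAD_ORG_POLICY = {
    "statements": [
        {"effect": "allow", "actions": ["s3:ListAllMyBuckets"], "resources": ["audit-logs"]},
    ]
}
BUCKET_POLICIES = {
    "audit-logs": {
        "statements": [
            {"effect": "allow", "actions": ["s3:GetObject", "s3:DeleteObject"],
             "resources": ["audit-logs"]},
        ]
    },
}

if __name__ == "__main__":
    for finding in lint_org_policy(BAD_ORG_POLICY):
        print("finding:", finding)
    print(authorize(ORG_POLICY, BUCKET_POLICIES, "s3:DeleteObject", "audit-logs"))
    print(authorize(ORG_POLICY, BUCKET_POLICIES, "s3:GetObject", "audit-logs"))
```

Running the module shows the organization-level deny on `s3:DeleteObject` overriding the bucket policy's allow, while `s3:GetObject` falls through to the bucket policy; the linter flags the scoped `s3:ListAllMyBuckets` statement and the missing `s3:PutBucketPolicy` grant in the misconfigured policy.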
Learn how to set an organization access policy or view examples of organization access policies.