Organization Access Policies Examples
View examples of AI Object Storage organization access policies
This page lists examples of organization access policies for various use cases. You can use these examples as templates to create your own organization access policies tailored to your specific needs.
Learn about the structure of organization access policies and how to set them.
Full control
Full control of all resources for admins
This policy contains one statement that grants full S3 API access (`s3:*`) to all SAML admins for all resources in the organization. The `resources` field is set to `"*"` to allow access to all S3 buckets and objects, and the `principals` field is set to `["role/Admin"]` to allow access to all users in the SAML Admin group.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "full-s3-api-access",
    "statements": [
      {
        "name": "allow-full-s3-api-access-to-all",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
        "principals": ["role/Admin"]
      }
    ]
  }
}
```
Full control of one specific bucket for all users
This policy contains two statements that, when combined, grant access to a specific bucket, `"my-specific-bucket"`.

- The first grants access for the creation of access keys and listing of access policies to all users.
- The second grants full S3 API access (`s3:*`) to all users.

The `resources` field includes both the bucket itself and all objects within that bucket, allowing for both bucket-level operations (like listing the bucket) and object-level operations (like getting or putting objects within that bucket).
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "full-access-my-specific-bucket",
    "statements": [
      {
        "name": "allow-token-creation",
        "effect": "Allow",
        "actions": [
          "cwobject:CreateAccessKey",
          "cwobject:CreateAccessKeySAML",
          "cwobject:ListAccessPolicy"
        ],
        "resources": ["my-specific-bucket", "my-specific-bucket/*"],
        "principals": ["*"]
      },
      {
        "name": "full-s3-access-for-all-users",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["my-specific-bucket", "my-specific-bucket/*"],
        "principals": ["*"]
      }
    ]
  }
}
```
Full S3 API access to all users
This policy contains one statement that grants full S3 API access (`s3:*`) to all principals and resources in the organization. The `resources` field is set to `"*"` to allow access to all S3 buckets and objects, and the `principals` field is also set to `"*"` to allow access to all users.
This is useful when you want to grant full access by default, then restrict specific buckets with bucket access policies.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "full-s3-api-access",
    "statements": [
      {
        "name": "allow-full-s3-api-access-to-all",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
        "principals": ["*"]
      }
    ]
  }
}
```
Full control of all buckets for a specific user
This policy grants full S3 access (`s3:*`) to a specific Cloud Console user, identified by their UID (`coreweave/UserUID`).

The UID can be found in the user's settings within the Cloud Console. The `resources` field uses the wildcard `"*"` to grant access across all buckets, but it could also be narrowed to a specific bucket using the short-form resource names, as shown in the previous example.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "s3-full-control-specific-user",
    "statements": [
      {
        "name": "full-s3-access-for-user",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
        "principals": ["coreweave/UserUID"]
      }
    ]
  }
}
```
Read-only access
Read-only access to all buckets
This policy provides read-only access to all S3 buckets for all principals. The actions `s3:List*`, `s3:Get*`, and `s3:Head*` are commonly used to define read-only permissions.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "s3-read-only-all-buckets",
    "statements": [
      {
        "name": "read-only-access",
        "effect": "Allow",
        "actions": ["s3:List*", "s3:Get*", "s3:Head*"],
        "resources": ["*"],
        "principals": ["*"]
      }
    ]
  }
}
```
Read-only access to a specific bucket
This policy restricts everyone in the organization to read-only access for `"my-specific-bucket"`. Note the short-form bucket name used in the `resources` array, which is required in organization access policies.

Two resources are listed:

- The bucket itself (`"my-specific-bucket"`)
- All objects within that bucket (`"my-specific-bucket/*"`)

This allows for both bucket-level operations (like listing the bucket) and object-level operations (like getting or listing objects within that bucket). The `principals` field is set to `"*"` to allow access to all users.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "specific-bucket-access",
    "statements": [
      {
        "name": "read-only-my-specific-bucket",
        "effect": "Allow",
        "actions": ["s3:List*", "s3:Get*", "s3:Head*"],
        "resources": ["my-specific-bucket", "my-specific-bucket/*"],
        "principals": ["*"]
      }
    ]
  }
}
```
Allow non-admins limited AI Object Storage API access
This policy contains one statement for AI Object Storage API actions (`cwobject:`). It grants all non-admins the ability to create access keys and list access policies, but does not grant any other `cwobject:` access. Remember that `cwobject:` actions are global and require `"resources": ["*"]`.

Admins (as defined in Cloud Console) already have unrestricted `cwobject:` access, so this policy effectively limits non-admin users to only these specified actions.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "limited-cwobject-access",
    "statements": [
      {
        "name": "allow-token-creation",
        "effect": "Allow",
        "actions": [
          "cwobject:CreateAccessKey",
          "cwobject:CreateAccessKeySAML",
          "cwobject:ListAccessPolicy",
          "cwobject:ListAccessKeyInfo"
        ],
        "resources": ["*"],
        "principals": ["*"]
      }
    ]
  }
}
```
AI Object Storage API and S3 API access for a SAML group
This policy contains two statements that, when combined, grant all S3 API and AI Object Storage API actions to a specific SAML group, `role/Admin`.

- The first statement (`cwobject-access-for-saml-group`) grants all AI Object Storage API actions (`cwobject:*`).
- The second statement (`s3-access-for-saml-group`) grants all S3-compatible actions (`s3:*`).
This grants broad administrative access at the organization level, while controlling membership with your Identity Provider (IdP) group.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "full-access-saml-admin-group",
    "statements": [
      {
        "name": "cwobject-access-for-saml-group",
        "effect": "Allow",
        "actions": ["cwobject:*"],
        "resources": ["*"],
        "principals": ["role/Admin"]
      },
      {
        "name": "s3-access-for-saml-group",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
        "principals": ["role/Admin"]
      }
    ]
  }
}
```
Advanced example
This example combines three statements, each similar to one of the previous examples, into a single policy.

- The first statement, `s3-access`, grants full S3 API access to all principals and buckets.
- The second statement, `cwobject-access`, grants limited AI Object Storage API access to all non-admins. Admin users do not need to be listed here, because they have a special internal policy granting unrestricted access.
- The third statement, `read-only`, makes a specific bucket read-only for a specific SAML group.
This is similar to a real-world scenario that allows all users to manage S3 buckets, but restricts AI Object Storage API access to non-admins, while restricting a specific SAML group to read-only access to a specific bucket.
```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "complex-access-policy",
    "statements": [
      {
        "name": "s3-access",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
        "principals": ["*"]
      },
      {
        "name": "cwobject-access",
        "effect": "Allow",
        "actions": [
          "cwobject:CreateAccessKey",
          "cwobject:CreateAccessKeySAML",
          "cwobject:ListAccessPolicy",
          "cwobject:ListAccessKeyInfo"
        ],
        "resources": ["*"],
        "principals": ["*"]
      },
      {
        "name": "read-only",
        "effect": "Allow",
        "actions": ["s3:List*", "s3:Get*", "s3:Head*"],
        "resources": ["my-specific-bucket", "my-specific-bucket/*"],
        "principals": ["role/SAMLGroup"]
      }
    ]
  }
}
```
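The following is an added example, not part of this page or of CoreWeave's tooling: a small pre-deployment checker for policies in the format shown above. It enforces the two structural rules the page states (`cwobject:` actions require `"resources": ["*"]`; resources use short-form bucket names) and lists which statements would match a given principal, action and resource. The glob-style matching of `*` and the default-deny (a request is only allowed when some statement matches) are assumptions made for this example; the sample policy is constructed and deliberately contains two rule violations.

```python
import fnmatch
import json

# Constructed sample policy for this example (not from the page): one cwobject statement
# scoped to a bucket (violates the "cwobject requires resources ['*']" rule) and one
# resource written as a long-form ARN instead of the required short-form bucket name.
SAMPLE_POLICY_JSON = """
{"policy": {"version": "v1alpha1", "name": "lint-demo", "statements": [
  {"name": "bad-cwobject-scope", "effect": "Allow",
   "actions": ["cwobject:ListAccessPolicy"],
   "resources": ["my-specific-bucket"], "principals": ["*"]},
  {"name": "long-form-resource", "effect": "Allow",
   "actions": ["s3:Get*"],
   "resources": ["arn:aws:s3:::my-specific-bucket/*"], "principals": ["role/Readers"]},
  {"name": "read-only", "effect": "Allow",
   "actions": ["s3:List*", "s3:Get*", "s3:Head*"],
   "resources": ["my-specific-bucket", "my-specific-bucket/*"], "principals": ["role/SAMLGroup"]}
]}}
"""

def lint_policy(doc: dict) -> list[str]:
    """Return findings against the rules this page states (assumed checks, not an official tool)."""
    policy = doc["policy"]
    findings = []
    if policy.get("version") != "v1alpha1":
        findings.append("version: expected v1alpha1")
    for st in policy.get("statements", []):
        name = st.get("name") or "<unnamed>"
        for key in ("name", "effect", "actions", "resources", "principals"):
            if not st.get(key):
                findings.append(f"{name}: missing {key}")
        # cwobject: actions are global, so the page requires resources to be exactly ["*"]
        if any(a.startswith("cwobject:") for a in st.get("actions", [])) and st.get("resources") != ["*"]:
            findings.append(f"{name}: cwobject actions are global and require resources ['*']")
        for r in st.get("resources", []):
            if r.startswith("arn:"):  # organization policies use short-form bucket names
                findings.append(f"{name}: use the short-form bucket name instead of {r}")
    return findings

def matching_statements(doc: dict, principal: str, action: str, resource: str) -> list[str]:
    """Names of statements whose principals, actions and resources all glob-match the request."""
    def hit(patterns, value):
        return any(fnmatch.fnmatchcase(value, p) for p in patterns)
    return [st["name"] for st in doc["policy"]["statements"]
            if hit(st["principals"], principal) and hit(st["actions"], action)
            and hit(st["resources"], resource)]

if __name__ == "__main__":
    doc = json.loads(SAMPLE_POLICY_JSON)
    print("\n".join(lint_policy(doc)) or "no findings")
    print(matching_statements(doc, "role/SAMLGroup", "s3:GetObject", "my-specific-bucket/data.bin"))
```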