Manage Organization Access Policies
Control access to all principals and resources across the entire organization
AI Object Storage organization access policies enforce permissions across your entire organization. They sit at the top of the policy hierarchy, taking effect before any bucket-level rules. Written in JSON with the same syntax as bucket access policies, they apply to both the S3-compatible API and the AI Object Storage API.
These policies automatically cover every resource, bucket, and user in your account. By centralizing access rules, you ensure that global security standards and compliance requirements are consistently applied. Because organization access policies override bucket access policies, they serve as the first line of defense for every request in your AI Object Storage environment.
How to set an organization access policy
AI Object Storage API

1. Prepare a JSON file (for example, `policy.json`) similar to the examples below.
2. Send the JSON document to `https://api.coreweave.com/v1/cwobject/access-policy` with an HTTP client such as `curl`:

```shell
curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \
  -H "Content-Type: application/json" \
  --data @policy.json
```

3. The endpoint returns a confirmation response.

For full request and response schemas, see the AI Object Storage API reference.

Cloud Console

To create an access policy, use the Cloud Console.
The Organization Access Policies section allows you to create, edit, and delete policies. Use the Search function to find policies by name.
The More menu on the right allows you to edit or delete a policy.
See Set a policy with the Cloud Console for a step-by-step guide.
See examples of organization access policies.
Structure of organization access policies
Organization access policies are JSON objects with three fields inside the top-level `policy` object: `version`, `name`, and `statements`. The `statements` field is an array of objects. Each statement includes the following:
- `name`: A unique identifier for the policy statement.
- `effect`: Indicates whether the policy allows or denies access. Must be either `Allow` or `Deny`.
- `principals`: The users, roles, or groups to which the policy applies.
- `actions`: The specific actions that the policy allows or denies.
- `resources`: The resources to which the policy applies, specified in short-form names (not full ARNs).
Version
The `version` specifies the policy language version and is mandatory. For organization access policies, set `"version": "v1alpha1"`. This internal CoreWeave identifier is not the same as the date-based format (for example, `"2012-10-17"`) used in standard S3 bucket access policies.

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "example-org-policy",
    "statements": [
      {
        "name": "allow-s3-get-object",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["s3:GetObject"],
        "resources": ["my-bucket/*"]
      }
    ]
  }
}
```
Name
At the top level, within the `policy` object, `name` is required. It provides a human-readable identifier for the overall organization access policy.

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "my-organization-wide-policy",
    "statements": [
      {
        "name": "allow-all-s3",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["s3:*"],
        "resources": ["*"]
      }
    ]
  }
}
```
Statements
The `statements` element is required, and acts as the main container for access rules. It can contain a single policy statement or an array of multiple statements, with each individual statement enclosed in curly braces.

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "multi-statement-policy",
    "statements": [
      {
        "name": "allow-s3-api-access",
        "effect": "Allow",
        "actions": ["s3:*"],
        "resources": ["*"],
        "principals": ["*"]
      },
      {
        "name": "allow-cwobject-api-actions",
        "effect": "Allow",
        "actions": ["cwobject:CreateAccessKey", "cwobject:ListAccessPolicy"],
        "resources": ["*"],
        "principals": ["coreweave/UserUID"]
      }
    ]
  }
}
```
Name (within Statement)
Within each individual statement, `name` is required. It serves as a short, human-readable identifier for that specific policy statement, similar to `Sid` in bucket access policies.
Each `name` must be unique within the JSON policy.

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "my-policy",
    "statements": [
      {
        "name": "MyUniqueStatementIdentifier",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["*"],
        "resources": ["*"]
      }
    ]
  }
}
```
Effect
The `effect` field is mandatory and must be either `Allow` or `Deny` (case-sensitive). It determines whether the statement grants or denies the specified actions on the listed resources for the designated principals. By default, all access is denied.
Setting `effect` to `Allow` grants permission; setting it to `Deny` explicitly rejects the request and overrides any `Allow`. During policy evaluation, an explicit `Deny` in an organization access policy immediately rejects the request.

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "deny-specific-deletion",
    "statements": [
      {
        "name": "prevent-object-deletion",
        "effect": "Deny",
        "principals": ["coreweave/UserUID"],
        "actions": ["s3:DeleteObject"],
        "resources": ["my-sensitive-bucket/*"]
      }
    ]
  }
}
```
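To make the evaluation order concrete (every request starts denied, a matching `Allow` grants it, and an explicit `Deny` wins over any `Allow`), here is an added Python example that is not part of the CoreWeave documentation or its tooling. It simulates a single organization access policy over a constructed sample that combines the `Deny` statement above with two `Allow` statements. Treating `*` in `principals`, `actions` and `resources` as a glob pattern (via `fnmatch`) is an assumption, and the model stops at the organization policy; it does not model the bucket-level rules that are evaluated afterwards.

```python
"""Simulate how a single organization access policy decides a request.

Added example, not CoreWeave code. It models only the rules the page states:
a request is denied unless a statement allows it, and an explicit Deny
overrides any Allow. Expanding '*' with fnmatch is an assumption.
"""
import json
from fnmatch import fnmatchcase

# Constructed sample policy in the structure used by the examples on this page.
ORG_POLICY = json.loads("""
{"policy": {"version": "v1alpha1", "name": "deny-specific-deletion",
  "statements": [
    {"name": "allow-all-read", "effect": "Allow", "principals": ["*"],
     "actions": ["s3:GetObject", "s3:ListBucket"],
     "resources": ["my-sensitive-bucket", "my-sensitive-bucket/*"]},
    {"name": "allow-owner-full", "effect": "Allow", "principals": ["coreweave/UserUID"],
     "actions": ["s3:*"], "resources": ["my-sensitive-bucket", "my-sensitive-bucket/*"]},
    {"name": "prevent-object-deletion", "effect": "Deny", "principals": ["coreweave/UserUID"],
     "actions": ["s3:DeleteObject"], "resources": ["my-sensitive-bucket/*"]}
  ]}}
""")


def _matches(patterns, value):
    """True if any pattern (a literal or a '*' glob) matches the value."""
    return any(fnmatchcase(value, p) for p in patterns)


def evaluate(policy, principal, action, resource):
    """Return ('Allow' | 'Deny', name of the deciding statement or None)."""
    allowed_by = None
    for stmt in policy["policy"]["statements"]:
        if not (_matches(stmt["principals"], principal)
                and _matches(stmt["actions"], action)
                and _matches(stmt["resources"], resource)):
            continue                       # statement does not apply to this request
        if stmt["effect"] == "Deny":
            return "Deny", stmt["name"]    # explicit Deny overrides any Allow
        if allowed_by is None:
            allowed_by = stmt["name"]      # remember the first matching Allow
    if allowed_by:
        return "Allow", allowed_by
    return "Deny", None                    # implicit deny: no statement matched


if __name__ == "__main__":
    for req in [("coreweave/UserUID", "s3:DeleteObject", "my-sensitive-bucket/report.csv"),
                ("coreweave/UserUID", "s3:PutObject", "my-sensitive-bucket/report.csv"),
                ("coreweave/OtherUID", "s3:GetObject", "my-sensitive-bucket/report.csv"),
                ("coreweave/OtherUID", "s3:PutObject", "my-sensitive-bucket/report.csv")]:
        print(req, "->", evaluate(ORG_POLICY, *req))
```

The owner's `s3:DeleteObject` request matches both `allow-owner-full` and `prevent-object-deletion`, and the `Deny` decides it; the same owner's `s3:PutObject` is allowed; a second user can read but, with no matching statement, is denied writes by default.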
Principals
The `principals` field is required. It defines which users, roles, or groups the policy applies to.
For organization access policies, only short-form identifiers are supported. If you use a full ARN, the policy will fail with an error.
- Cloud Console Users: Use the user's `UID`, found in the user's Settings in the Cloud Console, prefixed with `coreweave/`. For example, `coreweave/UserUID`.
- SAML Users or Groups: When using SAML with an Identity Provider (IdP), reference users or groups using the format `role/GroupName`. The `GroupName` must match the `PrincipalName` attribute in the SAML assertion.
- Wildcard: Use `"*"` to apply the policy to all principals.

Groups created in the Cloud Console (like `admin`) cannot be used in organization access policies. To assign policies to groups, use a SAML-enabled Identity Provider (IdP).

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "principal-access-examples",
    "statements": [
      {
        "name": "allow-specific-user",
        "effect": "Allow",
        "principals": ["coreweave/UserUID"],
        "actions": ["s3:*"],
        "resources": ["my-bucket", "my-bucket/*"]
      },
      {
        "name": "allow-saml-admin-group",
        "effect": "Allow",
        "principals": ["role/Admin"],
        "actions": ["s3:*", "cwobject:*"],
        "resources": ["*"]
      },
      {
        "name": "allow-all-users-read-access",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["s3:GetObject", "s3:ListBucket"],
        "resources": ["my-bucket", "my-bucket/*"]
      }
    ]
  }
}
```
Actions
The `actions` field is required. It defines which operations the policy allows or denies. You can use wildcards (like `s3:*` or `cwobject:*`) to cover multiple actions at once. Organization access policies can include actions from two APIs:
- S3 API: Use `s3:*` to reference all S3 actions.
- AI Object Storage API: Use `cwobject:*` for all CoreWeave-specific storage actions.

Recommendation: Keep `s3:` and `cwobject:` actions in separate policy statements. This makes the policy easier to read and understand.

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "action-set-example",
    "statements": [
      {
        "name": "allow-s3-read-actions",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["s3:List*", "s3:Get*", "s3:Head*"],
        "resources": ["my-bucket", "my-bucket/*"]
      },
      {
        "name": "allow-cwobject-key-management",
        "effect": "Allow",
        "principals": ["coreweave/UserUID"],
        "actions": [
          "cwobject:CreateAccessKey",
          "cwobject:RevokeAccessKeyByAccessKey",
          "cwobject:ListAccessKeyInfo"
        ],
        "resources": ["*"]
      }
    ]
  }
}
```
Resources
The `resources` field is required. It defines which resources the policy applies to. Important guidelines for defining resources:
- Use short names: Use simple resource names like `my-bucket`. Do not use full ARNs (such as `arn:aws:s3:::my-bucket`); they will cause errors.
- Specify both bucket and object levels: If a policy affects both bucket-level and object-level operations, list both: `"my-bucket"` for bucket-level actions and `"my-bucket/*"` for object-level actions.
- Use `"*"` for global operations: Actions like `cwobject:*` and `s3:ListAllMyBuckets` are global; they are not tied to a single resource, and they require `"resources": ["*"]` to be allowed.
- Special case, `s3:PutBucketPolicy`: This action is treated as global. To allow it, include `"s3:PutBucketPolicy"` in the `actions` and set `resources` to either `"*"` or the specific bucket name (e.g., `"my-bucket"`).

```json
{
  "policy": {
    "version": "v1alpha1",
    "name": "resource-scope-examples",
    "statements": [
      {
        "name": "allow-access-to-specific-bucket",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["s3:GetObject", "s3:PutObject"],
        "resources": ["my-specific-bucket", "my-specific-bucket/*"]
      },
      {
        "name": "allow-global-s3-and-cwobject-actions",
        "effect": "Allow",
        "principals": ["*"],
        "actions": ["s3:ListAllMyBuckets", "cwobject:ListBucketInfo"],
        "resources": ["*"]
      }
    ]
  }
}
```
Allowed AI Object Storage API actions
The following AI Object Storage API (`cwobject:`) actions are allowed in organization access policies:
- `cwobject:CreateAccessKey`
- `cwobject:CreateAccessKeySAML`
- `cwobject:ListAccessKeyInfo`
- `cwobject:GetAccessKeyInfo`
- `cwobject:UpdateAccessKeyStatus`
- `cwobject:RevokeAccessKeyByAccessKey`
- `cwobject:RevokeAccessKeysByPrincipal`
- `cwobject:EnsureAccessPolicy`
- `cwobject:ListAccessPolicy`
- `cwobject:DeleteAccessPolicy`
- `cwobject:ListBucketInfo`
- `cwobject:GetBucketInfo`
- `cwobject:EnableBucketAuditLogging`
- `cwobject:DisableBucketAuditLogging`
- `cwobject:EnableBucketAuditLoggingDefault`
- `cwobject:DisableBucketAuditLoggingDefault`
- `cwobject:EnableControlPlaneAuditLogging`
- `cwobject:DisableControlPlaneAuditLogging`

Please note: `cwobject` actions must use `"*"` as the resource value.
These actions are specific to the AI Object Storage API and are used to manage access keys, policies, and audit logging for your organization.
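The structural rules spread across this page (the `v1alpha1` version, the five required statement fields, unique statement names, case-sensitive `Allow`/`Deny`, short-form principals and resources rather than ARNs, the `"*"` resource required by `cwobject:` and other global actions, the `s3:PutBucketPolicy` special case, and the allowed `cwobject:` action list above) can all be checked locally before `policy.json` is sent to the access-policy endpoint. The following Python linter is an added example rather than CoreWeave tooling; the two sample policies it checks are constructed for the demonstration, and expanding a wildcard such as `cwobject:*` with `fnmatch` is an assumption about how the service matches actions.

```python
"""Lint an organization access policy against the rules stated on this page.

Added example, not CoreWeave tooling. Expanding a wildcard such as
'cwobject:*' with fnmatch is an assumption about the service's matching.
"""
import json
import sys
from fnmatch import fnmatchcase

ALLOWED_CWOBJECT_ACTIONS = {
    "cwobject:CreateAccessKey", "cwobject:CreateAccessKeySAML",
    "cwobject:ListAccessKeyInfo", "cwobject:GetAccessKeyInfo",
    "cwobject:UpdateAccessKeyStatus", "cwobject:RevokeAccessKeyByAccessKey",
    "cwobject:RevokeAccessKeysByPrincipal", "cwobject:EnsureAccessPolicy",
    "cwobject:ListAccessPolicy", "cwobject:DeleteAccessPolicy",
    "cwobject:ListBucketInfo", "cwobject:GetBucketInfo",
    "cwobject:EnableBucketAuditLogging", "cwobject:DisableBucketAuditLogging",
    "cwobject:EnableBucketAuditLoggingDefault", "cwobject:DisableBucketAuditLoggingDefault",
    "cwobject:EnableControlPlaneAuditLogging", "cwobject:DisableControlPlaneAuditLogging",
}
GLOBAL_S3_ACTIONS = {"s3:ListAllMyBuckets"}  # not tied to a bucket; need "*"
STATEMENT_FIELDS = ("name", "effect", "principals", "actions", "resources")


def lint_policy(doc):
    """Return a list of problem strings; an empty list means the policy passes."""
    problems = []
    policy = doc.get("policy")
    if not isinstance(policy, dict):
        return ['top level must be a "policy" object']
    if policy.get("version") != "v1alpha1":
        problems.append('"version" must be "v1alpha1" (not the S3 date-based version)')
    if not policy.get("name"):
        problems.append('policy "name" is required')
    statements = policy.get("statements")
    if not isinstance(statements, list) or not statements:
        return problems + ['"statements" must be a non-empty array']

    seen = set()
    for i, stmt in enumerate(statements):
        missing = [f for f in STATEMENT_FIELDS if f not in stmt]
        if missing:
            problems.append(f"statement[{i}]: missing fields {missing}")
            continue
        where = f'statement "{stmt["name"]}"'
        if stmt["name"] in seen:
            problems.append(f"{where}: duplicate statement name")
        seen.add(stmt["name"])
        if stmt["effect"] not in ("Allow", "Deny"):
            problems.append(f'{where}: effect must be "Allow" or "Deny" (case-sensitive)')
        for p in stmt["principals"]:
            if not (p == "*" or p.startswith("coreweave/") or p.startswith("role/")):
                problems.append(f"{where}: principal {p!r} must be *, coreweave/<UID> or role/<GroupName>")
        for r in stmt["resources"]:
            if r.startswith("arn:"):
                problems.append(f"{where}: resource {r!r} is an ARN; use the short bucket name")
        resources = set(stmt["resources"])
        cw = [a for a in stmt["actions"] if a.startswith("cwobject:")]
        s3 = [a for a in stmt["actions"] if a.startswith("s3:")]
        if cw and s3:
            problems.append(f"{where}: mixes s3: and cwobject: actions; use separate statements")
        if cw and resources != {"*"}:
            problems.append(f'{where}: cwobject: actions require "resources": ["*"]')
        for a in cw:  # a literal or wildcard must cover at least one allowed action
            if not any(fnmatchcase(x, a) for x in ALLOWED_CWOBJECT_ACTIONS):
                problems.append(f"{where}: {a!r} is not an allowed cwobject: action")
        for a in s3:
            if a in GLOBAL_S3_ACTIONS and "*" not in resources:
                problems.append(f'{where}: {a} is global and needs "*" in resources')
            if a == "s3:PutBucketPolicy" and any("/" in r for r in resources):
                problems.append(f'{where}: s3:PutBucketPolicy takes "*" or a bucket name, not object paths')
    return problems


# Constructed sample policies for the demonstration (no real account data).
GOOD_POLICY = json.loads("""
{"policy": {"version": "v1alpha1", "name": "action-set-example", "statements": [
  {"name": "allow-s3-read-actions", "effect": "Allow", "principals": ["*"],
   "actions": ["s3:List*", "s3:Get*", "s3:Head*"], "resources": ["my-bucket", "my-bucket/*"]},
  {"name": "allow-cwobject-key-management", "effect": "Allow", "principals": ["coreweave/UserUID"],
   "actions": ["cwobject:CreateAccessKey", "cwobject:ListAccessKeyInfo"], "resources": ["*"]}]}}
""")
BAD_POLICY = json.loads("""
{"policy": {"version": "2012-10-17", "name": "broken-policy", "statements": [
  {"name": "dup", "effect": "allow", "principals": ["arn:aws:iam::000000000000:user/placeholder"],
   "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::my-bucket/*"]},
  {"name": "dup", "effect": "Allow", "principals": ["*"],
   "actions": ["s3:ListAllMyBuckets", "cwobject:ListBucketInfo"], "resources": ["my-bucket"]}]}}
""")

if __name__ == "__main__":
    # Lint the file named on the command line (for example policy.json) before POSTing it;
    # with no argument, lint the constructed BAD_POLICY to show the report format.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    doc = json.load(open(path)) if path else BAD_POLICY
    for problem in lint_policy(doc) or ["policy passes all checks"]:
        print(problem)
```

Run as `python lint_policy.py policy.json` before the `curl` step; the constructed `BAD_POLICY` reports eight problems (wrong version, lowercase `allow`, an ARN principal and resource, a duplicate statement name, mixed `s3:` and `cwobject:` actions, a `cwobject:` action without `"*"`, and `s3:ListAllMyBuckets` without `"*"`), while the page's own action-set example passes cleanly.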