Workload Identity Federation for AI Object Storage
Secure access to AI Object Storage using external identity providers
Overview
Workload Identity Federation enables your applications to access CoreWeave AI Object Storage using tokens from your existing identity provider, eliminating the need to store long-lived credentials in your applications or configuration files.
How it works
Instead of managing static API keys, your applications obtain tokens from your identity provider and exchange them for temporary CoreWeave access credentials. These credentials automatically refresh as tokens expire, providing seamless access to AI Object Storage without manual credential management.
Supported protocols
CoreWeave supports two industry-standard protocols for Workload Identity Federation:
- SAML works well for enterprise environments with existing SAML infrastructure, using XML-based assertions that support complex attribute mappings with traditional enterprise IdPs.
- OIDC is the preferred option for cloud-native applications and modern identity providers, using JSON Web Tokens (JWT) that integrate more easily with programmatic access patterns and are simpler to debug.
OIDC's JSON-based approach makes it particularly well-suited for API-first workflows and automated systems, while SAML's mature ecosystem serves organizations with established enterprise identity management requirements.
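Because an OIDC token is a JWT, its claims can be read locally when a federated request is rejected. The following is an added example, not CoreWeave code: it decodes the payload without verifying the signature (debugging only) and assumes the federation configuration matches on issuer and audience. The issuer, audience, subject and sample token are constructed placeholders.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature (debug only)."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def preflight(jwt, expected_iss, expected_aud, now=None, skew=30):
    """List the reasons a token would likely be rejected when presented."""
    now = time.time() if now is None else now
    claims = decode_claims(jwt)
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # aud may be str or list
    if expected_aud not in aud_list:
        problems.append(f"aud mismatch: {aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        problems.append("exp missing")
    elif exp <= now + skew:  # leave a margin for clock skew
        problems.append("token expired or about to expire")
    if not claims.get("sub"):
        problems.append("sub missing")
    return problems

def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample so the example runs offline.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

if __name__ == "__main__":
    sample = make_sample_token({"iss": "https://idp.example.com", "aud": "storage-federation",
                                "sub": "svc:trainer", "exp": int(time.time()) + 600})
    print(preflight(sample, "https://idp.example.com", "storage-federation") or "claims look consistent")
```

A clean result only means the claims are consistent with the expected values; the receiving side still has to verify the signature against the IdP's keys.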
Benefits and getting started
Workload Identity Federation enhances security by eliminating stored credentials while providing centralized identity and access control through your existing IdP. This approach delivers complete audit visibility and automatic token rotation without application changes.
To get started, configure Workload Identity Federation in the CoreWeave Console, choose your implementation approach (SAML or OIDC), then configure your applications to use federated tokens instead of static credentials.
Alternatively, you can create Access Keys using Workload Identity Federation or create Access Keys using OIDC directly.