Using Workload Identity Federation and OIDC
Create Access Keys using Workload Identity Federation and OIDC Tokens
This guide covers how to create Access Keys using OIDC tokens and Workload Identity Federation.
Create a key with an OIDC token and Workload Identity Federation
Keys are created with an OIDC token and Workload Identity Federation by submitting an HTTP POST request to the https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc endpoint. Within the request, the user provides:
- a duration in seconds, with a maximum lifetime of 12 hours
- the organization ID
- the Workload Federation configuration ID generated on the Cloud Console
- an OIDC token (JWT): the token projected by Kubernetes into the container environment, bound to the Service Account
```json
{
  "durationSeconds": 300,
  "orgId": "<MY_ORG_ID>",
  "oidcToken": "<JWT_TOKEN>"
}
```
CoreWeave then validates the OIDC token and parses the role and principal claims from the JWT. If validation succeeds, CoreWeave returns an API key pair consisting of an Access Key and a Secret Key, which the user uses to authenticate to CoreWeave AI Object Storage.
The key pair is considered valid for the length of the set duration. Once the key pair expires, the steps above must be repeated to provision a new one.
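The request flow above as a small Python client. This is an added example, not CoreWeave's own client code: it assumes the body carries exactly the three fields shown in the sample request (the page does not show where the Workload Federation configuration ID travels, so it is not included), that the projected service-account token is mounted at a pod-spec-dependent path (the path below is a placeholder), and that the response is JSON whose field names you inspect yourself, since the page does not name them.

```python
"""Request temporary AI Object Storage keys with a projected OIDC token.

Added example, not CoreWeave's client. Assumptions: the POST body fields are
durationSeconds, orgId and oidcToken (as in the page's sample); the projected
token path depends on your pod spec; the response is a JSON object.
"""
import json
import urllib.request

ENDPOINT = "https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc"
MAX_DURATION_SECONDS = 12 * 60 * 60  # maximum lifetime of 12 hours
# Placeholder mount path of the projected service-account token (pod-spec dependent).
DEFAULT_TOKEN_PATH = "/var/run/secrets/tokens/coreweave-token"


def read_projected_token(path: str = DEFAULT_TOKEN_PATH) -> str:
    """Read the JWT that Kubernetes projects into the container."""
    with open(path, "r", encoding="utf-8") as f:
        return f.read().strip()


def build_request_body(duration_seconds: int, org_id: str, oidc_token: str) -> dict:
    """Assemble the POST body, rejecting values the API will not accept."""
    if not (0 < duration_seconds <= MAX_DURATION_SECONDS):
        raise ValueError(f"durationSeconds must be in 1..{MAX_DURATION_SECONDS}")
    if oidc_token.count(".") != 2:
        raise ValueError("oidcToken does not look like a compact JWT (header.payload.signature)")
    if not org_id:
        raise ValueError("orgId is required")
    return {"durationSeconds": duration_seconds, "orgId": org_id, "oidcToken": oidc_token}


def request_temporary_credentials(body: dict, endpoint: str = ENDPOINT, timeout: float = 10.0) -> dict:
    """POST the body and return the parsed JSON response (the access/secret key pair).

    This performs a network call. The response field names are not given on the
    page, so the caller inspects the returned dict.
    """
    data = json.dumps(body).encode("utf-8")
    req = urllib.request.Request(
        endpoint,
        data=data,
        method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # Real run inside a pod; the org ID is a placeholder.
    body = build_request_body(300, "<MY_ORG_ID>", read_projected_token())
    creds = request_temporary_credentials(body)
    # Do not log the secret key; show only which fields came back.
    print(sorted(creds.keys()))
```

Keep the requested duration as short as the workload needs: the key pair is only as short-lived as `durationSeconds`, and once it expires the projected token is simply exchanged again.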
OIDC token required claims
In order to successfully authenticate any principal or subject and provide the necessary key pairs to use AI Object Storage, CoreWeave requires these specific claims to be present inside the JWT token:
```json
{
  "https://coreweave.com/claims/role": "role-name",
  "https://coreweave.com/claims/principal": "principal-name",
  "iss": "https://your-oidc-provider.com",
  "aud": "your-audience-value",
  "sub": "user-identifier",
  "exp": 1640995200,
  "iat": 1640991600
}
```
| Claim Name | Definition |
|---|---|
| https://coreweave.com/claims/role | Denotes the role for the credential this call generates. When a request is made using these credentials, the role attached to them is validated against the bucket access policy. Appears in audit logs as the role used to gain access. |
| https://coreweave.com/claims/principal | Denotes the principal that the credentials are for; that is, the actor making the requests. Can also be used in the bucket access policy if desired. Appears in audit logs as the principal that gained access. |
| iss | The issuer of the JWT token. Must match the issuer URL configured in your Workload Identity Federation configuration. |
| aud | The audience for the token. Must match the audience configured in your Workload Identity Federation configuration. |
Token validation requirements
Your OIDC token must meet these requirements:
| Requirement | Description |
|---|---|
| Signature | Token must be properly signed by your identity provider |
| Expiration | Token must not be expired (exp claim) |
| Issuer | iss claim must match your configured OIDC provider |
| Audience | aud claim must match your configured audience value |
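A local pre-flight check of the claim rules in the two tables above, as an added example that is not CoreWeave's validator: it decodes the JWT payload and reports why a token would be rejected (issuer or audience mismatch, expired or not-yet-valid, missing role or principal claim) so a failed exchange can be diagnosed without guessing. It deliberately does not verify the signature, which needs the identity provider's public keys and is checked by CoreWeave; the helper that builds a sample token for the check is constructed test input with a placeholder signature.

```python
"""Pre-flight check of an OIDC token's claims before exchanging it.

Added example, not CoreWeave's validator. Mirrors the documented claim rules
(iss, aud, exp, role and principal claims); signature verification is out of
scope here and is performed by CoreWeave against the issuer's keys.
"""
import base64
import json
import time
from typing import List, Optional

ROLE_CLAIM = "https://coreweave.com/claims/role"
PRINCIPAL_CLAIM = "https://coreweave.com/claims/principal"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT without checking its signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(token: str, expected_iss: str, expected_aud: str,
                 now: Optional[int] = None, leeway: int = 0) -> List[str]:
    """List the reasons the token fails the documented claim rules; empty means it passes."""
    now = int(time.time()) if now is None else now
    claims = decode_claims(token)
    problems: List[str] = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss mismatch: {claims.get('iss')!r} != {expected_iss!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or an array
    if expected_aud not in auds:
        problems.append(f"aud mismatch: {aud!r} does not include {expected_aud!r}")
    exp = claims.get("exp")
    if not isinstance(exp, int):
        problems.append("exp claim missing")
    elif now > exp + leeway:
        problems.append(f"token expired at {exp}")
    nbf = claims.get("nbf")
    if isinstance(nbf, int) and now + leeway < nbf:
        problems.append(f"token not valid before {nbf}")
    for claim in (ROLE_CLAIM, PRINCIPAL_CLAIM):
        if not claims.get(claim):
            problems.append(f"missing claim {claim}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a compact JWT with a placeholder signature (constructed input for local checks only)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signature = _b64url_encode(b"placeholder-signature-not-verified-here")
    return f"{header}.{payload}.{signature}"


if __name__ == "__main__":
    # Constructed claims matching the page's example values.
    sample = make_sample_token({
        "iss": "https://your-oidc-provider.com", "aud": "your-audience-value",
        "sub": "user-identifier", ROLE_CLAIM: "role-name", PRINCIPAL_CLAIM: "principal-name",
        "exp": 1640995200, "iat": 1640991600, "nbf": 1640991600,
    })
    for problem in check_claims(sample, "https://your-oidc-provider.com", "your-audience-value"):
        print("reject:", problem)
```

In a real pod the token comes from the projected volume, and `expected_iss` and `expected_aud` are the values in your Workload Identity Federation configuration; a clean check that still fails at CoreWeave points at the signature or the federation configuration rather than the claims.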
Example JWT token structure
Example decoded JWT token:

```json
{
  "iss": "https://your-oidc-provider.com",
  "aud": "your-client-id",
  "sub": "user-123456789",
  "https://coreweave.com/claims/role": "data-scientist",
  "exp": 1640995200,
  "iat": 1640991600,
  "nbf": 1640991600
}
```