Bucket Policies

Bucket policy IAM in CoreWeave AI Object Storage

Bucket policies

Bucket policies are JSON files that can be configured to specify permissions. They are, broadly, an access control mechanism that allows a user or organization to define permissions for specific actions on a bucket. They apply to every object within a bucket, define which actors may take any action on a bucket, and stipulate the conditions under which those actions occur. Only the bucket owner can associate a policy with a bucket.

Important

CoreWeave requires the LocationConstraint to be set on all CreateBucket requests. When a bucket is created, the LocationConstraint needs to be set to one of CoreWeave's supported Data Centers. When a client contacts cwobject.com, they will be automatically routed to the location responsible for their bucket. Requests without a bucket will be served by the closest CoreWeave AI Object Storage location.

S3 Bucket lifecycle configuration

Creating a Bucket Lifecycle configuration is an effective way of managing your objects so that they're stored effectively for as long as you need them. A Lifecycle configuration is a set of rules that define actions that CoreWeave AI Object Storage applies to a group of objects. There are two types of actions within Bucket Lifecycle configuration:

  1. Transition actions – These actions define when objects transition to another storage class. We do not support these at this time.
  2. Expiration actions – These actions define when objects expire. CoreWeave AI Object Storage optimizes efficiency by deleting expired objects on your behalf. Because users may have up to 1,000 rules set for a bucket at any time, some rules may become obsolete. With this in mind, CoreWeave AI Object Storage evaluates rules with a predictable outcome: when rules are in conflict, the rule that will delete an object sooner takes precedence.

Below is an example of a lifecycle configuration file. This example shows all of the options available in CoreWeave AI Object Storage. You can find an explanation of the fields below.

Bucket lifecycle configuration

Example
{
  "Rules": [
    {
      "Expiration": {
        "Date": timestamp,
        "Days": integer,
        "ExpiredObjectDeleteMarker": true|false
      },
      "ID": "string",
      "Prefix": "string",
      "Filter": {
        "Prefix": "string",
        "Tag": {
          "Key": "string",
          "Value": "string"
        },
        "ObjectSizeGreaterThan": long,
        "ObjectSizeLessThan": long,
        "And": {
          "Prefix": "string",
          "Tags": [
            {
              "Key": "string",
              "Value": "string"
            }
            ...
          ],
          "ObjectSizeGreaterThan": long,
          "ObjectSizeLessThan": long
        }
      },
      "Status": "Enabled"|"Disabled",
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": integer,
        "NewerNoncurrentVersions": integer
      },
      "AbortIncompleteMultipartUpload": {
        "DaysAfterInitiation": integer
      }
    }
    ...
  ]
}

| Rule | Definition |
| --- | --- |
| Expiration | This type of rule specifies that an object will be deleted when it reaches either a listed Date, a number of days old, or an expired Delete marker is present. The date must be in ISO 8601 format and the time in UTC 0000. |
| ExpiredObjectDeleteMarker | Indicates whether CoreWeave will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired; if set to false the policy takes no action. This cannot be specified with Days or Date. |
| ID | Identifier for the rule itself. Can be up to 255 characters. |
| Filter | Specifies objects for which a rule should apply. Must contain only one of a Prefix, Tag, or And value. An empty Filter indiscriminately applies to all objects in a bucket. |
| Prefix | A prefix for an object to match on. For instance foo/ will match both foo/bar and foo/baz. Only one prefix per rule can match. |
| Tag | A dict specifying a specific tag (key) and its value. Multiple tags can be used at once with And. |
| And | Allows you to match on multiple tags and up to one prefix. |
| ObjectSize | You can specify a range of sizes in bytes using ObjectSizeGreaterThan and ObjectSizeLessThan. |
| Status | Status shows whether this rule should be enabled or not. If the rule is disabled it will not be applied. |
| NoncurrentVersionExpiration | Specifies how long and how many non-current versions of a versioned (or versioning suspended) object to keep. |
| NoncurrentDays | How many days after an object becomes noncurrent before deletion. |
| NewerNoncurrentVersions | Deletion will only occur after the specified number of non-current versions is reached. The process starts with the oldest version. |
| AbortIncompleteMultipartUpload | Specify a number of days after starting a multi-part upload using DaysAfterInitiation to delete all parts if uploading is aborted. |

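
Because expiration rules delete data and the soonest-deleting rule wins, it helps to check a configuration before applying it. The following is an added example, not CoreWeave's code: it lints rules against the constraints in the table above and reports which enabled rule would delete a given object first. The function names, the sample rules, and the simplification that Days is counted from the object's creation time are assumptions.

```python
from datetime import datetime, timedelta, timezone

def lint_rule(rule):
    """Findings for one lifecycle rule, checked against the field table above."""
    out, exp, flt = [], rule.get("Expiration", {}), rule.get("Filter", {})
    if len(rule.get("ID", "")) > 255:
        out.append("ID longer than 255 characters")
    if "ExpiredObjectDeleteMarker" in exp and ("Days" in exp or "Date" in exp):
        out.append("ExpiredObjectDeleteMarker combined with Days or Date")
    if len({"Prefix", "Tag", "And"} & flt.keys()) > 1:
        out.append("Filter has more than one of Prefix, Tag, And")
    if not flt and not rule.get("Prefix") and rule.get("Status") == "Enabled":
        out.append("empty Filter: rule applies to every object in the bucket")
    return out

def matches(rule, key, tags, size):
    """Simplified matcher: Prefix, Tag/Tags and size bounds from Filter or Filter.And."""
    flt = rule.get("Filter", {})
    cond = flt.get("And", flt)
    prefix = cond.get("Prefix", rule.get("Prefix", ""))
    want = cond.get("Tags", [cond["Tag"]] if "Tag" in cond else [])
    return (key.startswith(prefix)
            and all(tags.get(t["Key"]) == t["Value"] for t in want)
            and cond.get("ObjectSizeGreaterThan", -1) < size
            < cond.get("ObjectSizeLessThan", float("inf")))

def effective_expiry(rules, key, tags, size, created):
    """(when, rule ID) of the enabled matching rule that deletes soonest, or None."""
    hits = []
    for rule in rules:
        exp = rule.get("Expiration", {})
        if rule.get("Status") != "Enabled" or not matches(rule, key, tags, size):
            continue
        if "Days" in exp:  # assumption: counted from creation, no midnight rounding
            hits.append((created + timedelta(days=exp["Days"]), rule["ID"]))
        if "Date" in exp:  # ISO 8601 timestamp with an explicit UTC offset
            hits.append((datetime.fromisoformat(exp["Date"]), rule["ID"]))
    return min(hits, default=None)

# Constructed sample rules and object creation time (not from CoreWeave's documentation).
CREATED = datetime(2025, 1, 1, tzinfo=timezone.utc)
RULES = [
    {"ID": "logs-90d", "Status": "Enabled", "Filter": {"Prefix": "logs/"}, "Expiration": {"Days": 90}},
    {"ID": "tmp-7d", "Status": "Enabled", "Expiration": {"Days": 7},
     "Filter": {"And": {"Prefix": "logs/", "Tags": [{"Key": "class", "Value": "tmp"}]}}},
    {"ID": "catch-all", "Status": "Enabled", "Filter": {}, "Expiration": {"Days": 365}},
    {"ID": "bad", "Status": "Disabled", "Filter": {"Prefix": "a/", "Tag": {"Key": "k", "Value": "v"}},
     "Expiration": {"Days": 1, "ExpiredObjectDeleteMarker": True}},
]
```

Running `lint_rule` over every rule before upload surfaces the bucket-wide `catch-all` rule and the two constraint violations in `bad`; `effective_expiry` shows that a `logs/` object tagged `class=tmp` is governed by `tmp-7d`, not `logs-90d`.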
Learn more

For a full list of Bucket Policy structures, see the Bucket Policy reference guide.