Access Control
Authentication and authorization for AI Object Storage
Access Keys
CoreWeave AI Object Storage uses Access Keys to authenticate users. Access Keys are created in one of two ways:
Using Cloud Console tokens
Cloud Console tokens offer an easier but slightly less security-conscious way to create either permanent or time-limited Access Keys for CoreWeave AI Object Storage. To create an Access Key using a Cloud Console token, follow the steps in How-To: Create Key with a Cloud Console token.
Keys generated with Cloud Console tokens are created by submitting API requests to CreateAccessKeyFromJWT, and have these characteristics:
- Duration: Keys can be persistent, or they can be time-limited for up to 12 hours.
- Identity format: coreweave/<cloud-token-id>.
- Requirements: Requires access to the Cloud Console. The Cloud Console token used to create the Access Key must have write permissions for Object Storage to allow users to upload data. See: How to: Create an API Access Token for details.
Using Workload Identity Federation
Workload Identity Federation is highly recommended for production workloads and for granting workloads machine-to-machine access to AI Object Storage.
Creating Access Keys using SAML assertions with Workload Identity Federation is a slightly more complex but much more secure method of creating keys.
Keys generated with SAML assertions are generated by submitting API requests to CreateAccessKeysFromSAML, and have these characteristics:
- Duration: Keys are ephemeral and have a maximum lifespan of 12 hours.
- Identity format: saml/<saml-role>.
- Requirements: A valid configId, generated from a Workload Identity Federation configuration, must be created for the Access Key and passed in to the API request. See How-To: Manage Workload Identity Federation for AI Object Storage and CreateAccessKeyFromSAML for more information.
Identity formats
Recognizing the Access Key format can be useful for auditing and diagnostic purposes. The method by which an Access Key was created can be determined by examining its identity format:
- Keys created using SAML assertions have this format: saml/<saml-role>.
- Keys created using Cloud Console tokens have this format: coreweave/<cloud-token-id>.
- Keys created using CoreWeave internal tools have this format: static/<key-id>.
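One way to use these identity formats in an audit, as an added example that is not CoreWeave code: it classifies each key by its identity prefix and checks the key's lifetime against the limits stated on this page. The inventory record layout, the sample identities and the function names are assumptions constructed for illustration.

```python
from datetime import timedelta

MAX_TIME_LIMITED = timedelta(hours=12)  # 12-hour limit stated on this page

# Identity prefix -> creation method, as listed on this page.
METHODS = {
    "saml": "Workload Identity Federation (SAML assertion)",
    "coreweave": "Cloud Console token",
    "static": "CoreWeave internal tools",
}


def classify(identity):
    """Return (method, subject), or (None, None) for an unrecognised format."""
    prefix, sep, subject = identity.partition("/")
    if not sep or not subject or prefix not in METHODS:
        return None, None
    return METHODS[prefix], subject


def audit_key(identity, lifetime):
    """lifetime is a timedelta, or None for a persistent key. Returns findings."""
    method, _ = classify(identity)
    if method is None:
        return ["unrecognised identity format"]
    prefix = identity.split("/", 1)[0]
    findings = []
    if prefix in ("saml", "coreweave") and lifetime is not None:
        if lifetime > MAX_TIME_LIMITED:
            findings.append("lifetime exceeds 12 hours")
    if prefix == "saml" and lifetime is None:
        findings.append("SAML-derived key without expiry (expected ephemeral)")
    if prefix == "coreweave" and lifetime is None:
        findings.append("persistent Cloud Console key; review for production use")
    return findings


# Constructed inventory of (identity, lifetime); not real keys or a real export.
INVENTORY = [
    ("saml/ml-training-role", timedelta(hours=8)),
    ("coreweave/tok-0001", None),
    ("coreweave/tok-0002", timedelta(hours=24)),
    ("saml/batch-role", None),
    ("oidc/unknown", timedelta(hours=1)),
]

if __name__ == "__main__":
    for identity, lifetime in INVENTORY:
        print(identity, "->", audit_key(identity, lifetime) or "ok")
```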
Get started
See How-To: Get Started with AI Object Storage for a step-by-step guide to set up your environment and start using CoreWeave AI Object Storage.