Policy Overview
How to control access to endpoints and resources
Policies in CoreWeave AI Object Storage control access to resources, define permitted actions, and manage data lifecycles. They are crucial for enforcing security, ensuring compliance, and managing data retention. Policies follow a defined evaluation order: organization-level policies are evaluated first and gate bucket-level policies, so a request must be allowed at the organization level before any bucket policy is consulted. This hierarchy ensures that users and systems can only perform explicitly authorized actions.
This guide covers how policy evaluation works, compares organization and bucket access policies, and outlines key exceptions to consider when designing secure and predictable access controls.
Policy types
CoreWeave AI Object Storage uses two types of policies: organization access policies and bucket access policies.
Organization access policies apply to all principals and resources across the entire organization. They are set in the Cloud Console or via the AI Object Storage API with HTTP clients like curl. Organization access policies are evaluated first in the policy evaluation order.
Bucket access policies apply to a specific bucket and the objects within it. They are set using the S3 API with standard S3 tools like aws s3api or s3cmd. Bucket access policies are evaluated after organization access policies, and only if the organization access policy allows the request.
Policy evaluation
The AI Object Storage API evaluates policies by following a specific order to determine whether a request should be allowed or denied. This evaluation process is crucial for ensuring that access controls are applied consistently and predictably.
First, the API evaluates organization access policies, which apply to all principals and resources across the organization.
- If there is no explicit organization access policy, the request is rejected.
- If an organization access policy explicitly denies a request, the request is rejected.
- If an organization access policy allows the request, the API evaluates any bucket access policies that apply to the specific bucket and its objects.
Next, the API evaluates bucket access policies, which apply to specific buckets and their objects. The evaluation follows these rules:
- If there are no bucket access policies, the request is implicitly allowed.
- If a bucket access policy explicitly denies the request, the request is rejected.
- If a bucket access policy explicitly allows the request, the request is accepted.
- If a bucket access policy exists but does not explicitly allow or deny the request, the request is implicitly rejected.
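The decision procedure above, written out as a small reference model so the edge cases (no organization policy, a bucket policy that is silent, the lock-out exception for `s3:PutBucketPolicy`) can be exercised on sample requests. This is an added example and is not CoreWeave's code or API. The two sample policies are constructed for the example: the `version`/`Version` keys, the short versus ARN resource and principal formats, and the example account ID `123456789012` follow this page's comparison table, but the statement layout (effect/principal/action/resource) and the treatment of an organization policy that neither allows nor denies (treated as a rejection, in line with "only explicitly authorized actions") are assumptions of the model.

```python
"""Reference model of the documented policy-evaluation order (added example, not CoreWeave code)."""
import fnmatch
import json

ACCOUNT_ID = "123456789012"  # example account ID taken from the page's principal ARN format

# Constructed sample organization policy: short resource and principal formats,
# lower-case keys and "version": "v1alpha1". Statement layout is an assumption.
ORG_POLICY = json.loads("""
{
  "version": "v1alpha1",
  "statement": [
    {"effect": "allow",
     "principal": ["coreweave/user-1234"],
     "action": ["s3:GetObject", "s3:PutObject", "s3:PutBucketPolicy"],
     "resource": ["my-bucket", "my-bucket/*"]},
    {"effect": "deny",
     "principal": ["coreweave/user-1234"],
     "action": ["s3:DeleteBucket"],
     "resource": ["my-bucket"]}
  ]
}
""")

# Constructed sample bucket policy in standard S3 form: ARN formats, "Version": "2012-10-17".
BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/user-1234"},
     "Action": ["s3:GetObject"],
     "Resource": ["arn:aws:s3:::my-bucket/public/*"]},
    {"Effect": "Deny",
     "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/user-1234"},
     "Action": ["s3:PutBucketPolicy"],
     "Resource": ["arn:aws:s3:::my-bucket"]}
  ]
}
""")


def _field(obj, name):
    """Read a key in either the S3 capitalized form or the lower-case form used here for org policies."""
    return obj.get(name, obj.get(name.lower()))


def _as_list(value):
    """Normalize a scalar, a list, or an S3 {"AWS": ...} principal block to a list of strings."""
    if isinstance(value, dict):
        value = value.get("AWS", [])
    return value if isinstance(value, list) else [value]


def _matches(stmt, principal, action, resource):
    """A statement applies when principal, action and resource each match one of its patterns."""
    return (any(fnmatch.fnmatchcase(principal, p) for p in _as_list(_field(stmt, "Principal")))
            and any(fnmatch.fnmatchcase(action, a) for a in _as_list(_field(stmt, "Action")))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(_field(stmt, "Resource"))))


def evaluate_policy(policy, principal, action, resource):
    """Return 'allow', 'deny', or None when no statement matches (the policy is silent)."""
    decision = None
    for stmt in _as_list(_field(policy, "Statement")):
        if not _matches(stmt, principal, action, resource):
            continue
        if _field(stmt, "Effect").lower() == "deny":
            return "deny"  # an explicit deny always wins over any allow
        decision = "allow"
    return decision


def evaluate_request(org_policy, bucket_policy, user_uid, action, bucket, key=None):
    """Apply the documented order: organization policy first, then (if allowed) the bucket policy."""
    # Step 1: organization policy, using the short principal and resource formats.
    if org_policy is None:
        return "deny"  # no organization access policy: request rejected
    short_resource = bucket if key is None else f"{bucket}/{key}"
    org = evaluate_policy(org_policy, f"coreweave/{user_uid}", action, short_resource)
    if org != "allow":
        return "deny"  # explicit deny, or (assumption) no matching organization statement

    # Step 2: bucket policy, using ARN formats. s3:PutBucketPolicy is ignored here to prevent lock-out.
    if action == "s3:PutBucketPolicy":
        return "allow"
    if bucket_policy is None:
        return "allow"  # no bucket access policy: implicitly allowed
    resource_arn = f"arn:aws:s3:::{bucket}" + ("" if key is None else f"/{key}")
    principal_arn = f"arn:aws:iam::{ACCOUNT_ID}:coreweave/{user_uid}"
    decision = evaluate_policy(bucket_policy, principal_arn, action, resource_arn)
    return "allow" if decision == "allow" else "deny"  # silent bucket policy: implicitly rejected


if __name__ == "__main__":
    for args in [("user-1234", "s3:GetObject", "my-bucket", "public/index.html"),
                 ("user-1234", "s3:GetObject", "my-bucket", "private/secret.txt"),
                 ("user-1234", "s3:DeleteBucket", "my-bucket", None),
                 ("user-1234", "s3:PutBucketPolicy", "my-bucket", None)]:
        print(args, "->", evaluate_request(ORG_POLICY, BUCKET_POLICY, *args))
```

The model uses `fnmatch` for `*` wildcards only; real policy languages also support conditions and other pattern forms that are outside this page's scope. The case worth noticing is the second one in the usage block: the organization policy allows `s3:GetObject` on the whole bucket, yet the object under `private/` is rejected because a bucket policy exists and says nothing about it. Conversely, the bucket policy's explicit deny of `s3:PutBucketPolicy` has no effect, exactly as the lock-out exception describes.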
The following diagram illustrates the workflow:
Differences between policy types
Organization and bucket access policies in CoreWeave AI Object Storage share a similar JSON structure and policy language, but they serve different purposes and have distinct characteristics. The following comparison table highlights the key differences between these two types of policies:
Characteristic | Organization Access Policies | Bucket Access Policies |
---|---|---|
Use Cases | Broad control at the organizational level. | Granular bucket access and bucket lifecycles. |
Scope | Applies to all principals and resources across the entire organization. | Applies only to a specific bucket and the objects within it. |
Evaluation order | Evaluated first in the policy evaluation order. | Evaluated second, if allowed by organization access policies. |
Management API | Managed via the Cloud Console or the Object Storage API. | Managed via the S3 API. |
Policy Version | Use "version": "v1alpha1". This is an internal CoreWeave version. | Use "Version": "2012-10-17". (Some older policies may use "2008-10-17".) |
API Actions | Includes both S3 API and AI Object Storage API actions. | Only includes S3 API actions. |
s3:PutBucketPolicy | Requests for s3:PutBucketPolicy are evaluated against organization access policies only. | To prevent lock-out, the s3:PutBucketPolicy action is ignored in bucket access policy evaluation, so you cannot set a bucket access policy that prevents you from setting bucket access policies. |
Resource Format | Use short format my-bucket. | Use ARN format arn:aws:s3:::my-bucket. |
Principal Format (Cloud Console) | Use short format coreweave/UserUID. | Use ARN format arn:aws:iam::123456789012:coreweave/UserUID. |
Principal Format (SAML groups) | Use short format role/Admin. | Use ARN format arn:aws:iam::123456789012:role/Admin. |
Learn more
For more information about organization and bucket access policies, and their associated APIs, see the following guides: