Get Started with AI Object Storage

Set up AI Object Storage authentication, policies, and storage access for enterprise workloads

This guide provides a high-level overview of the steps required to set up and use AI Object Storage.

Prerequisites

• Administrative access to your CoreWeave organization
• A Cloud Console token with admin permissions

Configure authentication

Access keys are required for users and workloads to access AI Object Storage. Choose whether you'd like to get started more quickly with testing, or create a secure setup for production workloads:

• For the most secure setup, using SAML assertions with Workload Identity Federation to generate workload Access Keys is strongly recommended.
• For less sensitive operations or for testing, you can use Cloud Console tokens to create your access keys.

Quick Setup

For testing and validation: Get started in minutes with Cloud Console tokens.

Create an access key using Cloud Console tokens:

You must be logged in with an account that has admin permissions.

1. In the Cloud Console, navigate to Object Storage > Keys.
2. Click Create Key.
3. In the dialog:
   • For a Temporary key, enter the desired duration in seconds and click Create.
   • For a Permanent key, select Enable Permanent Key and click Create.

Production Setup

For production workloads: Implement secure, automated credential management.

Workload Identity Federation provides a more secure, controlled way to generate time-limited Access Keys using SAML assertions, and is recommended for granting workloads access to AI Object Storage in production environments.

Before you can generate Access Keys for AI Object Storage using Workload Identity Federation, you must first configure Workload Identity Federation for your organization.

1. Configure Workload Identity Federation for AI Object Storage
2. Using SAML assertions with Workload Identity Federation

After you configure Workload Identity Federation, you can use it to generate access keys for your workloads by submitting a CreateAccessKeysFromSAML request to the AI Object Storage API.

This request contains:

1. A SAML assertion (usually generated by an IdP),
2. a configId, generated from the Workload Identity Federation Console, and
3. a duration parameter to specify the maximum lifespan of the Access Key.

Example

{
  "durationSeconds": 300,
  "orgId": "abc123",
  "configId": "<WORKLOAD_FEDERATION_CONFIG_ID>",
  "samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"
}

Learn more about creating access keys with Workload Identity Federation.

After setting up access keys for authentication, you need to set a policy for access control.

Set access policies

You must create an organization access policy to be able to access the Object Storage S3-compatible API.

Before uploading data, you may also want to set bucket access policies for your organization and buckets. Policies are used to control access to data, control lifecycles, and configure auditing.

See these sections for more information:

• How organization and bucket policies are evaluated
• Organization Access Policies
• Bucket Access Policies
• How-To: Manage Bucket Access Policies
• Reference: EnsureAccessPolicy action

After setting up access policies, you can configure your development environment and then set up buckets and objects.

Set global configs

Before you create your first bucket in AI Object Storage, ensure the following settings are applied in your AWS config:

• Your AWS/Boto3 client or CLI is configured to use the AI Object Storage endpoint. The endpoint_url should be:
  • https://cwobject.com for the primary endpoint
  • http://cwlota.com if using LOTA
• The S3 addressing_style is set to virtual:
  • In AWS CLI config: aws configure set default.s3.addressing_style virtual
  • In Boto3: use config=Config(s3={'addressing_style': 'virtual'})

This is a one-time configuration to add CoreWeave-specific settings to your development environment.

Create a bucket

After creating access keys, an organization access policy, and setting your global configuration, create a bucket to store data. Buckets are the primary organizational unit used by CoreWeave AI Object Storage to store object data.

You can create buckets using popular S3-compatible tools or the Cloud Console at these endpoints:

Endpoint	URL	Notes
Primary endpoint	https://cwobject.com	Uses HTTPS and requires TLS v1.3. Ensure your S3-compatible tools and OpenSSL use TLS v1.3.
LOTA endpoint	http://cwlota.com	Uses HTTP protocol, not HTTPS.

Use objects and buckets

CoreWeave AI Object Storage is compatible with the S3 API, so you can use any S3-compatible tool to manage your data. See How-To: Manage Objects to learn how to use CoreWeave AI Object Storage with s3cmd, Boto3, or the AWS CLI.

CoreWeave AI Object Storage is designed to work with LOTA (Local Object Transfer Accelerator), a first-of-its-kind intelligent proxy that provides a highly efficient, local gateway to CoreWeave AI Object Storage. See Concepts: LOTA for details about how LOTA works.

Quota limits

CoreWeave AI Object Storage has default quota limits. See Manage quota limits for more information.

API reference and compatibility information

• For API reference for AI Object Storage, refer to the API documentation.
• For S3 API compatibility reference, refer to the S3 compatibility documentation.