Get Started with AI Object Storage
Set up AI Object Storage authentication, policies, and storage access for enterprise workloads
This guide provides a high-level overview of the steps required to set up and use AI Object Storage.
Prerequisites
- Administrative access to your CoreWeave organization
- A Cloud Console token with
admin
permissions
Configure authentication
Access keys are required for users and workloads to access AI Object Storage. Choose whether you'd like to get started more quickly with testing, or create a secure setup for production workloads:
- For the most secure setup, using SAML assertions with Workload Identity Federation to generate workload Access Keys is strongly recommended.
- For less sensitive operations or for testing, you can use Cloud Console tokens to create your access keys.
- Quick Setup
- Production Setup
For testing and validation: Get started in minutes with Cloud Console tokens.
Create an access key using Cloud Console tokens:
You must be logged in with an account that has admin
permissions.
- In the Cloud Console, navigate to Object Storage > Keys.
- Click Create Key.
- In the dialog:
- For a Temporary key, enter the desired duration in seconds and click Create.
- For a Permanent key, select Enable Permanent Key and click Create.
For production workloads: Implement secure, automated credential management.
Workload Identity Federation provides a more secure, controlled way to generate time-limited Access Keys using SAML assertions, and is recommended for granting workloads access to AI Object Storage in production environments.
Before you can generate Access Keys for AI Object Storage using Workload Identity Federation, you must first configure Workload Identity Federation for your organization.
- Configure Workload Identity Federation for AI Object Storage
- Using SAML assertions with Workload Identity Federation
After you configure Workload Identity Federation, you can use it to generate access keys for your workloads by submitting a CreateAccessKeysFromSAML
request to the AI Object Storage API.
This request contains:
- A SAML assertion (usually generated by an IdP),
- a
configId
, generated from the Workload Identity Federation Console, and - a
duration
parameter to specify the maximum lifespan of the Access Key.
{"durationSeconds": 300,"orgId": "abc123","configId": "<WORKLOAD_FEDERATION_CONFIG_ID>","samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"}
Learn more about creating access keys with Workload Identity Federation.
After setting up access keys for authentication, you need to set a policy for access control.
Set access policies
You must create an organization access policy to be able to access the Object Storage S3-compatible API.
Before uploading data, you may also want to set bucket access policies for your organization and buckets. Policies are used to control access to data, control lifecycles, and configure auditing.
See these sections for more information:
- How organization and bucket policies are evaluated
- Organization Access Policies
- Bucket Access Policies
- How-To: Manage Bucket Access Policies
- Reference:
EnsureAccessPolicy
action
After setting up access policies, you can configure your development environment and then set up buckets and objects.
Set global configs
Before you create your first bucket in AI Object Storage, ensure the following settings are applied in your AWS config:
- Your AWS/Boto3 client or CLI is configured to use the AI Object Storage endpoint. The
endpoint_url
should be:https://cwobject.com
for the primary endpointhttp://cwlota.com
if using LOTA
- The S3
addressing_style
is set tovirtual
:- In AWS CLI config:
aws configure set default.s3.addressing_style virtual
- In Boto3: use
config=Config(s3={'addressing_style': 'virtual'})
- In AWS CLI config:
This is a one-time configuration to add CoreWeave-specific settings to your development environment.
Create a bucket
After creating access keys, an organization access policy, and setting your global configuration, create a bucket to store data. Buckets are the primary organizational unit used by CoreWeave AI Object Storage to store object data.
You can create buckets using popular S3-compatible tools or the Cloud Console at these endpoints:
Endpoint | URL | Notes |
---|---|---|
Primary endpoint | https://cwobject.com | Uses HTTPS and requires TLS v1.3. Ensure your S3-compatible tools and OpenSSL use TLS v1.3. |
LOTA endpoint | http://cwlota.com | Uses HTTP protocol, not HTTPS. |
Use objects and buckets
CoreWeave AI Object Storage is compatible with the S3 API, so you can use any S3-compatible tool to manage your data. See How-To: Manage Objects to learn how to use CoreWeave AI Object Storage with s3cmd, Boto3, or the AWS CLI.
CoreWeave AI Object Storage is designed to work with LOTA (Local Object Transfer Accelerator), a first-of-its-kind intelligent proxy that provides a highly efficient, local gateway to CoreWeave AI Object Storage. See Concepts: LOTA for details about how LOTA works.
CoreWeave AI Object Storage has default quota limits. See Manage quota limits for more information.
API reference and compatibility information
- For API reference for AI Object Storage, refer to the API documentation.
- For S3 API compatibility reference, refer to the S3 compatibility documentation.