Manage Workload Identity Federation for AI Object Storage
Set up and manage Workload Identity Federation to authenticate AI Object Storage Access Keys
Workload Identity Federation lets you authorize AI Object Storage Access Keys with your Identity Provider (IdP) acting as the authorizing entity.
Prerequisites
This guide presumes the following:
- You have administrator privileges for your organization
- You have a mechanism for generating SAML assertions; most commonly, this is an Identity Provider (IdP)
Procedure
To create Workload Identity Federation configurations for your organization, first log in to your CoreWeave organization on the Cloud Console.
From the left-hand navigation pane, select the IAM drop-down menu. Inside this menu, select Workload Federation to navigate to the Workload Federation page.
From the Workload Federation page, you can view or edit your existing Workload Identity Federation configurations.
Create a configuration
In the Cloud Console you can create a Workload Identity Federation configuration using either SAML or OIDC.
SAML
- Navigate to the Workload Federation page.
- Click the Create SAML configuration button. This opens the configuration creation page.
To properly configure Workload Identity Federation, you must provide:
- Name: A unique name for the configuration.
- IdP Entity ID: Your identity provider's unique identifier, typically in URI or URL format. You can find this value in your IdP's SAML metadata or SSO configuration settings. CoreWeave uses this to verify the source of SAML assertions.
- X.509 Certificate: The PEM-encoded public key certificate from your identity provider. CoreWeave uses this to verify that SAML assertions are digitally signed by your trusted IdP. You can typically find this in your IdP's SAML/SSO configuration settings.
- Description: A brief description of the configuration.
After providing the necessary information, click the Create button to create the configuration.
OIDC
- Navigate to the Workload Federation page.
- Click the Create OIDC configuration button. This opens the configuration creation page.
To properly configure Workload Identity Federation, you must provide:
- Name: A unique name for the configuration.
- Issuer URL: Your OIDC provider's identifier URL, such as https://your-domain.okta.com or https://accounts.google.com. CoreWeave uses this to verify that tokens were issued by your trusted identity provider and to discover the provider's configuration.
- Client ID (Audience): The client identifier that OIDC tokens must be intended for (e.g., abc123-def456-ghi789). CoreWeave validates that incoming tokens contain this value in their audience (aud) claim.
- Description: A brief description of the configuration.
After providing the necessary information, click the Create button to create the configuration.
Created configurations are viewable on the Workload Federation page. After the configuration is created, a Config ID is generated. This ID associates the new configuration with your AI Object Storage Access Keys: pass it to the API call as the value of configId.
Example
{
  "durationSeconds": 300,
  "orgId": "abc123",
  "configId": "<WORKLOAD_FEDERATION_CONFIG_ID>",
  "samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"
}
For more information on how to use Workload Identity Federation with AI Object Storage, refer to the API Reference.
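The following is an added example, not CoreWeave's own code or API client. It builds the request body shown above (base64-encoding a SAML response for samlResponse) and runs a client-side pre-flight check of the two OIDC claims the page says CoreWeave validates, iss against the Issuer URL and aud against the Client ID. It does not verify signatures; that is done by CoreWeave against the certificate or discovered provider keys. All function names and the sample token are assumptions constructed for this example.

```python
import base64
import json
import time


def build_saml_key_request(org_id, config_id, saml_response_xml, duration_seconds=300):
    """Build the request body from the page; the raw SAML response XML must be
    base64-encoded before it is passed as samlResponse."""
    encoded = base64.b64encode(saml_response_xml.encode("utf-8")).decode("ascii")
    return {
        "durationSeconds": duration_seconds,
        "orgId": org_id,
        "configId": config_id,
        "samlResponse": encoded,
    }


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_oidc_token_claims(token, issuer_url, client_id, now=None):
    """Pre-flight check mirroring what the OIDC configuration enforces:
    iss must equal the Issuer URL and aud must contain the Client ID.
    Signature verification is left to CoreWeave. Returns a list of problems;
    an empty list means the token's claims match the configuration."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWT"]
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append("iss %r does not match Issuer URL %r" % (claims.get("iss"), issuer_url))
    aud = claims.get("aud", [])
    if isinstance(aud, str):  # aud may be a single string or a list of audiences
        aud = [aud]
    if client_id not in aud:
        problems.append("aud %r does not contain Client ID %r" % (aud, client_id))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        problems.append("token is expired")
    return problems


def make_test_token(claims):
    """Constructed helper: an offline JWT with a placeholder signature, for testing only."""
    header = base64.urlsafe_b64encode(b'{"alg":"RS256","typ":"JWT"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return header + "." + body + ".constructed-signature-placeholder"
```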