Using Workload Identity Federation and SAML
Create Access Keys using Workload Identity Federation and SAML Assertions
Create Key with a SAML assertion and Workload Identity Federation
Keys created using SAML assertions and Workload Identity Federation are created by submitting an HTTP POST request to the https://api.coreweave.com/v1/cwobject/temporary-credentials/saml endpoint. Within the request, the user provides:
- a
durationin seconds, with a maximum lifetime of 12 hours, - the organization ID,
- the Workload Federation configuration ID generated on the Cloud Console, and
- a SAML assertion, configured as desired, typically generated by an IdP.
Example
{"durationSeconds": 300,"orgId": "<MY_ORG_ID>","configId": "<WORKLOAD_FEDERATION_CONFIG_ID>","samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"}
CoreWeave then validates the SAML assertion, parsing the role and principal from the assertion. If validation is successful, CoreWeave returns an API key pair comprised of an Access Key and a Secret Key, which allow the user to authenticate to CoreWeave AI Object Storage.
The key pair is considered valid for the length of the set duration. Once the key pair expires, the steps above must be repeated to provision a new one.
Learn more
SAML assertion key values
In order to successfully authenticate any principal or subject and provide the necessary key pairs to use AI Object Storage, CoreWeave requires these specific attributes to be present inside any SAML assertion. Every SAML Role must have permissions granted via SAML assertion in order to perform any actions on AI Object Storage buckets.
Role
<Attribute Name="https://coreweave.com/SAML/Attributes/Role"><AttributeValue>role-name</AttributeValue></Attribute>
PrincipalName
<Attribute Name="https://coreweave.com/SAML/Attributes/PrincipalName"><AttributeValue>principal-name</AttributeValue></Attribute>
| Attribute Name | Definition |
|---|---|
https://coreweave.com/SAML/Attributes/Role | Denotes the role for the credential this call generates. If a request is made using these credentials, the role attached to them is validated using the bucket access policy. Appears in audit logs as the role used to gain access. |
https://coreweave.com/SAML/Attributes/PrincipalName | Denotes the principal that the credentials are for; that is, the actor making the requests. Can also be used in the bucket access policy if desired. Appears in audit logs as the principal that gained access. |
Each authenticated key pair is treated as an individual user for access, and can be used to provide granular modification of permissions. These permissions may grant read and/or write permissions, which include permissions for modifying the bucket access policies on buckets they own or are allowed to access.
Access policies for CoreWeave AI Object Storage are evaluated at the organization level, allowing users to be assigned privileges in groups. Users assigned to a role will only gain the access privileges granted to that role's key pair.
Destination, Recipient, Audience
Make sure to set the destination, recipient, and audience elements accordingly in your SAML response:
| Element | Value |
|---|---|
Destination | https://console.coreweave.com/m2m-saml-acs |
Recipient | https://console.coreweave.com/m2m-saml-acs |
Audience | https://console.coreweave.com/accounts/saml/$ORG_UID/metadata/ |
Example SAML assertion
Click to expand: Example SAML assertion
Example SAML assertion
<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" ID="ONELOGIN_a99a0b99699054bb10d0b06a9dbc6d46b68941a5" Version="2.0" IssueInstant="2025-06-30T21:06:44.055954Z" Destination="https://console.coreweave.com/m2m-saml-acs"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/d350ef80-d88e-4583-995c-704cee7672c6</saml2:Issuer><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#ONELOGIN_a99a0b99699054bb10d0b06a9dbc6d46b68941a5"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>/Ee8Ev3P2SlRF6UXeKI8U/2GV+6QUF4NPRlDAAbF9Nw=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>HSEQBYyFo135t4rmAYrBOPbVpxp5UdIrfwgWZmWJYIAdLK5wJ3YoIhKB+RFho4uGdN+eAvb02F4NeYCShhCToePFSsPN+GlYiYmcqOlM9ES6pVIsyXWnfQicAB48CZNWYVprMaZshSup7QJ+QSn1uWnxSYlcYMtHo+f6lSt5VTy6Q/hGoRVpctAlDA5ASWSXHckebWra2zV5sgd8t0lE5FpoU44BqW9nFA8+eV20xbGFMa07G23tnggT8W5yAwg+/EkKIstbIRbJnFDDXq804dqwLjEc2NAc/2lC6287kvtfL8teDrkp3/qvrSPpTmSKU1T71peflM7VSleGkCqo5Q==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICtDCCAZygAwIBAgIUOUDkmck91X09hVgqkL6cc/NSoQUwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDYzMDIxMDY0NFoXDTI1MDcwMTIxMDY0NFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn2e99p4HbBsxfzJCCQO8rFWc+vbqBV5nT2IdI4uSicNLKGmzZomHFrp3/X9BUMxxAMIvfXTYzv1imOST0+ewokbnqbcFuugUbybgM2VyQPYr8npxJeCgwqV9Nl7pbRonx8AKDcvfUZPQ68xkk9cutizO2OoVopMxBjAHdjr5IHsOR1OzeWYpO51IKtlwoIrZoIsIs5R1JgDsGwj/r2jL3OaCOXY4iMaZp96nvqw4GrvjkGG5igpLFoOhId2sx/jCQaIbXOZlg7NbmbzlmG/dl+nLPk3ncJlRIQoqyz7ccUsD5TBAIBvxPWlP8ja4HwA5k3qoXdnnZxo10tFQf8LzAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAaUjqWkT+bSRjUho10rCWRm6cEDFSjCQXCLLOQzr69wCa9djjfAy/9WxY8QiG4hBDDVFz2jGq64J+z4yoZhboNlwzt8RXjmpQsd//IR0HYu3SGtdpHczYNI/wV5EycCUK8qeqMgUVIDtX9OMGgp71S79lCkod/TXi9ynb+5F/HE1/ZRDC071loViqWqb5w2X3/UJRu3IMiu2hMjUKS97GuzCQGbyJzrKsspQRQioyFhQq+jE6p0maRNu/NV8Jdoxh7T0CWMU3iEuyDptG5a6QLsvjqWkaKtrpw34wZVqHevkswl3jLSbv2Ps9ValbBo/7524Znon05KG9MtDzQBefQ</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status><saml2:Assertion ID="ONELOGIN_55a169797ef16fb32a0739ec9fffc5f727531493" Version="2.0" IssueInstant="2025-06-30T21:06:44.055954Z"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/d350ef80-d88e-4583-995c-704cee7672c6</saml2:Issuer><ds:Signature><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/><ds:Reference URI="#ONELOGIN_55a169797ef16fb32a0739ec9fffc5f727531493"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/><ds:DigestValue>JmJsIBpRwlgqLHogq2MfDxDTvjhafqWjc09VPv7kcYE=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>PKINypDPQUatQlfsTi62HamMpgPyl+1H7o+tEG608Im/lNkpg16I06wkh98X+EBV+3K1aXzLaXDt4OIRKbQIDKwl/Aq4ez+jt9Yc1gkFk/QzZAQ/BZOrcNTkBNfdElXpKZ1lP/2HBGbG679VRqz4kXhpPBES2i1zaG08pCnUNbJvrlykfiLoUpLqg5qDYaZAJIOdrZfHGWhWR8D0jISf7nCbtxVBnCmIjWa10hs9zA9syBReFa14loS0ASHq+mT2UPDU+P0wR6MraZpS9dAkYYLYBcx4UQ1Indq+Ea9bhlVmZK8FzVwEU94ww+4yYDWImn5e9fruUM4Mf+0M6dKHsQ==</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICtDCCAZygAwIBAgIUOUDkmck91X09hVgqkL6cc/NSoQUwDQYJKoZIhvcNAQELBQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTI1MDYzMDIxMDY0NFoXDTI1MDcwMTIxMDY0NFowFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn2e99p4HbBsxfzJCCQO8rFWc+vbqBV5nT2IdI4uSicNLKGmzZomHFrp3/X9BUMxxAMIvfXTYzv1imOST0+ewokbnqbcFuugUbybgM2VyQPYr8npxJeCgwqV9Nl7pbRonx8AKDcvfUZPQ68xkk9cutizO2OoVopMxBjAHdjr5IHsOR1OzeWYpO51IKtlwoIrZoIsIs5R1JgDsGwj/r2jL3OaCOXY4iMaZp96nvqw4GrvjkGG5igpLFoOhId2sx/jCQaIbXOZlg7NbmbzlmG/dl+nLPk3ncJlRIQoqyz7ccUsD5TBAIBvxPWlP8ja4HwA5k3qoXdnnZxo10tFQf8LzAwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAaUjqWkT+bSRjUho10rCWRm6cEDFSjCQXCLLOQzr69wCa9djjfAy/9WxY8QiG4hBDDVFz2jGq64J+z4yoZhboNlwzt8RXjmpQsd//IR0HYu3SGtdpHczYNI/wV5EycCUK8qeqMgUVIDtX9OMGgp71S79lCkod/TXi9ynb+5F/HE1/ZRDC071loViqWqb5w2X3/UJRu3IMiu2hMjUKS97GuzCQGbyJzrKsspQRQioyFhQq+jE6p0maRNu/NV8Jdoxh7T0CWMU3iEuyDptG5a6QLsvjqWkaKtrpw34wZVqHevkswl3jLSbv2Ps9ValbBo/7524Znon05KG9MtDzQBefQ</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2025-06-30T21:11:44.055954Z" Recipient="https://console.coreweave.com/m2m-saml-acs"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2025-06-30T21:01:44.055954Z" NotOnOrAfter="2025-06-30T21:11:44.055954Z"><saml2:AudienceRestriction><saml2:Audience>https://console.coreweave.com/accounts/saml/c972e1/metadata/</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2025-06-30T21:06:44.055954Z" SessionIndex="ONELOGIN_fddfeaa124b03f20701e1b1d939147c83d0b0c18"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="https://coreweave.com/SAML/Attributes/PrincipalName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"></saml2:Attribute><saml2:Attribute Name="https://coreweave.com/SAML/Attributes/Role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml2:AttributeValue xsi:type="xs:string">role-a99e28</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion></saml2p:Response>
Example access policy
Here is an example of a basic access policy that, if submitted, would allow users to read and write to buckets, without allowing any added privileges.
Example: basic-policy.json
{"version": "v1alpha1","name": "give-saml-access","statements": [{"name": "object-reader-allow","effect": "Allow","actions": ["s3:Get*","s3:List*"],"resources": ["test-bucket/*"],"principals": ["role/<reader-role>"]},{"name": "object-reader-deny","effect": "Deny","actions": ["s3:GetBucketPolicy","s3:ListAllMyBuckets","s3:ListMultipartUploadParts","s3:ListBucketMultipartUploads"],"resources": ["test-bucket/*"],"principals": ["role/<reader-role>"]},{"name": "object-writer-allow","effect": "Allow","actions": ["s3:*"],"resources": ["test-bucket/*"],"principals": ["role/<writer-role>"]},{"name": "object-writer-deny","effect": "Deny","actions": ["s3:PutBucketPolicy"],"resources": ["test-bucket/*"],"principals": ["role/<writer-role>"]},{"name": "object-admin-access","effect": "Allow","actions": ["*"],"resources": ["*"],"principals": ["role/<admin-role>"]}]}
Important
CoreWeave does not provide role management for AI Object Storage access. Role management for CoreWeave AI Object Storage is the responsibility of the client. CoreWeave assumes that any access given to a role via a SAML assertion provided by an organization's IdP is valid.