Manage Bucket Policies
How to manage bucket policies in CoreWeave AI Object Storage
An Object Storage bucket policy is a JSON document that defines which principals may perform which operations on a bucket and on the objects it contains. A bucket policy is attached to an individual bucket and controls access to the resources inside that bucket.
Policy evaluation
Access to a bucket is allowed or denied by evaluating both the Org and Bucket policies as follows:
Example policies
The policy below allows organization-wide read access for the specified bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Principal": {"AWS": "*"},
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {"cw:PrincipalOrgID": ["Org ID"]}
      }
    }
  ]
}
```
This policy denies the user JeanDoe the ability to delete objects.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement",
      "Effect": "Deny",
      "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"},
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
```
Set a policy with the Cloud Console
- In the Cloud Console, navigate to Object Storage > Organization Policies.
- Click Create Policy.
- In the Create Policy page, enter the Policy Name.
- In the Statement section, enter the Name.
- Select the Effect, either Allow or Deny.
- Enter a Principal to which the policy applies, then click + at the right to add it to the policy. After clicking +, it should appear below the field. Multiple Principals can be added by entering them and clicking + again.
- Enter an Action, such as `s3:GetObject` or `s3:PutObject`, then click + to add it to the policy. Multiple actions can be added.
- Enter the Resource to which the policy applies, then click + to add it to the policy. Multiple resources can be added. A completed example Statement section looks like this:
- Click Add Statement. You'll see the statement added to the policy with edit and delete icons. You can click the edit icon to change the statement, or the delete icon to remove the statement from the policy.
- Click Submit to create the policy.
View an existing policy
To view an existing policy, navigate to Object Storage > Organization Policies, then click the policy name. This is the policy created in the prior section.
```json
{
  "name": "my-new-policy",
  "version": "v1alpha1",
  "statements": [
    {
      "name": "s3-api-access",
      "effect": "Allow",
      "actions": ["s3:*"],
      "resources": ["*"],
      "principals": ["*"]
    }
  ]
}
```
Edit or delete an existing policy
To edit or delete the policy, click the More icon to the right of the policy, then select Edit or Delete.
Edit returns you to the policy editor.
Delete requires confirmation:
Set a policy with CLI tools
The S3 `PutBucketPolicy` API call is used to set a policy for a bucket. Here is how bucket policies are set using different tools.
AWS CLI
```shell
$ aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json
```
s3cmd
```shell
$ s3cmd setpolicy FILE s3://BUCKET
```
Boto3
```python
import boto3

# Create an S3 client first; point it at your Object Storage endpoint and credentials
client = boto3.client("s3")

# The policy is passed as a JSON string
response = client.put_bucket_policy(
    Bucket="examplebucket",
    Policy='{"Version": "2012-10-17", "Statement": [{"Sid": "id-1", "Effect": "Allow", '
           '"Principal": {"AWS": "arn:aws:iam::123456789012:root"}, '
           '"Action": ["s3:PutObject", "s3:PutObjectAcl"], '
           '"Resource": ["arn:aws:s3:::acl3/*"]}]}',
)
print(response)
```
Roles for bucket policies
Roles can be used in bucket policies to specify a set of permissions for a user or group of users. Roles are defined in the Principal field of the policy. The following table describes the fields used to define roles in a bucket policy.

| Value | Description |
|---|---|
| org-id | A static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field, you can substitute a variable like `cw:ResourceOrgId` for the actual value. |
| principal-provider | Specifies where the principal came from. For example, the principal-provider for a SAML integration would be `saml`. Similarly, it would be `coreweave` for a user inside of CoreWeave's cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles. |
| principal-name | Used to identify the actual actor from the specified provider. For example, if the principal-provider is `saml`, then that name would be what is present in the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user's UID, which is found in that user's Settings in Cloud Console. |
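A small added policy checker (not part of the CoreWeave documentation or its tooling) that takes a bucket policy like the two examples above, splits principal ARNs into the org-id, principal-provider and principal-name fields of this table, and reports whether a given principal may perform an action on a resource, which is useful for reviewing a policy before calling `PutBucketPolicy`. It assumes the ARN layout `arn:aws:iam::<org-id>:<principal-provider>/<principal-name>` seen in the JeanDoe example, standard IAM evaluation order (an explicit Deny beats any Allow, otherwise the request is denied), and models only the `cw:PrincipalOrgID` condition; the sample policy and organization id are constructed.

```python
import fnmatch
import re
# Assumed layout, matching the JeanDoe example: arn:aws:iam::<org-id>:<principal-provider>/<principal-name>
PRINCIPAL_RE = re.compile(r"^arn:aws:iam::(?P<org_id>[^:]+):(?P<provider>[^/]+)/(?P<name>.+)$")

# Constructed sample: the page's two example statements merged into one policy, "Org ID" filled in
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowGetObject", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringEquals": {"cw:PrincipalOrgID": ["123456789012"]}}},
    {"Sid": "DenyDelete", "Effect": "Deny",
     "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"},
     "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration"],
     "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"]}]}

def parse_principal(arn):
    """Split a principal ARN into its org-id, principal-provider and principal-name."""
    m = PRINCIPAL_RE.match(arn)
    if not m:
        raise ValueError(f"unrecognised principal ARN: {arn}")
    return m.groupdict()
def _as_list(value):
    return value if isinstance(value, list) else [value]
def _matches(value, patterns):
    # IAM-style matching: '*' in a pattern matches any run of characters, including '/'
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _statement_applies(st, actor_arn, org_id, action, resource):
    principals = _as_list(st["Principal"]["AWS"])
    if "*" not in principals and actor_arn not in principals:
        return False
    # Only the StringEquals / cw:PrincipalOrgID condition used on this page is modelled
    wanted = _as_list(st.get("Condition", {}).get("StringEquals", {}).get("cw:PrincipalOrgID", []))
    if wanted and org_id not in wanted:
        return False
    return _matches(action, st["Action"]) and _matches(resource, st["Resource"])

def evaluate(policy, actor_arn, action, resource):
    """Assumed semantics: explicit Deny overrides Allow; nothing allowed means Deny."""
    org_id = parse_principal(actor_arn)["org_id"]
    decision = "Deny"
    for st in policy["Statement"]:
        if not _statement_applies(st, actor_arn, org_id, action, resource):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit Deny is final
        decision = "Allow"
    return decision
```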
For more information, see: