Manage Bucket Policies
How to manage bucket policies in CoreWeave AI Object Storage
An Object Storage bucket access policy is a JSON object that defines access to operations, and the objects for the bucket it's assigned to. Bucket access policies are applied to an individual bucket, and are used to control access to the resources inside the bucket.
Before setting a bucket access policy, you must set at least one organization access policy for your organization to access the bucket. Bucket access policies are evaluated after organization access policies.
You can set bucket access policies programmatically using the S3 API with standard S3 tools like aws s3api or s3cmd, or using the CoreWeave Terraform provider. Although you can set organization access policies in the Cloud Console, bucket access policies cannot be set in the Cloud Console.
Policy evaluation
Access to a bucket is allowed or denied by evaluating both the organization and bucket access policies as follows:
Example policies
The policy below allows organization-wide read access for the specified bucket.
{"Version": "2012-10-17","Statement": [{"Sid": "AllowGetObject","Principal": {"AWS": "*"},"Effect": "Allow","Action": ["s3:GetObject","s3:ListBucket"],"Resource": ["arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"],"Condition": {"StringEquals": {"cw:PrincipalOrgID": ["Org ID"]}}}]}
You can also use bucket access policies to allow users from other organizations to access your bucket:
{"Version": "2012-10-17","Statement": [{"Sid": "AllowGetObject","Principal": {"AWS": "*"},"Effect": "Allow","Action": ["s3:GetObject","s3:ListBucket"],"Resource": ["arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"],"Condition": {"StringEquals": {"cw:PrincipalOrgID": ["Org ID", "OtherOrgID"]}}}]}
This policy denies the user JeanDoe the ability to delete objects.
{"Version": "2012-10-17","Statement": [{"Sid": "statement","Effect": "Deny","Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"},"Action": ["s3:DeleteObject","s3:DeleteObjectVersion","s3:PutLifecycleConfiguration"],"Resource": ["arn:aws:s3:::my-bucket","arn:aws:s3:::my-bucket/*"]}]}
Set a policy with CLI tools
The S3:PutBucketPolicy API call is used to set a policy for a bucket. Here is how bucket access policies are set using different tools.
- AWS CLI
- s3cmd
- Boto3
$aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json`
$s3cmd setpolicy FILE s3://BUCKET
response = client.put_bucket_policy(Bucket='examplebucket',Policy='{"Version": "2012-10-17", "Statement": [{ "Sid": "id-1","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": [ "s3:PutObject","s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::acl3/*" ] } ]}',)print(response)
Set a policy with Terraform
To use the CoreWeave Terraform provider to set a bucket access policy, use the coreweave_object_storage_bucket_policy resource. Here is an example:
Click to expand Terraform example
## Example using jsonencode to pass a raw JSON string to the policy attributelocals {bucket_policy = {Version = "2012-10-17"Statement = [{Sid = "allow-all"Effect = "Allow"Principal = {"CW" : "*"}Action = ["s3:*"]resource = ["arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}"]},]}}resource "coreweave_object_storage_bucket" "raw" {name = "bucket-policy-raw-example"zone = "US-EAST-04A"}resource "coreweave_object_storage_bucket_policy" "raw" {bucket = coreweave_object_storage_bucket.raw.namepolicy = jsonencode(local.bucket_policy)}## Example using the coreweave_object_storage_bucket_policy_document data sourceresource "coreweave_object_storage_bucket" "doc" {name = "bucket-policy-doc-example"zone = "US-EAST-04A"}data "coreweave_object_storage_bucket_policy_document" "doc" {version = "2012-10-17"statement {sid = "allow-all"effect = "Allow"action = ["s3:*"]resource = ["arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}"]principal = {"CW" : ["*"]}}statement {sid = "DenyIfPrefixEquals"effect = "Deny"action = ["s3:ListBucket"]resource = ["arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}"]principal = {"CW" : ["*"]}condition = {"StringNotEquals" : {"s3:prefix" : "projects"}}}}resource "coreweave_object_storage_bucket_policy" "doc" {bucket = coreweave_object_storage_bucket.doc.namepolicy = data.coreweave_object_storage_bucket_policy_document.doc.json}
This resource is also available in OpenTofu. See Use Terraform to manage CoreWeave AI Object Storage infrastructure as code for more information.
Roles for bucket access policies
Roles can be used in bucket access policies to specify a set of permissions for a user or group of users. Roles are defined in the Principal field of the policy. The following table describes the fields used to define roles in a bucket access policy.
| Value | Description |
|---|---|
org-id | A static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field you can substitute a variable like cw:ResourceOrgId for the actual value. |
principal-provider | Specifies where the principal came from. For example, the principal-provider for a SAML integration would be saml. Similarly, It would be coreweave for a user inside of CoreWeave's cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles. |
principal-name | Used to identify the actual actor from the specified provider. For example, if the principal-provider is saml, then that name would be what is present in the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user's UID, which is found in that user's Settings in Cloud Console. |
Additional resources
For more information, see: