Configure and Manage Bucket Policies

Configure and edit Bucket policy IAM in CoreWeave AI Object Storage

An Object Storage bucket policy is a JSON blob that defines access to operations and objects for the bucket it's assigned to. Bucket policies are applied to an individual bucket, and are used to control access to the resources inside the bucket.

Access to a bucket is allowed or denied by evaluating both the Org and Bucket policies as follows:

Example bucket policy

The policy below allows organization-wide read access for the specified bucket.

Example
{
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetObject",
        "Principal": {
            "AWS": "*"
        },
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {
            "StringEquals": {
                "cw:PrincipalOrgID": ["Org ID"]
            }
        }
    }]
}

Set a policy

The S3 PutBucketPolicy API call sets the policy for a bucket. The examples below show how to make that call with different tools.

AWS CLI

Example command
$ aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json

s3cmd

Example command
$ s3cmd setpolicy FILE s3://BUCKET

Boto3

Example method
import boto3

# Endpoint and credentials come from the boto3/AWS configuration (environment or ~/.aws/config).
client = boto3.client('s3')

# The Resource ARNs must refer to the bucket the policy is attached to.
response = client.put_bucket_policy(
    Bucket='examplebucket',
    Policy='{"Version": "2012-10-17", "Statement": [{ "Sid": "id-1", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::examplebucket/*"]}]}',
)
print(response)
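The following is an added example, not CoreWeave's own code, that ties the steps above together: it builds the organization-wide read policy from the first example as a Python dict, runs the checks a reviewer would want before applying it (resources scoped to the target bucket, no unconditional wildcard principal), and pushes it with boto3's put_bucket_policy. The bucket name, org id and endpoint URL are placeholders; the dry_run flag lets the function be exercised without a live endpoint.

```python
import json
from typing import Any


def build_org_read_policy(bucket: str, org_id: str) -> dict[str, Any]:
    """Return the page's 'organization-wide read' policy for `bucket` as a dict."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetObject",
            "Principal": {"AWS": "*"},
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            # Restricts the wildcard principal to members of one organization.
            "Condition": {"StringEquals": {"cw:PrincipalOrgID": [org_id]}},
        }],
    }


def check_policy(policy: dict[str, Any], bucket: str) -> list[str]:
    """Return a list of problems found; an empty list means the checks passed.

    Structural checks: Version, a non-empty Statement list, the required keys,
    and every Resource inside `bucket` (PutBucketPolicy rejects other buckets).
    Risk check: an Allow for principal "*" with no Condition makes the listed
    actions public, which is rarely what a bucket owner intends.
    """
    problems: list[str] = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    statements = policy.get("Statement")
    if not isinstance(statements, list) or not statements:
        return problems + ["Statement must be a non-empty list"]
    bucket_arn = f"arn:aws:s3:::{bucket}"
    for st in statements:
        sid = st.get("Sid", "<no Sid>")
        for key in ("Effect", "Principal", "Action", "Resource"):
            if key not in st:
                problems.append(f"{sid}: missing {key}")
        resources = st.get("Resource", [])
        for res in resources if isinstance(resources, list) else [resources]:
            if res != bucket_arn and not res.startswith(bucket_arn + "/"):
                problems.append(f"{sid}: resource {res} is outside bucket {bucket}")
        principal = st.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and wildcard and not st.get("Condition"):
            problems.append(f"{sid}: allows any principal with no Condition (public access)")
    return problems


def apply_policy(bucket: str, policy: dict[str, Any], endpoint_url: str,
                 dry_run: bool = False) -> str:
    """Check, serialize and PUT the policy (S3 PutBucketPolicy); returns the JSON sent.

    With dry_run=True nothing is sent, so the function can be exercised offline.
    """
    problems = check_policy(policy, bucket)
    if problems:
        raise ValueError("; ".join(problems))
    body = json.dumps(policy)
    if not dry_run:
        import boto3  # imported here so the module loads without boto3 installed
        client = boto3.client("s3", endpoint_url=endpoint_url)
        client.put_bucket_policy(Bucket=bucket, Policy=body)
    return body


if __name__ == "__main__":
    # Placeholders (assumptions): replace with your bucket, org id and endpoint.
    policy = build_org_read_policy("my-bucket", "<your-org-id>")
    print(apply_policy("my-bucket", policy, "https://<object-storage-endpoint>", dry_run=True))
```

Running check_policy before every PutBucketPolicy is cheap and catches the two mistakes that matter most in practice: a resource ARN copied from another bucket (the call is rejected) and a wildcard principal whose Condition was dropped during editing (the call succeeds and the objects become public).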

Example policy

This policy denies the user Jean Doe the ability to delete objects or object versions in the bucket, and to change its lifecycle configuration.

Example
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"
            },
            "Action": [
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:PutLifecycleConfiguration"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}

Set roles for bucket policies

Learn more

For more information, see: Object Storage roles.

org-id
    A static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field, you can substitute a variable like cw:ResourceOrgId for the actual value.

principal-provider
    Specifies where the principal came from. For example, the principal-provider for a SAML integration would be saml. Similarly, it would be coreweave for a user inside of CoreWeave's cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles.

principal-name
    Used to identify the actual actor from the specified provider. For example, if the principal-provider is saml, then that name would be what is present in the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user's UID. This can be found in the Cloud Console, or can be provided upon request.
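The following is an added example, not part of the page or CoreWeave's code, that makes the two example policies and the principal fields above concrete: it parses a principal ARN into the org-id, principal-provider and principal-name values described in the table, and evaluates a request against both example policies. The evaluation rule it applies (a matching explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny) is the standard S3 semantics and is assumed here to hold for CoreWeave as well; the only condition modelled is the StringEquals on cw:PrincipalOrgID that the page uses, and any other condition fails closed. The org id "123456789012" is taken from the page's example ARN.

```python
import fnmatch
from dataclasses import dataclass
from typing import Any


@dataclass(frozen=True)
class Principal:
    org_id: str    # org-id: static identifier of the CoreWeave organization
    provider: str  # principal-provider: e.g. "coreweave" or "saml"
    name: str      # principal-name: user UID, or the SAML PrincipalName attribute

    @property
    def arn(self) -> str:
        return f"arn:aws:iam::{self.org_id}:{self.provider}/{self.name}"


def parse_principal_arn(arn: str) -> Principal:
    """Split arn:aws:iam::<org-id>:<principal-provider>/<principal-name> into its fields."""
    prefix = "arn:aws:iam::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an IAM principal ARN: {arn}")
    org_id, _, rest = arn[len(prefix):].partition(":")
    provider, sep, name = rest.partition("/")
    if not (org_id and provider and sep and name):
        raise ValueError(f"malformed principal ARN: {arn}")
    return Principal(org_id, provider, name)


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _principal_matches(stmt_principal: Any, who: Principal) -> bool:
    if stmt_principal == "*":
        return True
    aws = _as_list(stmt_principal.get("AWS", []))
    return "*" in aws or who.arn in aws


def _condition_holds(cond: Any, who: Principal) -> bool:
    # Only StringEquals on cw:PrincipalOrgID (the condition the page uses) is modelled;
    # any other operator or key is treated as not satisfied, so the check fails closed.
    if not cond:
        return True
    for operator, pairs in cond.items():
        if operator != "StringEquals":
            return False
        for key, wanted in pairs.items():
            if key != "cw:PrincipalOrgID" or who.org_id not in _as_list(wanted):
                return False
    return True


def evaluate(policies: list, who: Principal, action: str, resource: str) -> str:
    """Return "Allow" or "Deny" for one request across all applicable policies.

    Assumed rule (standard S3 semantics): a matching explicit Deny wins over
    everything; otherwise any matching Allow grants; otherwise implicit deny.
    """
    decision = "Deny"
    for policy in policies:
        for st in policy["Statement"]:
            if not _principal_matches(st["Principal"], who):
                continue
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
                continue
            if not _condition_holds(st.get("Condition"), who):
                continue
            if st["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


# The page's two example policies; the org id comes from the page's example ARN.
ORG_ID = "123456789012"
ORG_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetObject",
        "Principal": {"AWS": "*"},
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"StringEquals": {"cw:PrincipalOrgID": [ORG_ID]}},
    }],
}
DENY_DELETE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement",
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"},
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
}


def decide(principal_arn: str, action: str, key: str = "report.txt") -> str:
    """Evaluate `action` on my-bucket/<key> for the given principal ARN under both policies."""
    return evaluate([ORG_READ, DENY_DELETE], parse_principal_arn(principal_arn),
                    action, f"arn:aws:s3:::my-bucket/{key}")
```

With both policies loaded, Jean Doe can still read objects (the org-wide Allow matches her org id) but her delete is refused by the explicit Deny, another user in the same organization can read but has no statement allowing deletes (implicit deny), and a principal from a different organization fails the cw:PrincipalOrgID condition and gets nothing.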