
Manage Bucket Policies

How to manage bucket policies in CoreWeave AI Object Storage

An Object Storage bucket policy is a JSON document that defines which operations are allowed or denied on the bucket it is assigned to and on the objects inside it. A bucket policy applies to a single bucket and controls access to the resources that bucket contains.

Policy evaluation

Access to a bucket is allowed or denied by evaluating both the Org and Bucket policies as follows:

Example policies

The policy below allows organization-wide read access for the specified bucket.

Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Principal": {
        "AWS": "*"
      },
      "Effect": "Allow",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::my-bucket/*",
      "Condition": {
        "StringEquals": {
          "cw:PrincipalOrgID": ["Org ID"]
        }
      }
    }
  ]
}

This policy denies the user JeanDoe the ability to delete objects.

Example
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement",
      "Effect": "Deny",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::my-bucket",
        "arn:aws:s3:::my-bucket/*"
      ]
    }
  ]
}
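The two example policies above differ in reach: the first grants read access to every principal but scopes it to the organization with a cw:PrincipalOrgID condition, while the second only removes permissions from one named user. The following checker is an added example, not code from the CoreWeave documentation. It parses a bucket policy and flags Allow statements that are broader than the organization-wide pattern. It assumes (following the first example, where the condition is what scopes the wildcard principal) that an Allow with Principal "*" and no cw:PrincipalOrgID condition reaches beyond the organization; the sample policies are constructed from the page's two examples plus one deliberately over-broad statement.

```python
import json
from typing import Any, List, Tuple

# Constructed sample policies: the two examples from this page plus a
# deliberately over-broad statement that the checker should flag.
ORG_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowGetObject",
        "Principal": {"AWS": "*"},
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-bucket/*",
        "Condition": {"StringEquals": {"cw:PrincipalOrgID": ["Org ID"]}},
    }],
})

DENY_DELETE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "statement",
        "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"},
        "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration"],
        "Resource": ["arn:aws:s3:::my-bucket", "arn:aws:s3:::my-bucket/*"],
    }],
})

OPEN_WRITE_POLICY = json.dumps({  # constructed: a mistaken, over-broad policy
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OpenWrite",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::my-bucket/*",
    }],
})


def _as_list(value: Any) -> List[Any]:
    """Action, Resource and Principal.AWS may be a string or a list; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principals(statement: dict) -> List[Any]:
    principal = statement.get("Principal", {})
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)  # bare "*" form


def _has_org_condition(statement: dict) -> bool:
    """True if any condition operator block keys on cw:PrincipalOrgID."""
    for operator_block in statement.get("Condition", {}).values():
        if any(key.lower() == "cw:principalorgid" for key in operator_block):
            return True
    return False


def lint_policy(policy_json: str) -> List[Tuple[str, str]]:
    """Return (Sid, finding) pairs for Allow statements broader than the
    organization-wide pattern. Deny statements only narrow access and are
    therefore never flagged."""
    policy = json.loads(policy_json)
    findings: List[Tuple[str, str]] = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("<policy>", "missing or unexpected Version"))
    for statement in policy.get("Statement", []):
        sid = statement.get("Sid", "<no Sid>")
        if statement.get("Effect") != "Allow":
            continue
        if "*" in _principals(statement) and not _has_org_condition(statement):
            findings.append((sid, "wildcard principal without a cw:PrincipalOrgID condition"))
        if any(action in ("*", "s3:*") for action in _as_list(statement.get("Action"))):
            findings.append((sid, "wildcard action"))
        if "*" in _as_list(statement.get("Resource")):
            findings.append((sid, "wildcard resource"))
    return findings


if __name__ == "__main__":
    samples = [("org-read", ORG_READ_POLICY), ("deny-delete", DENY_DELETE_POLICY),
               ("open-write", OPEN_WRITE_POLICY)]
    for name, policy in samples:
        print(name, lint_policy(policy) or "ok")
```

Run it against a policy file before submitting the policy; the two page examples come back clean, and the constructed open-write policy is reported for both its unconditioned wildcard principal and its wildcard action.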

Set a policy with the Cloud Console

  1. In the Cloud Console, navigate to Object Storage > Organization Policies.
  2. Click Create Policy.
  3. In the Create Policy page, enter the Policy Name.
  4. In the Statement section, enter the Name.
  5. Select the Effect, either Allow or Deny.
  6. Enter a Principal to which the policy applies, then click + at the right to add it to the policy.
    After clicking +, it should appear below the field:
    Multiple Principals can be added by entering them and clicking + again.
  7. Enter an Action, such as s3:GetObject or s3:PutObject, then click + to add it to the policy. Multiple actions can be added.
  8. Enter the Resource to which the policy applies, then click + to add it to the policy. Multiple resources can be added. A completed example Statement section looks like this:
  9. Click Add Statement. You'll see the statement added to the policy with edit and delete icons.
    You can click the edit icon to change the statement, or the delete icon to remove the statement from the policy.
  10. Click Submit to create the policy.

View an existing policy

To view an existing policy, navigate to Object Storage > Organization Policies, then click the policy name. This is the policy created in the prior section.

Example
{
  "name": "my-new-policy",
  "version": "v1alpha1",
  "statements": [
    {
      "name": "s3-api-access",
      "effect": "Allow",
      "actions": [
        "s3:*"
      ],
      "resources": [
        "*"
      ],
      "principals": [
        "*"
      ]
    }
  ]
}

Edit or delete an existing policy

To edit or delete the policy, click the More icon to the right of the policy, then select Edit or Delete.

Edit returns you to the policy editor.

Delete requires confirmation:

Set a policy with CLI tools

The S3 PutBucketPolicy API call sets the policy for a bucket. Here is how bucket policies are set using different tools.

AWS CLI

Example command
$ aws s3api put-bucket-policy --bucket MyBucket --policy file://policy.json

s3cmd

Example command
$ s3cmd setpolicy FILE s3://BUCKET

Boto3

Example method
import boto3

# Credentials and the endpoint come from the usual AWS configuration or environment.
client = boto3.client('s3')

response = client.put_bucket_policy(
    Bucket='examplebucket',
    Policy='{"Version": "2012-10-17", "Statement": [{ "Sid": "id-1","Effect": "Allow","Principal": {"AWS": "arn:aws:iam::123456789012:root"}, "Action": [ "s3:PutObject","s3:PutObjectAcl"], "Resource": ["arn:aws:s3:::acl3/*" ] } ]}',
)
print(response)
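Hand-written JSON strings like the one in the Boto3 call above are easy to get subtly wrong. The following is an added example, not code from the CoreWeave documentation or from boto3, that builds the organization-wide read policy from this page as a Python dict, submits it with PutBucketPolicy, and then reads it back with GetBucketPolicy to confirm what the service stored. The bucket name and org ID are placeholders, and the client argument is any object exposing boto3's put_bucket_policy and get_bucket_policy methods, so a real boto3 S3 client can be passed in.

```python
import json


def build_org_read_policy(bucket: str, org_id: str) -> dict:
    """Organization-wide read policy in the same shape as the first example
    policy on this page, built as a dict so it is never hand-edited JSON."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetObject",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"cw:PrincipalOrgID": [org_id]}},
        }],
    }


def apply_bucket_policy(client, bucket: str, policy: dict) -> dict:
    """Serialize `policy`, submit it with PutBucketPolicy, then read it back
    with GetBucketPolicy and return the stored policy as a dict. Raises if
    what the service stored is not what was sent. `client` is any object with
    boto3's put_bucket_policy/get_bucket_policy methods."""
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))
    # GetBucketPolicy returns the policy document as a JSON string.
    stored = json.loads(client.get_bucket_policy(Bucket=bucket)["Policy"])
    if stored != policy:
        raise RuntimeError(f"stored policy for {bucket} differs from the submitted one")
    return stored


if __name__ == "__main__":
    import boto3  # credentials and endpoint come from the usual AWS config/environment

    # Placeholders (assumed): substitute your bucket name and organization ID.
    s3 = boto3.client("s3")
    print(apply_bucket_policy(s3, "my-bucket", build_org_read_policy("my-bucket", "<org-id>")))
```

The read-back compares parsed documents, so whitespace differences do not matter; if the service rewrites the document (for example, turning a single Action string into a list), loosen the comparison accordingly rather than dropping the check.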

Roles for bucket policies

Roles can be used in bucket policies to specify a set of permissions for a user or group of users. Roles are defined in the Principal field of the policy (for example, arn:aws:iam::123456789012:coreweave/JeanDoe in the Deny policy above). The following table describes the fields used to define roles in a bucket policy.

| Value | Description |
| --- | --- |
| org-id | A static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field, you can substitute a variable like cw:ResourceOrgId for the actual value. |
| principal-provider | Specifies where the principal came from. For example, the principal-provider for a SAML integration would be saml; it would be coreweave for a user inside CoreWeave's cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles. |
| principal-name | Identifies the actual actor from the specified provider. For example, if the principal-provider is saml, the name is the value of the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user's UID, which is found in that user's Settings in Cloud Console. |
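To make the three fields concrete, here is an added example (not code from the CoreWeave documentation) that splits a principal ARN into org-id, principal-provider and principal-name, rebuilds it, and groups every named principal in a policy by provider so a reviewer can see which identity sources the policy trusts. It assumes the layout arn:aws:iam::<org-id>:<principal-provider>/<principal-name>, inferred from the example principal used on this page and the table above; that layout is an assumption, not a format statement from the docs. The sample policy in the main block is constructed from the page's Deny example.

```python
import re
from typing import Dict, List, NamedTuple

# Assumed principal layout, inferred from the example principal on this page
# ("arn:aws:iam::123456789012:coreweave/JeanDoe") and the table's three fields;
# it is not a format statement taken from the documentation:
#   arn:aws:iam::<org-id>:<principal-provider>/<principal-name>
_PRINCIPAL_RE = re.compile(
    r"^arn:aws:iam::(?P<org_id>[^:]+):(?P<provider>[^/]+)/(?P<name>.+)$"
)


class Principal(NamedTuple):
    org_id: str
    provider: str  # e.g. "coreweave" or "saml", as in the table above
    name: str


def is_named_principal(arn: str) -> bool:
    """True for a provider/name principal, False for wildcards or other forms."""
    return _PRINCIPAL_RE.match(arn) is not None


def parse_principal(arn: str) -> Principal:
    """Split a principal ARN into its org-id, principal-provider and
    principal-name fields; raise ValueError for anything else (e.g. "*")."""
    match = _PRINCIPAL_RE.match(arn)
    if match is None:
        raise ValueError(f"not a provider/name principal: {arn!r}")
    return Principal(match["org_id"], match["provider"], match["name"])


def format_principal(principal: Principal) -> str:
    """Inverse of parse_principal."""
    return f"arn:aws:iam::{principal.org_id}:{principal.provider}/{principal.name}"


def principals_by_provider(policy: dict) -> Dict[str, List[str]]:
    """Group every named principal in a policy by provider, skipping "*".
    Raises ValueError on a principal it cannot parse, so unexpected forms
    are surfaced rather than silently ignored."""
    grouped: Dict[str, List[str]] = {}
    for statement in policy.get("Statement", []):
        principal = statement.get("Principal", {})
        arns = principal.get("AWS", []) if isinstance(principal, dict) else principal
        for arn in ([arns] if isinstance(arns, str) else arns):
            if arn == "*":
                continue
            parsed = parse_principal(arn)
            grouped.setdefault(parsed.provider, []).append(parsed.name)
    return grouped


if __name__ == "__main__":
    # Constructed policy reusing the Deny example from this page.
    sample = {"Version": "2012-10-17", "Statement": [{
        "Sid": "statement", "Effect": "Deny",
        "Principal": {"AWS": "arn:aws:iam::123456789012:coreweave/JeanDoe"},
        "Action": ["s3:DeleteObject"], "Resource": ["arn:aws:s3:::my-bucket/*"],
    }]}
    print(parse_principal("arn:aws:iam::123456789012:coreweave/JeanDoe"))
    print(principals_by_provider(sample))  # {'coreweave': ['JeanDoe']}
```

Because a SAML principal-name is whatever the PrincipalName attribute carries, grouping by provider is also a quick way to confirm that a policy only names providers you actually federate with.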