Bucket Policy
CoreWeave AI Object Storage bucket policies define the access rules for buckets and objects. Each policy is a JSON object that contains a series of elements:
- Version: Defines the policy language version.
- Statement: This main element container can include multiple policy statements.
- Sid: Optional ID to differentiate between statements.
- Effect: Indicates if the policy allows or denies access.
- Principal: The principals this policy applies to.
- Action: A list of actions that the policy allows or denies.
- Resource: The resources this policy applies to.
- Condition: Circumstances under which the policy grants permission.
This reference guide describes each element, along with a mapping of API calls to required actions that must be allowed.
Policy details
Version

`Version` is required. It defines the version of the policy language used. Use `2012-10-17` for all policies. Some old policies use `2008-10-17`. Any other value is invalid.

Version example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": { ... }
    }
  ]
}
```
Statement

`Statement` is required. It's the main policy element that defines the access rules for buckets and objects. It can contain a single policy statement or an array of them. Each statement is enclosed in curly braces, and an array of statements is enclosed in square brackets.

Statement example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": { ... }
    },
    { ... },
    { ... }
  ]
}
```
Sid

`Sid` (Statement ID) is optional. It's a short, human-readable identifier for the policy statement, which is useful for tracking and managing policies. Each `Statement` in an array of statements can have an assigned `Sid`. Each `Sid` must be unique within the JSON policy and may consist only of ASCII letters (uppercase or lowercase) and digits.

Sid example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": { ... }
    }
  ]
}
```
Effect

`Effect` is required. It specifies whether the statement allows or denies the action. The valid options are `Allow` or `Deny`, and these are case-sensitive. By default, access to resources is denied. To allow access to a resource, you must set the `Effect` element to `Allow`. To override an allow that is otherwise in force, set the `Effect` element to `Deny`.

Effect example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": { ... }
    }
  ]
}
```
Principal / NotPrincipal

Either `Principal` or `NotPrincipal` is required; they cannot be used together. The key can be either `"AWS"` or `"CW"`, and the value is an ARN (Amazon Resource Name).

Use `Principal` to specify the user, role, or group this policy applies to.

Use `NotPrincipal` to deny access to everyone except the principal specified. Using it with `"Effect": "Allow"` is not supported.

Important: Troubleshooting the side-effects of `NotPrincipal` can be difficult. We strongly recommend using options such as `Condition` instead.

Principal example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": {"CW": "arn:aws:iam:::user/<ORG>:<USER>"},
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": { ... }
    }
  ]
}
```
Action / NotAction

Either `Action` or `NotAction` is required; they cannot be used together.

Use `Action` to list the specific actions that are allowed or denied.

Use `NotAction` to match every action except the ones listed.

Wildcards such as `s3:*` are allowed to match multiple actions. Be careful when combining `NotAction` and `"Effect": "Allow"` in the same policy, because it can grant users more permissions than intended. See the list of API calls and required actions below to determine which actions must be allowed for each API call.

Action example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": ["s3:ListBucket", "s3:GetObject"],
      "Resource": [ ... ],
      "Condition": { ... }
    }
  ]
}
```
Resource / NotResource

Either `Resource` or `NotResource` is required; they cannot be used together.

Use `Resource` to apply the policy to the listed resources.

Use `NotResource` to apply the policy to all resources except the ones listed.

Use ARN format to specify resources. The wildcards `*` and `?` are allowed within each colon-separated ARN segment. Wildcards do not extend past colon boundaries.

Important: Do not use `NotResource` in tandem with `"Effect": "Allow"` and `"Action": "*"`, because this allows all actions on all resources except those listed.

Resource example

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": [ ... ],
      "Resource": [
        "arn:aws:s3:::my-bucket/my-key-name",
        "arn:aws:s3:::???-bucket/*/test"
      ],
      "Condition": { ... }
    }
  ]
}
```
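The structural rules and the two "Important" warnings above are easy to check before a policy is applied. The following linter is an added example written for this page, not a CoreWeave tool; it encodes only the rules stated in the Version, Statement, Sid, Effect, Principal, Action and Resource sections, and the sample policy it checks is constructed with placeholder ARNs.

```python
"""Static checks for a bucket policy document (added example, not CoreWeave tooling).

Rules encoded, all taken from the element reference above:
- Version must be 2012-10-17 (legacy 2008-10-17 also accepted); anything else is invalid.
- Statement is required; each Sid must be unique and ASCII letters/digits only.
- Effect must be exactly "Allow" or "Deny" (case-sensitive).
- Exactly one of Principal/NotPrincipal, Action/NotAction, Resource/NotResource per statement.
- NotPrincipal with Allow is unsupported; NotAction with Allow and
  NotResource with Allow + Action "*" are flagged as over-broad.
"""
import json
import re

SID_RE = re.compile(r"^[A-Za-z0-9]+$")
VALID_VERSIONS = {"2012-10-17", "2008-10-17"}


def _as_list(value):
    """Policy elements accept either a single string or a list of strings."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _check_pair(stmt, key, problems, where):
    """Exactly one of <key> / Not<key> must be present in the statement."""
    has, has_not = key in stmt, "Not" + key in stmt
    if has and has_not:
        problems.append(f"{where}: {key} and Not{key} cannot be used together")
    elif not has and not has_not:
        problems.append(f"{where}: either {key} or Not{key} is required")


def lint_policy(policy):
    """Return a list of problem strings; an empty list means the policy passed."""
    problems = []
    if policy.get("Version") not in VALID_VERSIONS:
        problems.append(f"Version must be 2012-10-17 (or legacy 2008-10-17), got {policy.get('Version')!r}")
    statements = _as_list(policy.get("Statement"))
    if not statements:
        problems.append("Statement is required")
    seen_sids = set()
    for i, stmt in enumerate(statements):
        where = f"Statement[{i}]"
        sid = stmt.get("Sid")
        if sid is not None:
            where = f"Statement[{i}] ({sid})"
            if not SID_RE.match(str(sid)):
                problems.append(f"{where}: Sid may only contain ASCII letters and digits")
            if sid in seen_sids:
                problems.append(f"{where}: duplicate Sid")
            seen_sids.add(sid)
        effect = stmt.get("Effect")
        if effect not in ("Allow", "Deny"):  # case-sensitive by specification
            problems.append(f"{where}: Effect must be exactly 'Allow' or 'Deny'")
        for key in ("Principal", "Action", "Resource"):
            _check_pair(stmt, key, problems, where)
        if effect == "Allow":
            if "NotPrincipal" in stmt:
                problems.append(f"{where}: NotPrincipal with Effect Allow is not supported")
            if "NotAction" in stmt:
                problems.append(f"{where}: NotAction with Effect Allow may grant more than intended")
            if "NotResource" in stmt and "*" in _as_list(stmt.get("Action")):
                problems.append(f"{where}: NotResource with Allow and Action '*' allows every action on every unlisted resource")
    return problems


# Constructed sample: placeholder ARNs in the page's arn:aws:iam:::user/<ORG>:<USER> shape.
RISKY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "read-only", "Effect": "Allow",
    "Principal": {"CW": "arn:aws:iam:::user/example-org:reader"},
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::my-bucket/*"]},
   {"Sid": "Wide", "Effect": "Allow",
    "Principal": {"CW": "arn:aws:iam:::user/example-org:reader"},
    "Action": "*", "NotResource": ["arn:aws:s3:::my-bucket/secret/*"]}
 ]}
""")

if __name__ == "__main__":
    for problem in lint_policy(RISKY_POLICY):
        print(problem)
```

Run against the constructed policy, the linter reports two findings: the hyphen in the first `Sid`, and the `NotResource` + `Allow` + `"Action": "*"` combination the page warns about in the second statement.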
Condition

`Condition` is optional. A `Condition` consists of an operator and a key with a value. The condition is evaluated against the request context to decide whether access is granted or denied.

Condition operators

The supported condition operators are:
- IpAddress: The specified IP address or range, such as 203.0.113.0/24
- NotIpAddress: All IP addresses except the specified address or range
- StringEquals: Exact, case-sensitive match
- StringNotEquals: Match all except the specified string, case-sensitive
- StringLike: Case-sensitive match allowing wildcards
- StringNotLike: Negated case-sensitive match allowing wildcards
- StringEqualsIgnoreCase: Exact match, ignores case
- StringNotEqualsIgnoreCase: Negated exact match, ignores case
- Null: Check for an absent condition key

Condition keys

The supported condition keys are:
- cw:PrincipalArn: The principal, formatted as `arn:partition:service:region:account-id:[resource-type/]resource-id`
- cw:ResourceArn: The resource ARN of the request.
- cw:ResourceOrgCloudID: The cloud-id of the owner of the resource.
- cw:PrincipalOrgCloudID: The cloud-id of the principal.
- cw:SourceIP: The source IP address of the request.
- cw:Bucket: The bucket name of the request.

Condition example

In this example, `IpAddress` is the operator and `"cw:SourceIP": "203.0.113.0/24"` is the key with its value.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "UniquePolicyName",
      "Effect": "Allow",
      "Principal": { ... },
      "Action": [ ... ],
      "Resource": [ ... ],
      "Condition": {
        "IpAddress": {
          "cw:SourceIP": "203.0.113.0/24"
        }
      }
    }
  ]
}
```
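To see how the elements above combine at evaluation time (default deny, an explicit Deny overriding an Allow, the `Not*` inversions, per-segment ARN wildcards and the condition operators), here is a small offline evaluator. It is an added example written for this page, not CoreWeave's evaluation engine: the request-dictionary shape, the placeholder ARNs and the AWS-style `"true"`/`"false"` value for the `Null` operator are this example's own assumptions, and a bare `"*"` pattern is treated as match-all because the page's `"Action": "*"` usage implies that.

```python
"""Offline evaluator for the bucket-policy semantics described on this page.
Added example, not CoreWeave's engine; request shape, ARNs and the Null
operator's "true"/"false" convention are assumptions of this example."""
import ipaddress
import re


def _wild_regex(pattern):
    """Translate a '*' / '?' glob into a regular expression (used with fullmatch)."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def segment_match(pattern, value):
    """Match per colon-separated segment; a wildcard never crosses a colon.
    Assumption: a bare "*" means match-all, as the page's "Action": "*" implies."""
    if pattern == "*":
        return True
    p_parts, v_parts = pattern.split(":"), value.split(":")
    if len(p_parts) != len(v_parts):
        return False
    return all(re.fullmatch(_wild_regex(p), v) for p, v in zip(p_parts, v_parts))


def _listed(obj, key):
    """Elements accept a single string or a list; normalise to a list."""
    v = obj.get(key)
    return [] if v is None else (v if isinstance(v, list) else [v])


def _principal_arns(spec):
    """Flatten {"AWS" | "CW": arn-or-list} into a list of ARN patterns."""
    return [a for vals in spec.values() for a in (vals if isinstance(vals, list) else [vals])]


def _condition_ok(operator, key, expected, ctx):
    actual = ctx.get(key)
    expected = expected if isinstance(expected, list) else [expected]
    if operator == "Null":  # "true": key must be absent; "false": key must be present
        return (actual is None) == (str(expected[0]).lower() == "true")
    if actual is None:
        return False
    if operator in ("IpAddress", "NotIpAddress"):
        hit = any(ipaddress.ip_address(actual) in ipaddress.ip_network(e, strict=False) for e in expected)
    elif operator in ("StringEquals", "StringNotEquals"):
        hit = actual in expected
    elif operator in ("StringEqualsIgnoreCase", "StringNotEqualsIgnoreCase"):
        hit = actual.lower() in {e.lower() for e in expected}
    elif operator in ("StringLike", "StringNotLike"):
        hit = any(re.fullmatch(_wild_regex(e), actual) for e in expected)
    else:
        raise ValueError(f"unsupported condition operator: {operator}")
    return (not hit) if "Not" in operator else hit


def statement_matches(stmt, req):
    """True when every element of the statement applies to this request."""
    if "Principal" in stmt:
        if not any(segment_match(p, req["principal"]) for p in _principal_arns(stmt["Principal"])):
            return False
    elif any(segment_match(p, req["principal"]) for p in _principal_arns(stmt["NotPrincipal"])):
        return False  # NotPrincipal: everyone except the listed principals
    # With Action the request must hit the list; with NotAction it must not. Same for Resource.
    for key in ("Action", "Resource"):
        patterns = _listed(stmt, key) + _listed(stmt, "Not" + key)
        hit = any(segment_match(p, req[key.lower()]) for p in patterns)
        if (key in stmt) != hit:
            return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for cond_key, expected in pairs.items():
            if not _condition_ok(operator, cond_key, expected, req["context"]):
                return False
    return True


def evaluate(policy, req):
    """Default deny; any matching Deny wins over any matching Allow."""
    effects = [s["Effect"] for s in _listed(policy, "Statement") if statement_matches(s, req)]
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "Deny"


# Constructed sample data: placeholder ARNs in the page's arn:aws:iam:::user/<ORG>:<USER> shape.
DEV = "arn:aws:iam:::user/example-org:dev-user"
ADMIN = "arn:aws:iam:::user/example-org:admin-user"
BUCKET = "arn:aws:s3:::my-bucket"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "DevFromOffice", "Effect": "Allow", "Principal": {"CW": DEV}, "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"], "Condition": {"IpAddress": {"cw:SourceIP": "203.0.113.0/24"}}},
        {"Sid": "AdminAll", "Effect": "Allow", "Principal": {"CW": ADMIN}, "Action": "s3:*",
         "Resource": [BUCKET, BUCKET + "/*"]},
        # Deny deletes for everyone except the admin: the supported NotPrincipal + Deny form.
        {"Sid": "NoDeleteExceptAdmin", "Effect": "Deny", "NotPrincipal": {"CW": ADMIN},
         "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"], "Resource": BUCKET + "/*"},
    ],
}


def request(principal, action, resource, source_ip):
    """Build a request in the shape evaluate() expects (an assumption of this example)."""
    return {"principal": principal, "action": action, "resource": resource,
            "context": {"cw:PrincipalArn": principal, "cw:ResourceArn": resource,
                        "cw:SourceIP": source_ip, "cw:Bucket": "my-bucket"}}


if __name__ == "__main__":
    obj = BUCKET + "/data/report.csv"
    for who, act, ip in [(DEV, "s3:GetObject", "203.0.113.10"), (DEV, "s3:GetObject", "198.51.100.5"),
                         (DEV, "s3:DeleteObject", "203.0.113.10"), (ADMIN, "s3:DeleteObject", "198.51.100.5")]:
        print(who.rsplit(":", 1)[1], act, ip, "->", evaluate(POLICY, request(who, act, obj, ip)))
```

The four sample requests show the rules in order: the developer reads from the office range (allowed), reads from elsewhere (denied, because no statement matches), deletes from the office range (denied, because the explicit Deny overrides the `s3:*` Allow), and the admin deletes from anywhere (allowed, because `NotPrincipal` excludes the admin from the Deny). The `segment_match` helper also makes the page's colon-boundary rule concrete: `arn:aws:s3:::my-bucket/*` cannot match an ARN with a different number of segments.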
Required policies
Each API call requires permission to perform one or more related actions, and the action names do not always match the API call names. Some API calls perform multiple actions and therefore require permission for each of them. For example, copying an object requires permission for both the `s3:PutObject` and `s3:GetObject` actions.

Use the permission mapping below when planning bucket policies. See Object Storage API Features for a complementary list of API calls mapped to their associated actions.
| Required action permission | API call |
|---|---|
| s3:AbortMultipartUpload | s3:AbortMultiPartUpLoad |
| s3:CreateBucket | s3:CreateBucket |
| s3:DeleteBucket | s3:DeleteBucket |
| s3:DeleteObject | s3:DeleteObject, s3:DeleteObjects |
| s3:DeleteObjectTagging | s3:DeleteObjectTagging |
| s3:DeleteObjectVersion | s3:DeleteObjects |
| s3:DeleteLifecycleConfiguration | s3:DeleteBucketLifeCycle |
| s3:DeleteBucketPolicy | s3:DeleteBucketPolicy |
| s3:DeleteBucketTagging | s3:DeleteBucketTagging |
| s3:GetLifecycleConfiguration | s3:GetBucketLifecycleConfiguration |
| s3:GetBucketLocation | s3:GetBucketLocation |
| s3:GetBucketPolicy | s3:GetBucketPolicy |
| s3:GetBucketTagging | s3:GetBucketTagging |
| s3:GetBucketVersioning | s3:GetBucketVersioning |
| s3:GetObject | s3:CopyObject, s3:GetObject, s3:GetObjectAcl, s3:GetObjectAttributes, s3:HeadObject, s3:UploadPartCopy |
| s3:GetObjectTagging | s3:GetObjectTagging |
| s3:ListAllMyBuckets | s3:ListBuckets |
| s3:ListBucket | s3:GetBucketACL, s3:HeadBucket, s3:ListObjectsV2, s3:ListObjectVersions |
| s3:ListMultipartUploadParts | s3:ListParts |
| s3:ListBucketMultipartUploads | s3:ListMultiPartUploads |
| s3:PutLifecycleConfiguration | s3:PutBucketLifecycleConfiguration |
| s3:PutBucketPolicy | s3:PutBucketPolicy (if no policy exists, permission to create a new policy is granted when the user's Org ID matches the bucket's organization) |
| s3:PutBucketTagging | s3:PutBucketTagging |
| s3:PutBucketVersioning | s3:PutBucketVersioning |
| s3:PutObject | s3:CompleteMultiPartUpLoad, s3:CopyObject, s3:CreateMultiPartUpLoad, s3:PutObject, s3:UploadPart, s3:UploadPartCopy |
| s3:PutObjectTagging | s3:PutObjectTagging |
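The table is indexed by action, but when writing a least-privilege policy you usually start from the API calls a workload makes and need the inverse: every action each call requires, with calls such as CopyObject or DeleteObjects expanding to more than one. The following helper is an added example, not CoreWeave tooling; it transcribes the table above, inverts it, and reports which required actions a proposed `Action` list (wildcards included) fails to cover. The workload call lists it is run on are constructed.

```python
"""Check a proposed Action list against the API calls a workload makes
(added example, not CoreWeave tooling; mapping transcribed from the table above)."""
import re

# Required action -> API calls it authorises, exactly as listed in the table above.
ACTION_TO_API_CALLS = {
    "s3:AbortMultipartUpload": ["s3:AbortMultiPartUpLoad"],
    "s3:CreateBucket": ["s3:CreateBucket"],
    "s3:DeleteBucket": ["s3:DeleteBucket"],
    "s3:DeleteObject": ["s3:DeleteObject", "s3:DeleteObjects"],
    "s3:DeleteObjectTagging": ["s3:DeleteObjectTagging"],
    "s3:DeleteObjectVersion": ["s3:DeleteObjects"],
    "s3:DeleteLifecycleConfiguration": ["s3:DeleteBucketLifeCycle"],
    "s3:DeleteBucketPolicy": ["s3:DeleteBucketPolicy"],
    "s3:DeleteBucketTagging": ["s3:DeleteBucketTagging"],
    "s3:GetLifecycleConfiguration": ["s3:GetBucketLifecycleConfiguration"],
    "s3:GetBucketLocation": ["s3:GetBucketLocation"],
    "s3:GetBucketPolicy": ["s3:GetBucketPolicy"],
    "s3:GetBucketTagging": ["s3:GetBucketTagging"],
    "s3:GetBucketVersioning": ["s3:GetBucketVersioning"],
    "s3:GetObject": ["s3:CopyObject", "s3:GetObject", "s3:GetObjectAcl", "s3:GetObjectAttributes",
                     "s3:HeadObject", "s3:UploadPartCopy"],
    "s3:GetObjectTagging": ["s3:GetObjectTagging"],
    "s3:ListAllMyBuckets": ["s3:ListBuckets"],
    "s3:ListBucket": ["s3:GetBucketACL", "s3:HeadBucket", "s3:ListObjectsV2", "s3:ListObjectVersions"],
    "s3:ListMultipartUploadParts": ["s3:ListParts"],
    "s3:ListBucketMultipartUploads": ["s3:ListMultiPartUploads"],
    "s3:PutLifecycleConfiguration": ["s3:PutBucketLifecycleConfiguration"],
    "s3:PutBucketPolicy": ["s3:PutBucketPolicy"],
    "s3:PutBucketTagging": ["s3:PutBucketTagging"],
    "s3:PutBucketVersioning": ["s3:PutBucketVersioning"],
    "s3:PutObject": ["s3:CompleteMultiPartUpLoad", "s3:CopyObject", "s3:CreateMultiPartUpLoad",
                     "s3:PutObject", "s3:UploadPart", "s3:UploadPartCopy"],
    "s3:PutObjectTagging": ["s3:PutObjectTagging"],
}

# Inverted index: API call -> the set of actions that must ALL be allowed for it.
API_CALL_TO_ACTIONS = {}
for _action, _calls in ACTION_TO_API_CALLS.items():
    for _call in _calls:
        API_CALL_TO_ACTIONS.setdefault(_call, set()).add(_action)


def required_actions(api_calls):
    """Sorted, de-duplicated actions needed for the given API calls; unknown calls raise."""
    unknown = [c for c in api_calls if c not in API_CALL_TO_ACTIONS]
    if unknown:
        raise KeyError(f"no action mapping for API calls: {unknown}")
    return sorted({a for c in api_calls for a in API_CALL_TO_ACTIONS[c]})


def action_allowed(pattern, action):
    """'*' / '?' match within one colon-separated segment only; a bare '*' matches everything."""
    if pattern == "*":
        return True
    p_parts, a_parts = pattern.split(":"), action.split(":")
    if len(p_parts) != len(a_parts):
        return False
    regex = lambda p: "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in p)
    return all(re.fullmatch(regex(p), a) for p, a in zip(p_parts, a_parts))


def missing_actions(allowed_patterns, api_calls):
    """Required actions for api_calls that no entry of the proposed Action list covers."""
    return [a for a in required_actions(api_calls)
            if not any(action_allowed(p, a) for p in allowed_patterns)]


if __name__ == "__main__":
    # Constructed workload: a sync job that lists, copies and bulk-deletes objects.
    workload = ["s3:ListObjectsV2", "s3:CopyObject", "s3:DeleteObjects"]
    proposed = ["s3:ListBucket", "s3:GetObject", "s3:DeleteObject"]
    print("required:", required_actions(workload))
    print("missing from proposed Action list:", missing_actions(proposed, workload))
```

For the constructed sync workload, the proposed list misses `s3:PutObject` (needed by CopyObject) and `s3:DeleteObjectVersion` (needed by DeleteObjects), which is exactly the kind of gap that only shows up at runtime if the policy is written from the API call names alone.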