AI Object Storage API
Manage organization-wide access policies, bucket settings, and access keys
Users with administrative permissions can interact with the CoreWeave AI Object Storage API using curl or any other HTTP client. The AI Object Storage API allows users to set organization-wide access policies, configure bucket settings, and manage access keys.
CoreWeave AI Object Storage is an S3-compatible object storage solution with two APIs:
- The S3 API is used for operations like uploading objects.
- The AI Object Storage API is used for tasks outside the S3 API command set, like creating access keys from SAML assertions.
Summary
This table lists the available endpoints for the CoreWeave AI Object Storage API. Click an action for detailed information.
- The API server is
https://api.coreweave.com. - Replace
{API_ACCESS_TOKEN}in the examples below with your CoreWeave API access token.
| Action | Method | Endpoint | Description |
|---|---|---|---|
| CreateAccessKeyFromJWT | POST | /v1/cwobject/access-key | Create an access key via a Cloud token. |
| ListAccessKeyInfo | GET | /v1/cwobject/access-key | List information about all access keys. |
| GetAccessKeyInfo | GET | /v1/cwobject/access-key/{accessKeyId} | Get information about a specific access key. |
| ListAccessPolicies | GET | /v1/cwobject/access-policy | List all Object Storage access policies in the organization. |
| EnsureAccessPolicy | POST | /v1/cwobject/access-policy | Apply or update access policies. |
| DeleteAccessPolicy | DELETE | /v1/cwobject/access-policy/{policy-name} | Delete an access policy. |
| SetBucketSettings | PUT | /v1/cwobject/bucket/settings | Configure bucket settings that aren't exposed in the S3 API. |
| ListBucketInfo | GET | /v1/cwobject/bucket-info | List information about all buckets. |
| GetBucketInfo | GET | /v1/cwobject/bucket-info/{bucketName} | Get information about a specific bucket. |
| SetOrganizationSettings | PUT | /v1/cwobject/organization/settings | Configure settings related to your organization and CoreWeave AI Object Storage. |
| RevokeAccessKeyByAccessKey | POST | /v1/cwobject/revoke-access-key/access-key | Revoke a specific access key. |
| RevokeAccessKeysByPrincipal | POST | /v1/cwobject/revoke-access-key/principal | Revoke all access keys for a principal. |
| CreateAccessKeyFromSAML | POST | /v1/cwobject/temporary-credentials/saml | Generate temporary access keys for CoreWeave AI Object Storage access via a SAML assertion. |
CreateAccessKeyFromJWT
| Method | Endpoint |
|---|---|
| POST | /v1/cwobject/access-key |
Generate an access key via a Cloud token. Access keys are time-limited or permanent, depending on the value of durationSeconds passed in the JSON object.
The durationSeconds field is required.
To create a permanent access key, set durationSeconds to 0.
{"durationSeconds": 0}
To create a temporary access key, specify the duration in seconds.
{"durationSeconds": 300}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the generated access key.
{"accessKeyID": "CWABCDEFGHIJKLMN","expiry": "1970-01-15T01:01:01Z","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","secretKey": "cwo1234567890abcdefghijklmnopqrstuvwxyz1234"}
ListAccessKeyInfo
| Method | Endpoint |
|---|---|
| GET | /v1/cwobject/access-key |
List information about all access keys.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all access keys and their details.
{"info": [{"accessKeyId": "CWABCDEFGHIJKLMN","status": "string","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","attributes": {"property1": "string","property2": "string"},"expiry": "2019-08-24T14:15:22Z","orgId": "abc123"}]}
GetAccessKeyInfo
| Method | Endpoint |
|---|---|
| GET | /v1/cwobject/access-key/{accessKeyId} |
Get information about a specific access key. Provide the {accessKeyId} to retrieve as shown.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-key/{accessKeyId} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns the details for the requested access key.
{"info": {"accessKeyId": "CWABCDEFGHIJKLMN","status": "string","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","attributes": {"property1": "string","property2": "string"},"expiry": "2019-08-24T14:15:22Z","orgId": "abc123"}}
ListAccessPolicies
| Method | Endpoint |
|---|---|
| GET | /v1/cwobject/access-policy |
List all Object Storage access policies in the organization, which define who can access the storage and what actions they can perform.
$curl -X GET https://api.coreweave.com/v1/cwobject/access-policy \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all access policies.
{"policies": [{"version": "v1alpha1","name": "string","statements": [{"name": "string","effect": "Allow","actions": ["s3:CreateBucket"],"resources": ["string"],"principals": ["string"]}]}]}
EnsureAccessPolicy
| Method | Endpoint |
|---|---|
| POST | /v1/cwobject/access-policy |
Apply or update access policies that define who can access the storage and what actions they can perform.
Just as with bucket policies, CoreWeave supports all actions that take place inside access policies. However, within access policies we also support the following set of cwobject:* actions:
cwobject:CreateAccessKeycwobject:CreateAccessKeySAMLcwobject:RevokeAccessKeyByAccessKeycwobject:RevokeAccessKeysByPrincipalcwobject:EnsureAccessPolicycwobject:DeleteAccessPolicycwobject:ListAccessPolicycwobject:EnableBucketAuditLoggingcwobject:DisableBucketAuditLoggingcwobject:EnableControlPlaneAuditLoggingcwobject:DisableControlPlaneAuditLoggingcwobject:EnableBucketAuditLoggingDefaultcwobject:DisableBucketAuditLoggingDefault
Please note: cwobject actions must be used with "*" as the resource value.
Supply the policy as a JSON object in the request body. To allow all actions on all resources for all principals, save the following JSON object as data.json.
{"policy": {"version": "v1alpha1","name": "test-policy","statements": [{"name": "allow-everything","effect": "Allow","actions": ["*"],"resources": ["*"],"principals": ["*"]}]}}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/access-policy \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
DeleteAccessPolicy
| Method | Endpoint |
|---|---|
| DELETE | /v1/cwobject/access-policy/{policy-name} |
Delete an access policy. Provide the {policy-name} to delete as shown.
$curl -X DELETE https://api.coreweave.com/v1/cwobject/access-policy/{policy-name} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns an empty object.
{}
SetBucketSettings
| Method | Endpoint |
|---|---|
| PUT | /v1/cwobject/bucket/settings |
Configure bucket settings that aren't exposed in the S3 API. Supply the bucket settings as a JSON object in the request body. To enable audit logging for a bucket, save the following JSON object as data.json.
{"bucketName": "string","settings": {"auditLoggingEnabled": true}}
Submit the request, passing the JSON object in the body as data.json.
$curl -X PUT https://api.coreweave.com/v1/cwobject/bucket/settings \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the updated bucket settings.
{"settings": {"auditLoggingEnabled": true}}
ListBucketInfo
| Method | Endpoint |
|---|---|
| GET | /v1/cwobject/bucket-info |
List information about all buckets.
$curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns a list of all buckets and their details.
{"info": [{"orgId": "abc123","name": "my-bucket","creationTime": "2019-08-24T14:15:22Z","settings": {"auditLoggingEnabled": true},"location": "string","usage": [{"measurementType": "string","value": "string","valueHumanReadable": "string"}]}]}
GetBucketInfo
| Method | Endpoint |
|---|---|
| GET | /v1/cwobject/bucket-info/{bucketName} |
Get information about a specific bucket. Provide the {bucketName} to retrieve as shown.
$curl -X GET https://api.coreweave.com/v1/cwobject/bucket-info/{bucketName} \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}"
A successful response returns the details for the requested bucket.
{"info": {"orgId": "abc123","name": "my-bucket","creationTime": "2019-08-24T14:15:22Z","settings": {"auditLoggingEnabled": true},"location": "string","usage": [{"measurementType": "string","value": "string","valueHumanReadable": "string"}]}}
SetOrganizationSettings
| Method | Endpoint |
|---|---|
| PUT | /v1/cwobject/organization/settings |
Configure settings related to your organization and CoreWeave AI Object Storage. Supply the organization settings as a JSON object in the request body. To enable audit logging for the control plane and buckets, save the following JSON object as data.json.
{"settings": {"controlPlaneAuditLoggingEnabled": true,"bucketAuditLoggingEnabled": true}}
Submit the request, passing the JSON object in the body as data.json.
$curl -X PUT https://api.coreweave.com/v1/cwobject/organization/settings \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the updated organization settings.
{"settings": {"controlPlaneAuditLoggingEnabled": true,"bucketAuditLoggingEnabled": true}}
RevokeAccessKeyByAccessKey
| Method | Endpoint |
|---|---|
| POST | /v1/cwobject/revoke-access-key/access-key |
Revoke a specific access key. To delete example-access-key create the following JSON object as data.json.
{"accessKey": "example-access-key"}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/access-key \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
RevokeAccessKeysByPrincipal
| Method | Endpoint |
|---|---|
| POST | /v1/cwobject/revoke-access-key/principal |
Revoke all access keys for a principal. To delete all access keys for coreweave/ueqXfgRCYGqptEXAMPLE1, create the following JSON object as data.json.
{"principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1"}
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/revoke-access-key/principal \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns an empty object.
{}
CreateAccessKeyFromSAML
| Method | Endpoint |
|---|---|
| POST | /v1/cwobject/temporary-credentials/saml |
Generate a time-limited access key for an Org ID. The maximum lifespan of the key is 43200 seconds (12 hours).
samlResponse must be Base64-encoded.
To generate temporary credentials with a 300-second lifespan and a SAML assertion from https://example.com/metadata/, create the following JSON object as data.json. The lifespan of the key is set by durationSeconds. In order to regenerate this ephemeral key, the SAML assertion must be re-submitted after durationSeconds has elapsed.
{"durationSeconds": 300,"orgId": "abc123","configId": "<WORKLOAD_FEDERATION_CONFIG_ID>","samlResponse": "<BASE64_ENCODED_SAML_RESPONSE>"}
configId values are generated via the Cloud Console by creating a Workload Federation configuration. See How to: Configure Workload Identity Federation for Object Storage.
Submit the request, passing the JSON object in the body as data.json.
$curl -X POST https://api.coreweave.com/v1/cwobject/temporary-credentials/saml \-H "Content-Type: application/json" \-H "Authorization: Bearer {API_ACCESS_TOKEN}" \-d @data.json
A successful response returns the generated credentials, for example:
{"accessKeyID": "CWABCDEFGHIJKLMN","expiry": "1970-01-15T01:01:01Z","principalName": "coreweave/ueqXfgRCYGqptEXAMPLE1","secretKey": "cwo1234567890abcdefghijklmnerkgnelrkwgnvwxyz1234"}