Chart reference: coreweave/pod-identity-webhook
Description: Configure pods to access CoreWeave AI Object Storage
This page describes the Pod Identity Webhook chart, which configures Pods on a CKS cluster to authenticate to CoreWeave AI Object Storage without managing static credentials. It covers what the webhook does, an example manifest that shows the autoinjected configuration, and the chart values you need to set when you install it.

About the Pod Identity Webhook

The Pod Identity Webhook is a deployment of the EKS Pod Identity Webhook configured to use CoreWeave’s OIDC Workload Federation feature. Instead of using AssumeRoleWithWebIdentity, it uses a lesser-known API called the Container Credential Provider. When installed, the webhook injects most of the variables needed to authenticate to AI Object Storage into any Pod that uses a Service Account with an annotation of caios.coreweave.com/inject: "true".

Example usage

The following example shows how the webhook injects authentication configuration into a Pod. If you apply the following manifest to a cluster with the webhook enabled, the resulting Pod has autoinjected configuration.
While the webhook handles all authentication, you still need to configure workloads to use Virtual Addressing Style. For examples, see Attaching endpoints.
test-pod.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    caios.coreweave.com/inject: "true"  # <-- This activates the webhook
  name: test
---
apiVersion: v1
kind: Pod
metadata:
  name: test-6cf468f7b7-2g4c7
spec:
  serviceAccountName: test
  initContainers:
  - name: aws-setup
    image: amazon/aws-cli:latest
    command:
    - sh
    args:
    - -c
    - |
        aws configure set default.s3.addressing_style virtual
        # Use https://cwobject.com if using from outside of a CKS Cluster
        aws configure set endpoint_url "http://cwlota.com"
    volumeMounts:
    - mountPath: /config
      name: aws-config
    env:
    - name: AWS_CONFIG_FILE
      value: /config/config
  containers:
  - name: awscli
    image: amazon/aws-cli:latest
    args:
    - s3
    - ls
    env:
    - name: AWS_CONFIG_FILE
      value: /aws/config
    volumeMounts:
    - mountPath: /aws
      name: aws-config
  volumes:
  - name: aws-config
    emptyDir: {}
The resulting Pod has autoinjected configuration, like the following example (some fields omitted for clarity):
created-pod-config.yaml
apiVersion: v1
kind: Pod
metadata:
  name: rclone-test-hj7cc
spec:
  containers:
  - args:
    - lsd
    - 'caios:'
    - -vv
    env:
    - name: RCLONE_CONFIG
      value: /config/rclone.conf
    - name: AWS_DEFAULT_REGION
      value: US-EAST-04A
    - name: AWS_REGION
      value: US-EAST-04A
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/[YOUR-ORG-ID]
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: /var/run/secrets/cks.coreweave.com/serviceaccount/cks-pod-identity-token
    image: rclone/rclone
    name: rclone
    volumeMounts:
    - mountPath: /config
      name: rclone-conf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-gzzsm
      readOnly: true
    - mountPath: /var/run/secrets/cks.coreweave.com/serviceaccount
      name: cks-pod-identity-token
      readOnly: true
  serviceAccountName: test
  volumes:
  - name: cks-pod-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: https://coreweave.com/iam
          expirationSeconds: 600
          path: cks-pod-identity-token
  - configMap:
      defaultMode: 420
      name: rclone-conf
    name: rclone-conf
  - name: kube-api-access-gzzsm
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace

Example chart configuration

The following section shows the values you set when you install the chart. To find the values for this configuration:
  • Find your CoreWeave Organization ID in the CoreWeave Console settings page.
  • Use one of the following regions supported by AI Object Storage to configure the webhook:
    • US-CENTRAL-05A
    • US-CENTRAL-06A
    • US-CENTRAL-07A
    • US-CENTRAL-08A
    • US-CENTRAL-08B
    Learn more about Regions and Availability Zones.
  • Find the audience value in your OIDC Workload Federation configuration.
pod-identity-webhook.yaml
config:
  # -- The CoreWeave Organization ID, a six-character hexadecimal string found in the CoreWeave Console settings page
  orgID: "cweeee"

  # -- The CoreWeave Availability Zone (AZ), used as an AWS Region
  # (glossary: https://docs.coreweave.com/glossary#availability-zone-az)
  # Example: US-EAST-04A
  # See the CoreWeave Docs on Regions and AZs: https://docs.coreweave.com/platform/regions/about-regions-and-azs
  region: "US-EAST-04A"

  # -- The Audience to be used for the projected token.
  # Must match the Audience requirement found in the Cloud Console
  # Workload Federation (OIDC) configuration.
  audience: https://coreweave.com/iam
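
The following is an added example, not part of the CoreWeave chart or documentation: a Python check that a container's spec carries the configuration shown in created-pod-config.yaml and agrees with the chart values above. The `EXPECTED` policy, the `audit_container` helper and the sample spec are constructed for illustration, and the 600-second ceiling is an assumed policy taken from the example Pod.

```python
from urllib.parse import urlparse

# Assumed policy for this example: chart values from this page plus a TTL ceiling.
EXPECTED = {"org_id": "cweeee", "region": "US-EAST-04A",
            "audience": "https://coreweave.com/iam", "max_ttl": 600}

def audit_container(ctr, volumes, expected=EXPECTED):
    """Return findings for one container dict; an empty list means it passes."""
    env = {e["name"]: e.get("value", "") for e in ctr.get("env", [])}
    # Static keys come earlier in the AWS SDK default credential chain and shadow the webhook.
    findings = [f"static credential {k} set in env"
                for k in ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY") if k in env]
    uri = urlparse(env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI", ""))
    if uri.scheme != "https" or uri.hostname != "api.coreweave.com":
        findings.append("credentials URI is not https://api.coreweave.com")
    elif not uri.path.endswith("/oidc/" + expected["org_id"]):
        findings.append("credentials URI is for a different org ID")
    if env.get("AWS_REGION") != expected["region"]:
        findings.append("AWS_REGION differs from chart region")
    # Resolve the token file to its volume mount, then to the projected source.
    token_file = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "")
    mount = next((m for m in ctr.get("volumeMounts", [])
                  if token_file.startswith(m["mountPath"] + "/")), None)
    if mount is None:
        return findings + ["token file is not under any volume mount"]
    if not mount.get("readOnly"):
        findings.append("token volume is mounted read-write")
    vol = next((v for v in volumes if v["name"] == mount["name"]), {})
    sat = next((s["serviceAccountToken"] for s in vol.get("projected", {}).get("sources", [])
                if "serviceAccountToken" in s), None)
    if sat is None:
        return findings + ["token volume has no projected serviceAccountToken"]
    if sat.get("audience") != expected["audience"]:
        findings.append("token audience differs from chart audience")
    if sat.get("expirationSeconds", 3600) > expected["max_ttl"]:  # 3600 is the default
        findings.append("token lifetime exceeds max_ttl")
    return findings

# Constructed sample mirroring created-pod-config.yaml (org ID from the chart values).
TOKEN_DIR = "/var/run/secrets/cks.coreweave.com/serviceaccount"
SAMPLE_CTR = {"name": "rclone", "env": [
    {"name": "AWS_REGION", "value": "US-EAST-04A"},
    {"name": "AWS_CONTAINER_CREDENTIALS_FULL_URI",
     "value": "https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/cweeee"},
    {"name": "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "value": TOKEN_DIR + "/cks-pod-identity-token"}],
    "volumeMounts": [{"name": "cks-pod-identity-token", "mountPath": TOKEN_DIR, "readOnly": True}]}
SAMPLE_VOLUMES = [{"name": "cks-pod-identity-token", "projected": {"sources": [
    {"serviceAccountToken": {"audience": "https://coreweave.com/iam",
                             "expirationSeconds": 600, "path": "cks-pod-identity-token"}}]}}]
print(audit_container(SAMPLE_CTR, SAMPLE_VOLUMES) or "no findings")
```

To audit a running Pod, pass one entry of `.spec.containers` and the `.spec.volumes` list from `kubectl get pod <name> -o json`.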
Last modified on June 10, 2026