Chart reference: coreweave/pod-identity-webhook
Description: Configure pods to access CoreWeave AI Object Storage

About the Pod Identity Webhook

The Pod Identity Webhook is a deployment of the EKS Pod Identity Webhook configured to use CoreWeave’s OIDC Workload Federation feature. Instead of using AssumeRoleWithWebIdentity, it uses a lesser-known API called the Container Credential Provider. When this webhook is installed, any pod which uses a Service Account with an annotation of caios.coreweave.com/inject: "true" will be injected with most of the variables needed to authenticate to CoreWeave AI Object Storage.

Example usage

As an example, if you apply the following manifest into a cluster with the webhook enabled, the resulting Pod will have auto-injected configuration.
While all authentication is handled by the webhook, workloads still need to be configured to use Virtual Addressing Style. See Attaching endpoints for examples.
test-pod.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    caios.coreweave.com/inject: "true"  # <-- This activates the webhook
  name: test
---
apiVersion: v1
kind: Pod
metadata:
  name: test-6cf468f7b7-2g4c7
spec:
  serviceAccountName: test
  initContainers:
  - name: aws-setup
    image: amazon/aws-cli:latest
    command:
    - sh
    args:
    - -c
    - |
        aws configure set default.s3.addressing_style virtual
        # Use https://cwobject.com if using from outside of a CKS Cluster
        aws configure set endpoint_url "http://cwlota.com"
    volumeMounts:
    - mountPath: /config
      name: aws-config
    env:
    - name: AWS_CONFIG_FILE
      value: /config/config
  containers:
  - name: awscli
    image: amazon/aws-cli:latest
    args:
    - s3
    - ls
    env:
    - name: AWS_CONFIG_FILE
      value: /aws/config
    volumeMounts:
    - mountPath: /aws
      name: aws-config
  volumes:
  - name: aws-config
    emptyDir: {}
The resulting Pod will have auto-injected configuration, like the following example (some fields omitted for clarity):
created-pod-config.yaml
apiVersion: v1
kind: Pod
metadata:
  name: rclone-test-hj7cc
spec:
  containers:
  - args:
    - lsd
    - 'caios:'
    - -vv
    env:
    - name: RCLONE_CONFIG
      value: /config/rclone.conf
    - name: AWS_DEFAULT_REGION
      value: US-EAST-04A
    - name: AWS_REGION
      value: US-EAST-04A
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/[YOUR-ORG-ID]
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: /var/run/secrets/cks.coreweave.com/serviceaccount/cks-pod-identity-token
    image: rclone/rclone
    name: rclone
    volumeMounts:
    - mountPath: /config
      name: rclone-conf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-gzzsm
      readOnly: true
    - mountPath: /var/run/secrets/cks.coreweave.com/serviceaccount
      name: cks-pod-identity-token
      readOnly: true
  serviceAccountName: test
  volumes:
  - name: cks-pod-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: https://coreweave.com/iam
          expirationSeconds: 600
          path: cks-pod-identity-token
  - configMap:
      defaultMode: 420
      name: rclone-conf
    name: rclone-conf
  - name: kube-api-access-gzzsm
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace

Example chart configuration

To find the values for this configuration:
  • You can find your CoreWeave Organization ID in the CoreWeave Console settings page.
  • Use one of the following regions supported by AI Object Storage to configure the webhook:
    • US-CENTRAL-05A
    • US-CENTRAL-06A
    • US-CENTRAL-07A
    • US-CENTRAL-08A
    • US-CENTRAL-08B
    Learn more about Regions and Availability Zones.
  • You can find the audience value in your OIDC Workload Federation configuration.
pod-identity-webhook.yaml
config:
  # -- The CoreWeave Organization ID, six-character hexadecimal string found in the CoreWeave Console settings page
  orgID: "cweeee"

  # -- The CoreWeave Availability Zone (AZ), used as an AWS Region
  # (glossary: https://docs.coreweave.com/glossary#availability-zone-az)
  # Example: US-EAST-04A
  # See the CoreWeave Docs on Regions and AZs: https://docs.coreweave.com/platform/regions/about-regions-and-azs
  region: "US-EAST-04A"

  # -- The Audience to be used for the projected token.
  # Must match the Audience requirement found in the Cloud Console
  # Workload Federation (OIDC) configuration.
  audience: https://coreweave.com/iam
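
The audience requirement above is a common source of failed credential requests, so the following added example (not part of the chart or of CoreWeave's code) decodes the projected token inside a pod and checks its `aud` and `exp` claims against the configured value. It reads claims only and does not verify the signature; the function names and the sample token are constructed for illustration.

```python
import base64
import json
import os
import time
from typing import List, Optional


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict. The signature is NOT verified here."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected three dot-separated parts")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, expected_audience: str,
                now: Optional[float] = None) -> List[str]:
    """List claim problems worth ruling out before blaming the storage client."""
    now = time.time() if now is None else now
    claims = decode_claims(token)
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    problems = []
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: token carries {audiences}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned token so the demo runs outside a cluster."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    expected = "https://coreweave.com/iam"  # audience value shown on this page
    path = os.environ.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
    if path and os.path.exists(path):
        token = open(path).read()  # the token the webhook projected into the pod
    else:
        token = make_sample_token({  # constructed claims, wrong audience on purpose
            "aud": ["https://kubernetes.default.svc"],
            "sub": "system:serviceaccount:default:test",
            "exp": int(time.time()) + 600,
        })
    print(check_token(token, expected) or "token claims look usable")
```

Run it in a container of the injected pod; an audience mismatch means the chart's `audience` value and the Workload Federation configuration disagree.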
Last modified on May 20, 2026