# Pod Identity Webhook

> Configure pods to access CoreWeave AI Object Storage

| Chart reference                  | Description                                          |
| -------------------------------- | ---------------------------------------------------- |
| `coreweave/pod-identity-webhook` | Configure pods to access CoreWeave AI Object Storage |

## About the Pod Identity Webhook

The *Pod Identity Webhook* is a deployment of the [EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook) configured to use CoreWeave's OIDC Workload Federation feature. Instead of using `AssumeRoleWithWebIdentity`, it uses a lesser-known API called the [Container Credential Provider](https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html).

When this webhook is installed, any pod that uses a [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/) carrying the annotation `caios.coreweave.com/inject: "true"` is injected with most of the variables needed to authenticate to CoreWeave AI Object Storage.
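As an added example (not code from the CoreWeave docs or the webhook project), this is what an AWS SDK's Container Credential Provider does with the two injected variables: it reads the projected token file, sends the token in the `Authorization` header of a GET to the credentials URI, and parses the JSON credentials that come back. The credential values and token are constructed, and the endpoint is a hypothetical loopback stand-in for the CoreWeave temporary-credentials API (real SDKs only accept `https://` or loopback values for `AWS_CONTAINER_CREDENTIALS_FULL_URI`).

```python
import json, pathlib, tempfile, threading
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample response, in the JSON shape the AWS SDKs' container
# credential provider expects; SAMPLE_TOKEN stands in for the projected JWT.
SAMPLE_CREDS = {"AccessKeyId": "EXAMPLEKEY", "SecretAccessKey": "EXAMPLESECRET",
                "Token": "EXAMPLESESSIONTOKEN", "Expiration": "2030-01-01T00:00:00Z"}
SAMPLE_TOKEN = "constructed-projected-sa-token"

def fetch_container_credentials(env):
    """What the SDK does with the two injected variables: read the projected
    token, send it as the Authorization header, parse the JSON credentials."""
    with open(env["AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE"]) as f:
        token = f.read().strip()
    req = urllib.request.Request(env["AWS_CONTAINER_CREDENTIALS_FULL_URI"],
                                 headers={"Authorization": token})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as e:  # e.g. 401 when the token is rejected
        return {"error": e.code}

class FakeEndpoint(BaseHTTPRequestHandler):
    """Hypothetical loopback stand-in for the temporary-credentials endpoint:
    it accepts only requests whose Authorization header carries SAMPLE_TOKEN."""
    def do_GET(self):
        ok = self.headers.get("Authorization") == SAMPLE_TOKEN
        body = json.dumps(SAMPLE_CREDS).encode() if ok else b""
        self.send_response(200 if ok else 401)
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *_):  # silence per-request logging
        pass

def demo(token=SAMPLE_TOKEN):
    """Run the exchange end to end on loopback and return the parsed result."""
    server = HTTPServer(("127.0.0.1", 0), FakeEndpoint)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    with tempfile.TemporaryDirectory() as d:
        token_file = pathlib.Path(d, "cks-pod-identity-token")
        token_file.write_text(token)  # the webhook mounts the real one read-only
        env = {"AWS_CONTAINER_CREDENTIALS_FULL_URI": f"http://127.0.0.1:{server.server_port}/",
               "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE": str(token_file)}
        try:
            return fetch_container_credentials(env)
        finally:
            server.shutdown()
```

Because the token is a short-lived projected service-account token, the SDK re-reads the file on every refresh, so rotation happens without restarting the workload.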

## Example usage

As an example, apply the following manifest to a cluster with the webhook enabled. The annotation on the `ServiceAccount` is what triggers the injection into the resulting `Pod`.

<Note>
  While all authentication is handled by the webhook, workloads still need to be configured to use Virtual Addressing Style. See [Attaching endpoints](/products/storage/object-storage/using-object-storage/configure-endpoints) for examples.
</Note>

```yaml title="test-pod.yaml" highlight={4-5} theme={"system"}
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    caios.coreweave.com/inject: "true"  # <-- This activates the webhook
  name: test
---
apiVersion: v1
kind: Pod
metadata:
  name: test-6cf468f7b7-2g4c7
spec:
  serviceAccountName: test
  initContainers:
  - name: aws-setup
    image: amazon/aws-cli:latest
    command:
    - sh
    args:
    - -c
    - |
        aws configure set default.s3.addressing_style virtual
        # Use https://cwobject.com if using from outside of a CKS Cluster
        aws configure set endpoint_url "http://cwlota.com"
    volumeMounts:
    - mountPath: /config
      name: aws-config
    env:
    - name: AWS_CONFIG_FILE
      value: /config/config
  containers:
  - name: awscli
    image: amazon/aws-cli:latest
    args:
    - s3
    - ls
    env:
    - name: AWS_CONFIG_FILE
      value: /aws/config
    volumeMounts:
    - mountPath: /aws
      name: aws-config
  volumes:
  - name: aws-config
    emptyDir: {}
```

The resulting `Pod` will carry the auto-injected configuration shown in the following example (taken from a different, rclone-based pod using the same `test` Service Account; some fields omitted for clarity):

```yaml title="created-pod-config.yaml" theme={"system"}
apiVersion: v1
kind: Pod
metadata:
  name: rclone-test-hj7cc
spec:
  containers:
  - args:
    - lsd
    - 'caios:'
    - -vv
    env:
    - name: RCLONE_CONFIG
      value: /config/rclone.conf
    - name: AWS_DEFAULT_REGION
      value: US-EAST-04A
    - name: AWS_REGION
      value: US-EAST-04A
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/[YOUR-ORG-ID]
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: /var/run/secrets/cks.coreweave.com/serviceaccount/cks-pod-identity-token
    image: rclone/rclone
    name: rclone
    volumeMounts:
    - mountPath: /config
      name: rclone-conf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-gzzsm
      readOnly: true
    - mountPath: /var/run/secrets/cks.coreweave.com/serviceaccount
      name: cks-pod-identity-token
      readOnly: true
  serviceAccountName: test
  volumes:
  - name: cks-pod-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: https://coreweave.com/iam
          expirationSeconds: 600
          path: cks-pod-identity-token
  - configMap:
      defaultMode: 420
      name: rclone-conf
    name: rclone-conf
  - name: kube-api-access-gzzsm
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
```

## Example chart configuration

To find the values for this configuration:

* You can find your CoreWeave Organization ID in the [CoreWeave Console settings page](https://console.coreweave.com/account/settings).
* Use one of the following Availability Zones supported by AI Object Storage as the webhook's `region` value:

  <Accordion title="Availability Zones that support AI Object Storage">
    <Tabs>
      <Tab title="US-CENTRAL">
        * `US-CENTRAL-05A`
        * `US-CENTRAL-06A`
        * `US-CENTRAL-07A`
        * `US-CENTRAL-08A`
        * `US-CENTRAL-08B`
      </Tab>

      <Tab title="US-EAST">
        * `US-EAST-01A`
        * `US-EAST-02A`
        * `US-EAST-03A`
        * `US-EAST-04A`
        * `US-EAST-04B`
        * `US-EAST-06A`
        * `US-EAST-08A`
        * `US-EAST-13A`
        * `US-EAST-14A`
      </Tab>

      <Tab title="US-WEST">
        * `RNO2A`
        * `US-WEST-01A`
        * `US-WEST-04A`
        * `US-WEST-09B`
        * `US-WEST-10A`
      </Tab>

      <Tab title="CA-EAST">
        * `CA-EAST-01A`
      </Tab>

      <Tab title="EU-NORTH">
        * `EU-NORTH-05A`
      </Tab>

      <Tab title="EU-SOUTH">
        * `EU-SOUTH-03B`
        * `EU-SOUTH-04A`
      </Tab>
    </Tabs>

    Learn more about [Regions and Availability Zones](/platform/regions/about-regions-and-azs).
  </Accordion>
* You can find the `audience` value in your [OIDC Workload Federation](https://console.coreweave.com/organization/iam/workload-federation/oidc) configuration.

```yaml title="pod-identity-webhook.yaml" theme={"system"}
config:
  # -- The CoreWeave Organization ID, six-character hexadecimal string found in the CoreWeave Console settings page
  orgID: "cweeee"

  # -- The CoreWeave <a href="https://docs.coreweave.com/glossary#availability-zone-az">Availability Zone (AZ)</a>, used as an AWS Region
  # Example: US-EAST-04A
  # See the <a href="https://docs.coreweave.com/platform/regions/about-regions-and-azs">CoreWeave Docs on Regions and AZs</a>
  region: "US-EAST-04A"

  # -- The Audience to be used for the projected token.
  # Must match the Audience requirement found in the Cloud Console
  # Workload Federation (OIDC) configuration.
  audience: https://coreweave.com/iam
```
