# Pod Identity Webhook

> Configure pods to access CoreWeave AI Object Storage

| Chart reference                  | Description                                          |
| -------------------------------- | ---------------------------------------------------- |
| `coreweave/pod-identity-webhook` | Configure pods to access CoreWeave AI Object Storage |

This page describes the Pod Identity Webhook chart, which configures Pods on a CKS cluster to authenticate to CoreWeave AI Object Storage without managing static credentials. It covers what the webhook does, an example manifest that shows the autoinjected configuration, and the chart values you need to set when you install it.

## About the Pod Identity Webhook

The *Pod Identity Webhook* is a deployment of the [EKS Pod Identity Webhook](https://github.com/aws/amazon-eks-pod-identity-webhook) configured to use CoreWeave's OIDC Workload Federation feature. Instead of using `AssumeRoleWithWebIdentity`, it uses a lesser-known API called the [Container Credential Provider](https://docs.aws.amazon.com/sdkref/latest/guide/feature-container-credentials.html).

When installed, the webhook injects most of the variables needed to authenticate to AI Object Storage into any Pod that uses a [Service Account](https://kubernetes.io/docs/concepts/security/service-accounts/) with an annotation of `caios.coreweave.com/inject: "true"`.

## Example usage

The following example shows how the webhook injects authentication configuration into a Pod. If you apply this manifest to a cluster where the webhook is installed, the created `Pod` carries the autoinjected configuration.

<Note>
  While the webhook handles all authentication, you still need to configure workloads to use Virtual Addressing Style. For examples, see [Attaching endpoints](/products/storage/object-storage/using-object-storage/configure-endpoints).
</Note>

```yaml title="test-pod.yaml" highlight={4-5} theme={"system"}
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    caios.coreweave.com/inject: "true"  # <-- This activates the webhook
  name: test
---
apiVersion: v1
kind: Pod
metadata:
  name: test-6cf468f7b7-2g4c7
spec:
  serviceAccountName: test
  initContainers:
  - name: aws-setup
    image: amazon/aws-cli:latest
    command:
    - sh
    args:
    - -c
    - |
        aws configure set default.s3.addressing_style virtual
        # Use https://cwobject.com if using from outside of a CKS Cluster
        aws configure set endpoint_url "http://cwlota.com"
    volumeMounts:
    - mountPath: /config
      name: aws-config
    env:
    - name: AWS_CONFIG_FILE
      value: /config/config
  containers:
  - name: awscli
    image: amazon/aws-cli:latest
    args:
    - s3
    - ls
    env:
    - name: AWS_CONFIG_FILE
      value: /aws/config
    volumeMounts:
    - mountPath: /aws
      name: aws-config
  volumes:
  - name: aws-config
    emptyDir: {}
```

The resulting `Pod` has autoinjected configuration, like the following example (some fields omitted for clarity):

```yaml title="created-pod-config.yaml" theme={"system"}
apiVersion: v1
kind: Pod
metadata:
  name: rclone-test-hj7cc
spec:
  containers:
  - args:
    - lsd
    - 'caios:'
    - -vv
    env:
    - name: RCLONE_CONFIG
      value: /config/rclone.conf
    - name: AWS_DEFAULT_REGION
      value: US-EAST-04A
    - name: AWS_REGION
      value: US-EAST-04A
    - name: AWS_CONTAINER_CREDENTIALS_FULL_URI
      value: https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/[YOUR-ORG-ID]
    - name: AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE
      value: /var/run/secrets/cks.coreweave.com/serviceaccount/cks-pod-identity-token
    image: rclone/rclone
    name: rclone
    volumeMounts:
    - mountPath: /config
      name: rclone-conf
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: kube-api-access-gzzsm
      readOnly: true
    - mountPath: /var/run/secrets/cks.coreweave.com/serviceaccount
      name: cks-pod-identity-token
      readOnly: true
  serviceAccountName: test
  volumes:
  - name: cks-pod-identity-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: https://coreweave.com/iam
          expirationSeconds: 600
          path: cks-pod-identity-token
  - configMap:
      defaultMode: 420
      name: rclone-conf
    name: rclone-conf
  - name: kube-api-access-gzzsm
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          expirationSeconds: 3607
          path: token
      - configMap:
          items:
          - key: ca.crt
            path: ca.crt
          name: kube-root-ca.crt
      - downwardAPI:
          items:
          - fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
            path: namespace
```
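The injected fields above are what a cluster operator should verify before trusting a workload's storage access. The following audit is an added example, not part of the chart or the page's own code: it reads a Pod spec (the constructed `SAMPLE_POD` mirrors the injected Pod shown above, trimmed to the fields checked) and reports whether the credential endpoint is HTTPS, whether the token file is served from a read-only projected service account token, and whether that token's audience and lifetime match the values the chart was installed with. The `max_token_ttl` limit and the finding strings are assumptions of this example.

```python
# Constructed sample: the page's injected Pod, reduced to the fields the audit reads.
SAMPLE_POD = {"spec": {
    "containers": [{"name": "rclone", "env": [
        {"name": "AWS_CONTAINER_CREDENTIALS_FULL_URI",
         "value": "https://api.coreweave.com/v1/cwobject/temporary-credentials/oidc/[YOUR-ORG-ID]"},
        {"name": "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE",
         "value": "/var/run/secrets/cks.coreweave.com/serviceaccount/cks-pod-identity-token"}],
        "volumeMounts": [{"mountPath": "/var/run/secrets/cks.coreweave.com/serviceaccount",
                          "name": "cks-pod-identity-token", "readOnly": True}]}],
    "volumes": [{"name": "cks-pod-identity-token", "projected": {"sources": [
        {"serviceAccountToken": {"audience": "https://coreweave.com/iam",
                                 "expirationSeconds": 600, "path": "cks-pod-identity-token"}}]}}]}}


def audit_container(pod, container_name, expected_audience, max_token_ttl=600):
    """Return findings for one container; an empty list means the injected config is as expected."""
    findings = []
    spec = pod["spec"]
    container = next(c for c in spec["containers"] if c["name"] == container_name)
    env = {e["name"]: e.get("value", "") for e in container.get("env", [])}
    # The token file's contents are sent to this URI in an authorization header, so it must be TLS.
    if not env.get("AWS_CONTAINER_CREDENTIALS_FULL_URI", "").startswith("https://"):
        findings.append("credential endpoint missing or not HTTPS")
    token_file = env.get("AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE", "")
    # Locate the mount that serves the token file, then the volume behind that mount.
    mount = next((m for m in container.get("volumeMounts", [])
                  if token_file.startswith(m["mountPath"] + "/")), None)
    if mount is None:
        return findings + ["token file is not backed by a volume mount"]
    if not mount.get("readOnly"):
        findings.append("token mount is writable")
    volume = next((v for v in spec.get("volumes", []) if v["name"] == mount["name"]), {})
    sources = volume.get("projected", {}).get("sources", [])
    sat = next((s["serviceAccountToken"] for s in sources if "serviceAccountToken" in s), None)
    if sat is None:
        return findings + ["token volume is not a projected service account token"]
    # The audience must be the value the chart was installed with (config.audience).
    if sat.get("audience") != expected_audience:
        findings.append(f"token audience {sat.get('audience')!r} != {expected_audience!r}")
    # The webhook projects a 600 s token; a longer-lived token widens the replay window.
    if sat.get("expirationSeconds", 0) > max_token_ttl:
        findings.append("token lifetime exceeds limit")
    if sat.get("path") != token_file.rsplit("/", 1)[-1]:
        findings.append("token file name does not match projected path")
    return findings


if __name__ == "__main__":
    print(audit_container(SAMPLE_POD, "rclone", "https://coreweave.com/iam") or "OK")
```

To audit a live Pod, feed `kubectl get pod <name> -o json` into `json.load` and pass the result in place of `SAMPLE_POD`.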

## Example chart configuration

The following values are set when you install the chart. To find the values for your configuration:

* Find your CoreWeave Organization ID in the [CoreWeave Console settings page](https://console.coreweave.com/account/settings).
* Use one of the following regions supported by AI Object Storage to configure the webhook:

  <Accordion title="Availability Zones that support AI Object Storage">
    <Tabs>
      <Tab title="US-CENTRAL">
        * `US-CENTRAL-05A`
        * `US-CENTRAL-06A`
        * `US-CENTRAL-07A`
        * `US-CENTRAL-08A`
        * `US-CENTRAL-08B`
      </Tab>

      <Tab title="US-EAST">
        * `US-EAST-01A`
        * `US-EAST-02A`
        * `US-EAST-03A`
        * `US-EAST-04A`
        * `US-EAST-04B`
        * `US-EAST-06A`
        * `US-EAST-08A`
        * `US-EAST-13A`
        * `US-EAST-14A`
        * `US-EAST-15A`
        * `US-EAST-17A`
      </Tab>

      <Tab title="US-WEST">
        * `RNO2A`
        * `US-WEST-01A`
        * `US-WEST-04A`
        * `US-WEST-09B`
        * `US-WEST-10A`
      </Tab>

      <Tab title="CA-EAST">
        * `CA-EAST-01A`
      </Tab>

      <Tab title="EU-NORTH">
        * `EU-NORTH-05A`
      </Tab>

      <Tab title="EU-SOUTH">
        * `EU-SOUTH-03B`
        * `EU-SOUTH-04A`
      </Tab>
    </Tabs>

    Learn more about [Regions and Availability Zones](/platform/regions/about-regions-and-azs).
  </Accordion>
* Find the `audience` value in your [OIDC Workload Federation](https://console.coreweave.com/organization/iam/workload-federation/oidc) configuration.

```yaml title="pod-identity-webhook.yaml" theme={"system"}
config:
  # -- The CoreWeave Organization ID, a six-character hexadecimal string found on the CoreWeave Console settings page
  orgID: "cweeee"

  # -- The CoreWeave <a href="https://docs.coreweave.com/glossary#availability-zone-az">Availability Zone (AZ)</a>, used as an AWS Region
  # Example: US-EAST-04A
  # See the <a href="https://docs.coreweave.com/platform/regions/about-regions-and-azs">CoreWeave Docs on Regions and AZs</a>
  region: "US-EAST-04A"

  # -- The Audience to be used for the projected token.
  # Must match the Audience requirement found in the Cloud Console
  # Workload Federation (OIDC) configuration.
  audience: https://coreweave.com/iam
```
