Before you start using CoreWeave AI Object Storage, you must set up access tokens, access keys, and organization access policies. Bucket access policies are optional. You can use them for finer-grained control of your resources.

The Object Storage API lets you manage access keys and policies programmatically, while the Object Storage S3 endpoint lets you create and manage buckets and objects.

For production workloads, CoreWeave recommends Workload Identity Federation as the method for obtaining Access Keys. It exchanges short-lived OIDC tokens for temporary credentials, which eliminates the need to store or rotate long-lived static keys.

The following diagram outlines how to choose an authentication and management approach for Object Storage:

Authentication summary table

This table summarizes the authentication required to use each Object Storage API and interface:
| API/Interface | Purpose | Authentication required |
| --- | --- | --- |
| Object Storage API (api.coreweave.com) | Object Storage control plane: create access keys, org policies | API Access Token for a principal that has the Object Storage Admin IAM role (through IAM Access Policies). For Object Storage, this IAM role replaces the legacy CoreWeave admin group. |
| Object Storage S3-compatible endpoints (cwobject.com or cwlota.com) | Storage operations: manage buckets, upload objects | Access Keys: obtained through Cloud Console tokens (static) or Workload Identity Federation (ephemeral, recommended for production) |
| Cloud Console | Both IAM and Storage | API Access Tokens for Console/API actions; Access Keys for S3-compatible bucket and object operations |
Last modified on May 29, 2026