# About authentication and access control

> Authentication and authorization for CoreWeave AI Object Storage

Before you start using CoreWeave AI Object Storage, you must set up access tokens, access keys, and organization access policies. Bucket access policies are optional. You can use them for finer-grained control of your resources. The [Object Storage API](/products/storage/object-storage/reference/object-storage-api-ref) lets you manage access keys and policies programmatically, while the [Object Storage S3 endpoint](/products/storage/object-storage/reference/object-storage-s3) lets you create and manage buckets and objects.

For production workloads, CoreWeave recommends [Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/about) as the method for obtaining Access Keys. It exchanges short-lived OIDC tokens for temporary credentials, which eliminates the need to store or rotate long-lived static keys.

The following diagram outlines how to choose an authentication and management approach for Object Storage:

```mermaid theme={"system"}
flowchart TD
    B{"What do you want to do?"} --> C["Manage Object Storage<br/>control plane<br/>(Access keys, org policies)"]
    B --> D["Use Storage<br/>(Buckets, objects)"]

    C --> E["Requires API Access Token<br/>for a principal with<br/>Object Storage Admin<br/>IAM role"]
    D --> F["Requires Access Keys"]

    E --> G{"How do you want to<br/>manage Object Storage<br/>control plane?"}
    G --> H["Manually in Cloud Console"]
    G --> I["Using the AI Object Storage API (`cwobject:`)"]

    F --> J{"How do you want to<br/>obtain Access Keys?"}
    J --> K["Static keys<br/>(Cloud Console tokens)<br/>For development and testing"]
    J --> L["WIF keys - recommended<br/>(OIDC or SAML)<br/>For production workloads"]

    K --> M["S3-compatible endpoints<br/>(`cwobject.com` or `cwlota.com`)"]
    L --> N["OIDC - recommended<br/>15-min ephemeral keys"]
    L --> O["SAML<br/>Up to 12-hour keys"]
    N --> M
    O --> M
```

## Authentication summary table

This table summarizes the authentication required to use each Object Storage API and interface:

| API/Interface                                                              | Purpose                                                            | Authentication required                                                                                                                                                                                                                                                                         |
| -------------------------------------------------------------------------- | ------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Object Storage API<br />`api.coreweave.com`                                | Object Storage control plane<br />Create access keys, org policies | API Access Token for a principal that has the `Object Storage Admin` IAM role (through [IAM Access Policies](/security/iam/access-policies)). For Object Storage, this IAM role replaces the legacy CoreWeave `admin` group.                                                                    |
| Object Storage S3-compatible endpoints<br />`cwobject.com` or `cwlota.com` | Storage operations<br />Manage buckets, upload objects             | [Access Keys](/products/storage/object-storage/auth-access/manage-access-keys/about): obtained through Cloud Console tokens (static) or [Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/about) (ephemeral, recommended for production) |
| Cloud Console                                                              | Both IAM and Storage                                               | API Access Tokens for Console/API actions<br />Access Keys for S3-compatible bucket and object operations                                                                                                                                                                                       |
