
# About authentication and access control

> Authentication and authorization for CoreWeave AI Object Storage

Before you start using CoreWeave AI Object Storage, you must set up access tokens, access keys, and organization access policies. Bucket access policies are optional. You can use them for finer-grained control of your resources. The [Object Storage API](/products/storage/object-storage/reference/object-storage-api-ref) lets you manage access keys and policies programmatically, while the [Object Storage S3 endpoint](/products/storage/object-storage/reference/object-storage-s3) lets you create and manage buckets and objects.

For production workloads, CoreWeave recommends [Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/about) as the method for obtaining Access Keys. It exchanges short-lived OIDC tokens for temporary credentials, which eliminates the need to store or rotate long-lived static keys.

If a principal already authenticates with a [CoreWeave API access token](/products/storage/object-storage/auth-access/create-access-tokens), CoreWeave recommends exchanging that token directly for temporary credentials instead of creating a separate static Access Key. This method also carries the principal's SCIM group memberships, which you can use for [group-based and attribute-based access control](/products/storage/object-storage/auth-access/bucket-access/bucket-policies#attribute-based-access-control). See [Direct access token exchange](/products/storage/object-storage/auth-access/manage-access-keys/api-access-token).

The following diagram outlines how to choose an authentication and management approach for Object Storage:

```mermaid
flowchart TD
    B{"What do you want to do?"} --> C["Manage Object Storage<br/>control plane<br/>(Access keys, org policies)"]
    B --> D["Use Storage<br/>(Buckets, objects)"]

    C --> E["Requires API Access Token<br/>for a principal with<br/>Object Storage Admin<br/>IAM role"]
    D --> F["Requires Access Keys"]

    E --> G{"How do you want to<br/>manage Object Storage<br/>control plane?"}
    G --> H["Manually in Cloud Console"]
    G --> I["Using the AI Object Storage API (`cwobject:`)"]

    F --> J{"How do you want to<br/>obtain Access Keys?"}
    J --> K["Static keys<br/>(API access token)<br/>For development and testing"]
    J --> L["WIF keys - recommended<br/>(OIDC or SAML)<br/>For production workloads"]

    K --> M["S3-compatible endpoints<br/>(`cwobject.com` or `cwlota.com`)"]
    L --> N["OIDC - recommended<br/>15-min ephemeral keys"]
    L --> O["SAML<br/>Up to 12-hour keys"]
    N --> M
    O --> M
```

## Authentication summary table

This table summarizes the authentication required to use each Object Storage API and interface:

| API/Interface                                                              | Purpose                                                            | Authentication required                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
| -------------------------------------------------------------------------- | ------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Object Storage API<br />`api.coreweave.com`                                | Object Storage control plane<br />Create access keys, org policies | API Access Token for a principal that has the `Object Storage Admin` IAM role (through [IAM Access Policies](/security/iam/access-policies)). For Object Storage, this IAM role replaces the legacy CoreWeave `admin` group.                                                                                                                                                                                                                                                                                                                       |
| Object Storage S3-compatible endpoints<br />`cwobject.com` or `cwlota.com` | Storage operations<br />Manage buckets, upload objects             | [Access Keys](/products/storage/object-storage/auth-access/manage-access-keys/about): obtained directly from a [CoreWeave API access token](/products/storage/object-storage/auth-access/manage-access-keys/api-access-token) for temporary credentials, by [creating a static key](/products/storage/object-storage/auth-access/manage-access-keys/create-keys) with an API access token, or through [Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/about) (recommended for production) |
| Cloud Console                                                              | Both IAM and Storage                                               | API Access Tokens for Console/API actions<br />Access Keys for S3-compatible bucket and object operations                                                                                                                                                                                                                                                                                                                                                                                                                                          |
