> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.
# About bucket access policies
> Learn to control user actions on specific resources
This page explains how bucket access policies work in CoreWeave AI Object Storage, how to apply one to a bucket, and how to structure the JSON document so you can write your own. Use this page when you need precise, S3-specific access control for an individual bucket, such as sharing a bucket with users from another organization or restricting access to a single prefix.
Bucket access policies are JSON objects that define allowed or denied actions on a single bucket and its contents. Only the bucket owner can attach or update this policy.
CoreWeave AI Object Storage enforces access in two layers:
* Organization access policies apply to all principals and resources in your organization. You configure them in the [Cloud Console](https://console.coreweave.com/object-storage/access-policies) or through the [AI Object Storage API](/products/storage/object-storage/reference/object-storage-api-ref#ensureaccesspolicy) (for example, with `curl`). CoreWeave evaluates these policies first.
* Bucket access policies apply only to one bucket and its objects. Use them to allow users from other organizations to access your bucket. CoreWeave evaluates these policies after organization access policies.
See the [complete policy evaluation order](/products/storage/object-storage/auth-access/policies#policy-evaluation) for details about how CoreWeave evaluates policies.
## Set a bucket access policy
To set a bucket access policy, use the [S3-compatible API](/products/storage/object-storage/reference/object-storage-s3) with standard S3 tools like `aws s3api` or `s3cmd`, or use the [CoreWeave Terraform provider](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy). The policy is a JSON object that defines the access rules for the bucket and its objects.
For example, the following command applies a JSON policy file to a bucket. Replace `[BUCKET-NAME]` with the name of your bucket and `[POLICY-FILE]` with the path to the JSON file that contains the policy.
```bash theme={"system"}
aws s3api put-bucket-policy --bucket [BUCKET-NAME] --policy file://[POLICY-FILE]
```
The policy file must be a valid JSON object that adheres to the structure and rules defined in this guide. After the command succeeds, the bucket enforces the new policy in addition to your organization access policies. The sections that follow describe the constraints to keep in mind and the JSON fields you use to author the policy.
## Key considerations
Keep the following aspects of bucket access policies in mind:
| Policy aspect | Details |
| --------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Policy scope** | Bucket access policies can only grant S3-compatible API permissions. Actions under the `cwobject:` API (for example, managing access keys or audit logging) must be allowed through an organization access policy that uses `"Resource": ["*"]`. |
| **Lifecycle configuration** | Bucket access policies uniquely govern [bucket lifecycle configuration](#bucket-lifecycle-policy), including:
- Expiration actions (delete by date, age, or expired-marker)
- Noncurrent version expiration
- Abort incomplete multipart uploads |
| **Access policies versus lifecycle policies** | Bucket access policies are not the same as [lifecycle policies](#bucket-lifecycle-policy). Lifecycle policies manage object lifecycles, while bucket access policies control access to the bucket and its objects.
- Set access policies with `s3:PutBucketPolicy`.
- Set lifecycle policies with `s3:PutBucketLifecycleConfiguration`. |
| **Global operations** | Certain actions are global and only evaluate organization policies:
- `s3:ListAllMyBuckets` must specify `"Resources": ["*"]`.
- `s3:PutBucketPolicy` is global and only checks organization access policies to avoid lock-out. |
| **Principal specification** | You can't use CoreWeave IAM groups in bucket access policies. Instead, specify principals by UID (from Cloud Console) or through SAML users and groups. |
| **Explicit S3-compatible API access** | The `Object Storage Admin` IAM role (or membership in the legacy `admin` group) does not grant S3-compatible API access. You must explicitly allow it through organization or bucket access policies. |
Make sure that your policy fits within the maximum policy size of 20 KB.
## Structure of bucket access policies
Bucket access policies use JSON objects with two top-level fields: `Version`, `Statement`. The `Statement` field is an array of objects, each defining the access rules for a specific bucket or object. Each statement can include the following:
| Field | Description |
| ----------- | ----------------------------------------------------------------------------------- |
| `Sid` | Optional identifier for the policy statement. |
| `Effect` | Indicates whether the policy allows or denies access. |
| `Principal` | The user, role, or group to which the policy applies. |
| `Action` | The specific actions that the policy allows or denies. |
| `Resource` | The resources to which the policy applies, specified in ARN format. |
| `Condition` | Optional element that specifies additional constraints for when the policy applies. |
### Version
`Version` is required. It defines the version of the policy language. Use `2012-10-17` for all policies. Some old policies use `2008-10-17`. Any other value is invalid.
```json highlight={2} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [ ... ],
"Resource": [ ... ],
"Condition": { ... }
}
]
}
```
### Statement
`Statement` is required. It's the main policy element that defines the access rules for buckets and objects. It can contain a single policy or an array. Enclose each policy in curly braces, and enclose arrays of policies in square brackets.
```json highlight={3-14} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [ ... ],
"Resource": [ ... ],
"Condition": { ... }
},
{ ... },
{ ... }
]
}
```
### Sid
`Sid` (Statement ID) is optional. It's a short, human-readable identifier for the policy statement, which is useful for tracking and managing policies. Each `Statement` in an array of statements can have an assigned `Sid`. Each `Sid` must be unique within the JSON policy, and may only consist of ASCII uppercase letters, lowercase letters, or numbers.
```json highlight={5} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [ ... ],
"Resource": [ ... ],
"Condition": { ... }
}
]
}
```
### Effect
`Effect` is required. It specifies whether the statement allows or denies the action. The valid options are `Allow` or `Deny`, and these are case-sensitive. By default, CoreWeave denies access to resources. To allow access to a resource, set the `Effect` element to `Allow`. To override an allow that is otherwise in force, set the `Effect` element to `Deny`.
```json highlight={6} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [ ... ],
"Resource": [ ... ],
"Condition": { ... }
}
]
}
```
### Principal / NotPrincipal
This field defines who gets access to the resources specified in the policy. Either `Principal` or `NotPrincipal` is required. You can't use them together.
* Use `Principal` to specify the user, role, or group allowed for this policy.
* Use `NotPrincipal` to deny access to all except the principal specified. `NotPrincipal` is only supported with `"Effect": "Deny"`. You can't use it with `"Effect": "Allow"`.
Troubleshooting the side effects of `NotPrincipal` can be difficult. We recommend using options such as `Condition` instead.
The key in the `Principal` object specifies the identity type:
* Use `CW` for users from the CoreWeave Cloud Console.
* Use `AWS` for identities from a federated SAML provider.
The value in the Principal object must be an ARN (Amazon Resource Name). In the path, indicate the source of the `Principal`:
* For Console users: `arn:aws:iam::[ORG-ID]:coreweave/[USER-ID]`
* For SAML users: `arn:aws:iam::[ORG-ID]:saml/[USER-ID]`
You can find your organization ID and user UID on the [Settings page](https://console.coreweave.com/account/settings) of your Cloud Console account.
For OIDC users who set up Workload Identity Federation:
* Use `arn:aws:iam::[ORG-ID]:role/[JWT-ISSUER-URL]:[JWT-SUBJECT-USER-ID]`, where `[JWT-ISSUER-URL]` is the issuer of the JWT token and `[JWT-SUBJECT-USER-ID]` is the subject of the JWT token.
Do not use `user/` in the ARN path. It isn't a valid prefix for CoreWeave or SAML identities.
To specify multiple principals in a single policy statement, include multiple entries in the `Principal` object:
```json highlight={7-12} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": {
"CW": [
"arn:aws:iam::[ORG-ID]:coreweave/[USER-ID-1]",
"arn:aws:iam::[ORG-ID]:coreweave/[USER-ID-2]"
],
},
"Action": [ ... ],
"Resource": [ ... ],
"Condition": { ... }
}
]
}
```
### Action / NotAction
Either `Action` or `NotAction` is required. You can't use them together.
* Use `Action` to describe the specific actions that are allowed or denied.
* Use `NotAction` to match everything except the specified actions.
Wildcards such as `s3:*` are allowed to match multiple actions. Be careful when you combine `NotAction` and `"Effect": "Allow"` in the same policy because it could grant users more permissions than intended. See the list of [API calls and required actions](#required-policies-and-actions) to determine what actions must be allowed for each API call.
```json highlight={8-11} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [ ... ],
"Condition": { ... }
}
]
}
```
### Resource / NotResource
Either `Resource` or `NotResource` is required. You can't use them together.
* Use `Resource` to apply the policy to the listed resources.
* Use `NotResource` to apply the policy to all resources except the ones listed.
Use ARN format to specify resources. Wildcards `*` and `?` are allowed within each colon-separated ARN segment. Wildcards don't extend past colon boundaries.
Don't use `NotResource` in tandem with `"Effect": "Allow"` and `"Action": "*"` because this allows all actions on all resources except those listed.
```json highlight={9-12} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [ ... ],
"Resource": [
"arn:aws:s3:::[BUCKET-NAME]/[OBJECT-KEY]",
"arn:aws:s3:::???-bucket/*/test"
],
"Condition": { ... }
}
]
}
```
### Condition
`Condition` is optional. A `Condition` consists of an operator, and a key with a value. CoreWeave evaluates the condition to grant or deny access based on the request context.
#### Condition operators
The supported condition operators are:
| Field | Description |
| --------------------------- | ----------------------------------------------------------- |
| `IpAddress` | The specified IP address or range, such as `203.0.113.0/24` |
| `NotIpAddress` | All IP addresses except the specified address |
| `StringEquals` | Exact, case-sensitive match |
| `StringNotEquals` | Match all except specified string, case-sensitive |
| `StringLike` | Case-sensitive match allowing wildcards |
| `StringNotLike` | Negated case-sensitive match allowing wildcards |
| `StringEqualsIgnoreCase` | Exact match, ignores case |
| `StringNotEqualsIgnoreCase` | Negated exact match, ignores case |
| `Null` | Check for absent condition key |
#### Condition keys
The supported condition keys are:
| Field | Description |
| ------------------- | ------------------------------------------------------------------------------------------------------ |
| `cw:PrincipalArn` | The principal, formatted as `arn:partition:service:region:[ACCOUNT-ID]:[RESOURCE-TYPE/][RESOURCE-ID]`. |
| `cw:ResourceArn` | The resource ARN of the request. |
| `cw:ResourceOrgID` | The organization ID from the owner of a resource. |
| `cw:PrincipalOrgID` | The organization ID from the principal. |
| `cw:SourceIP` | The source IP address of the request. |
| `cw:Bucket` | The bucket name of the request. |
| `s3:prefix` | The prefix of the request, used to list objects. |
```json highlight={10-16} theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UniquePolicyName",
"Effect": "Allow",
"Principal": { ... },
"Action": [ ... ],
"Resource": [ ... ],
"Condition": {
// Operator
"IpAddress": {
// Key with value
"cw:SourceIP": "203.0.113.0/24"
}
}
}
]
}
```
## Example use cases
The following examples show bucket access policies for common scenarios. Use them as templates and adapt the principals, resources, and conditions to your own buckets.
### Full access to a specific bucket for one user
This policy grants full access to a specific bucket for one user. It has two statements:
* The first statement allows the specified user to perform all S3 actions on the bucket and its contents.
* The second statement denies all other users access to the bucket and its contents.
Fill in the following parameters:
* `[ORG-ID]` with your organization's ID.
* `[USER-ID]` with the ID of the user you want to grant full access to.
* `[BUCKET-NAME]` with the name of the bucket you want to grant full access to.
```json title="Full access to a specific bucket for one user" theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowOnlyOneUser",
"Effect": "Allow",
"Principal": {
"CW": "arn:aws:iam::[ORG-ID]:coreweave/[USER-ID]"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::[BUCKET-NAME]",
"arn:aws:s3:::[BUCKET-NAME]/*"
]
},
{
"Sid": "DenyAllOthers",
"Effect": "Deny",
"NotPrincipal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::[BUCKET-NAME]",
"arn:aws:s3:::[BUCKET-NAME]/*"
]
}
]
}
```
### Read-only for a specific bucket for all users in your organization
This policy grants read-only access to a specific bucket for all users in your organization. It has two statements:
* The first statement allows all users in the organization to list the bucket and get its location.
* The second statement allows all users in the organization to get objects from the bucket.
Replace `[BUCKET-NAME]` with the name of the bucket and `[ORG-ID]` with your organization's ID.
Always include a `Condition` with `cw:PrincipalOrgID` when using `"Principal": "*"`. Without it, the bucket is accessible to anyone on the internet, not just users in your organization.
```json title="Read-only for a specific bucket for all users in your organization" theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListBucket",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::[BUCKET-NAME]",
"Condition": {
"StringEquals": {
"cw:PrincipalOrgID": ["[ORG-ID]"]
}
}
},
{
"Sid": "AllowGetObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[BUCKET-NAME]/*",
"Condition": {
"StringEquals": {
"cw:PrincipalOrgID": ["[ORG-ID]"]
}
}
}
]
}
```
### Read-only for a specific bucket for a specific user
This policy grants read-only access to a specific bucket for a specific user. It has two statements:
* The first statement allows the specified user to list the bucket and get its location.
* The second statement allows the specified user to get objects from the bucket.
Fill in the following parameters:
* `[ORG-ID]` with your organization's ID.
* `[USER-ID]` with the ID of the user you want to grant read-only access to.
* `[BUCKET-NAME]` with the name of the bucket you want to grant read-only access to.
```json title="Read-only for a specific bucket for a specific user" theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UserReadBucket",
"Effect": "Allow",
"Principal": {
"CW": "arn:aws:iam::[ORG-ID]:coreweave/[USER-ID]"
},
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::[BUCKET-NAME]"
},
{
"Sid": "UserGetObjects",
"Effect": "Allow",
"Principal": {
"CW": "arn:aws:iam::[ORG-ID]:coreweave/[USER-ID]"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::[BUCKET-NAME]/*"
}
]
}
```
### All buckets read-only for all users in your organization
This policy grants read-only access to all buckets for all users in your organization. It has three statements:
* The first statement allows all users in the organization to list all buckets.
* The second statement allows all users in the organization to list and describe all buckets.
* The third statement allows all users in the organization to get objects from all buckets.
Replace `[ORG-ID]` with your organization's ID.
Always include a `Condition` with `cw:PrincipalOrgID` when using `"Principal": "*"`. Without it, the bucket is accessible to anyone on the internet, not just users in your organization.
```json title="All buckets read-only for all users in your organization" theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAllBuckets",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringEquals": {
"cw:PrincipalOrgID": ["[ORG-ID]"]
}
}
},
{
"Sid": "ListAndDescribeBuckets",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::*",
"Condition": {
"StringEquals": {
"cw:PrincipalOrgID": ["[ORG-ID]"]
}
}
},
{
"Sid": "GetAllObjects",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::*/*",
"Condition": {
"StringEquals": {
"cw:PrincipalOrgID": ["[ORG-ID]"]
}
}
}
]
}
```
### Limit to a specific prefix
This policy restricts the `ListBucket` action to a specific prefix within a bucket. It has two statements:
* The first statement allows the user to list objects in the bucket only if the prefix matches `projects`.
* The second statement denies the user from listing objects in the bucket if the prefix doesn't match `projects`.
The Condition statement allows the user to list only object keys that start with the `projects` prefix. An explicit `Deny` statement blocks the user from listing any other keys, even if other policies grant broader permissions. For instance, the user might later receive permissions to list all keys through an updated user policy or bucket policy. But because `Deny` takes precedence over `Allow`, CoreWeave denies any request to list keys outside the `projects` prefix.
Replace `[BUCKET-NAME]` with the name of the bucket and `[ORG-ID]` with your organization's ID.
```json title="Limit to a specific prefix" theme={"system"}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowIfPrefixEquals",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::[BUCKET-NAME]",
"Condition": {
"StringEquals": {
"s3:prefix": "projects",
"cw:PrincipalOrgID": ["[ORG-ID]"]
}
}
},
{
"Sid": "DenyIfPrefixNotEquals",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::[BUCKET-NAME]",
"Condition": {
"StringNotEquals": {
"s3:prefix": "projects"
}
}
}
]
}
```
## Required policies and actions
Each API call requires permission to perform one or more related actions, and those action names don't always match the API calls. Some API calls perform multiple actions that require permission to separate actions. For example, copying an object requires permission to perform both `s3:PutObject` and `s3:GetObject` actions.
Use the following permission mapping when you plan bucket access policies. See [Object Storage API features](/products/storage/object-storage/reference/object-storage-s3#api-calls) for a complementary list of API calls mapped to their associated actions.
| Required action permission | API call |
| --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `s3:AbortMultipartUpload` | `s3:AbortMultiPartUpLoad` |
| `s3:CreateBucket` | `s3:CreateBucket` |
| `s3:DeleteBucket` | `s3:DeleteBucket` |
| `s3:DeleteObject` | `s3:DeleteObject`
`s3:DeleteObjects`
`s3:RenameObject` |
| `s3:DeleteObjectTagging` | `s3:DeleteObjectTagging` |
| `s3:DeleteObjectVersion` | `s3:DeleteObject`
`s3:DeleteObjects` |
| `s3:DeleteLifecycleConfiguration` | `s3:DeleteBucketLifeCycle` |
| `s3:DeleteBucketPolicy` | `s3:DeleteBucketPolicy` |
| `s3:DeleteBucketTagging` | `s3:DeleteBucketTagging` |
| `s3:GetLifecycleConfiguration` | `s3:GetBucketLifecycleConfiguration` |
| `s3:GetBucketLocation` | `s3:GetBucketLocation` |
| `s3:GetBucketPolicy` | `s3:GetBucketPolicy` |
| `s3:GetBucketTagging` | `s3:GetBucketTagging` |
| `s3:GetBucketVersioning` | `s3:GetBucketVersioning` |
| `s3:GetObject` | `s3:CopyObject`
`s3:GetObject`
`s3:GetObjectAcl`
`s3:GetObjectAttributes`
`s3:HeadObject`
`s3:UploadPartCopy` |
| `s3:GetObjectTagging` | `s3:GetObjectTagging` |
| `s3:ListAllMyBuckets` | `s3:ListBuckets` |
| `s3:ListBucket` | `s3:GetBucketACL`
`s3:HeadBucket`
`s3:ListObjectsV2`
`s3:ListObjectVersions` |
| `s3:ListMultipartUploadParts` | `s3:ListParts` |
| `s3:ListBucketMultipartUploads` | `s3:ListMultiPartUploads` |
| `s3:PutLifecycleConfiguration` | `s3:PutBucketLifecycleConfiguration` |
| `s3:PutBucketPolicy` | `s3:PutBucketPolicy`
If no policy exists, CoreWeave grants access to create a new policy if the user's organization ID matches the bucket's organization. |
| `s3:PutBucketTagging` | `s3:PutBucketTagging` |
| `s3:PutBucketVersioning` | `s3:PutBucketVersioning` |
| `s3:PutObject` | `s3:CompleteMultiPartUpLoad`
`s3:CopyObject`
`s3:CreateMultiPartUpLoad`
`s3:PutObject`
`s3:RenameObject`
`s3:UploadPart`
`s3:UploadPartCopy`
`PutObject`, `CompleteMultiPartUpLoad`, `CopyObject`, and `RenameObject` support [conditional writes](/products/storage/object-storage/reference/object-storage-s3#conditional-writes). |
| `s3:PutObjectTagging` | `s3:PutObjectTagging` |
## Bucket lifecycle policy
Bucket lifecycle policies automate object management in CoreWeave AI Object Storage. Each policy consists of rules that apply actions to objects or their versions.
A lifecycle rule can perform the following actions:
* **Transition**: Move objects to a different storage class. Not supported.
* **Expiration**: Delete objects after a specified period. CoreWeave AI Object Storage handles deletion automatically. If multiple rules apply, the earliest expiration wins.
* **Noncurrent version expiration**: For versioned buckets, remove older object versions after a defined count or time.
* **Abort incomplete multipart uploads**: Delete multipart upload parts that remain incomplete after a set number of days.
The following example shows how to configure each action. The field reference describes each field.
```json theme={"system"}
{
"Rules": [
{
"Expiration": {
"Date": timestamp,
"Days": integer,
"ExpiredObjectDeleteMarker": true|false
},
"ID": "string",
"Prefix": "string",
"Filter": {
"Prefix": "string",
"Tag": {
"Key": "string",
"Value": "string"
},
"ObjectSizeGreaterThan": long,
"ObjectSizeLessThan": long,
"And": {
"Prefix": "string",
"Tags": [
{
"Key": "string",
"Value": "string"
}
...
],
"ObjectSizeGreaterThan": long,
"ObjectSizeLessThan": long
}
},
"Status": "Enabled"|"Disabled",
"NoncurrentVersionExpiration": {
"NoncurrentDays": integer,
"NewerNoncurrentVersions": integer
},
"AbortIncompleteMultipartUpload": {
"DaysAfterInitiation": integer
}
}
...
]
}
```
| Rule | Definition |
| -------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `Expiration` | This type of rule specifies that CoreWeave deletes an object when it reaches either a listed Date, a number of days old, or when an expired `Delete` marker is present. The date must be in `ISO 8601` format and the time in UTC 0000. |
| `ExpiredObjectDeleteMarker` | Indicates whether CoreWeave removes a delete marker with no noncurrent versions. If set to `true`, CoreWeave expires the delete marker. If set to `false`, the policy takes no action. You can't specify this with Days or Date. |
| `ID` | Identifier for the rule itself. Can be up to 255 characters. |
| `Filter` | Specifies objects for which a rule applies. Must contain only one of a `Prefix`, `Tag`, or `And` value. An empty Filter indiscriminately applies to **all** objects in a bucket. |
| `Prefix` | A prefix to match on for an object. For instance, `foo/` matches both `foo/bar` and `foo/baz`. Only one prefix per rule can match. |
| `Tag` | An object that specifies a tag (key) and its value. Use multiple tags at once with `And`. |
| `And` | Lets you match on multiple tags and up to one prefix. |
| `ObjectSize` | You can specify a range of sizes in bytes with `ObjectSizeGreaterThan` and `ObjectSizeLessThan`. |
| `Status` | Status shows whether this rule is enabled or not. If the rule is disabled, CoreWeave doesn't apply it. |
| `NoncurrentVersionExpiration` | Specifies how long and how many noncurrent versions of a versioned (or versioning suspended) object to keep. |
| `NoncurrentDays` | How many days after an object becomes noncurrent before deletion. |
| `NewerNoncurrentVersions` | Deletion only occurs after the specified number of noncurrent versions is reached. The process starts with the oldest version. |
| `AbortIncompleteMultipartUpload` | Specify a number of days after the start of a multipart upload with `DaysAfterInitiation` to delete all parts if the upload is aborted. |