# Bucket access policy examples

> Example bucket access policies for AI Object Storage

The following examples show common bucket access policy patterns. For details on how to apply a policy to a bucket, see [Manage bucket policies](/products/storage/object-storage/auth-access/bucket-access/manage-bucket-policies).

## Allow organization-wide read access

The following policy allows organization-wide `read` access for the specified bucket.

Replace the following placeholders in the policy:

* `[ORG-ID]` with your organization's ID.
* `[BUCKET-NAME]` with the name of the bucket you want to grant read access to.

```json title="Allow organization-wide read access for the specified bucket" theme={"system"}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Principal": {
        "AWS": "*"
      },
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
      ],
      "Condition": {
        "StringEquals": {
          "cw:PrincipalOrgID": ["[ORG-ID]"]
        }
      }
    }
  ]
}
```

## Allow access from another organization

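You can also use bucket access policies to grant users from other organizations access to your bucket. Add the other organization's ID to the `cw:PrincipalOrgID` condition alongside your own, replacing `[OTHER-ORG-ID]` with that organization's ID: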

```json title="Allow users from other organizations to access your bucket" theme={"system"}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowGetObject",
      "Principal": {
        "AWS": "*"
      },
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
      ],
      "Condition": {
        "StringEquals": {
          "cw:PrincipalOrgID": ["[ORG-ID]", "[OTHER-ORG-ID]"]
        }
      }
    }
  ]
}
```
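
Both read-access policies above use a wildcard principal (`"AWS": "*"`) and rely on the `cw:PrincipalOrgID` condition to limit who gets access. The following pre-apply check is an added example, not part of CoreWeave's documentation or tooling: it flags unfilled placeholders, wildcard `Allow` statements with no org condition, and org IDs outside an allowlist. The org IDs `acme01` and `partner7`, the bucket name `demo-bucket`, and all function names are constructed for illustration.

```python
import json
import re

PLACEHOLDER = re.compile(r"\[[A-Z][A-Z-]*\]")  # e.g. [ORG-ID], [BUCKET-NAME]
ORG_KEY = "cw:PrincipalOrgID"

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_wildcard(principal):
    """True for "*" or {"AWS": "*"} style principals."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in as_list(v) for v in principal.values())
    return False

def lint_policy(text, expected_orgs):
    """Return a list of findings for a bucket policy given as JSON text."""
    findings = [f"unfilled placeholder {ph}"
                for ph in sorted(set(PLACEHOLDER.findall(text)))]
    policy = json.loads(text)
    for stmt in as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow" or not is_wildcard(stmt.get("Principal")):
            continue
        # Assumption: the org condition is the only thing narrowing a wildcard principal.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        orgs = as_list(cond.get(ORG_KEY, []))
        if not orgs:
            findings.append(f"{sid}: wildcard principal without {ORG_KEY} condition")
        for org in orgs:
            if org not in expected_orgs:
                findings.append(f"{sid}: access granted to unexpected org {org}")
    return findings

def sample_policy(orgs):
    """Constructed sample shaped like the read-access policies above."""
    stmt = {"Sid": "AllowGetObject", "Effect": "Allow", "Principal": {"AWS": "*"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::demo-bucket", "arn:aws:s3:::demo-bucket/*"]}
    if orgs:
        stmt["Condition"] = {"StringEquals": {ORG_KEY: orgs}}
    return json.dumps({"Version": "2012-10-17", "Statement": [stmt]})

if __name__ == "__main__":
    for orgs in (["acme01"], ["acme01", "partner7"], []):
        print(orgs, "->", lint_policy(sample_policy(orgs), {"acme01"}))
```

Running the check in review or CI before applying a policy catches the case where the `Condition` block is dropped during editing, which would leave the wildcard principal unscoped.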

## Prevent a specific user from deleting objects

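This policy prevents a specific user from deleting objects in the specified bucket. Replace `[ORG-ID]` with your organization's ID, `[USER-ID]` with the user's ID, and `[BUCKET-NAME]` with the name of the bucket. Besides the two delete actions, the statement also denies `s3:PutLifecycleConfiguration`; in S3 semantics, a lifecycle rule can expire objects, which is deletion by another route.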

```json title="Prevent a specific user from deleting objects" theme={"system"}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "statement",
      "Effect": "Deny",
      "Principal": {
        "CW": "arn:aws:iam::[ORG-ID]:coreweave/[USER-ID]"
      },
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
      ]
    }
  ]
}
```

## Additional resources

* [Manage bucket policies](/products/storage/object-storage/auth-access/bucket-access/manage-bucket-policies)
* [Bucket access policies](/products/storage/object-storage/auth-access/bucket-access/bucket-policies)
* [Access control for AI Object Storage](/products/storage/object-storage/auth-access/about)
