Skip to main content
This page shows bucket owners and administrators how to create and update bucket access policies for CoreWeave AI Object Storage buckets. Use these policies to control which principals can perform which actions on a specific bucket and its objects. An Object Storage bucket access policy is a JSON object that defines access to operations and the objects for the bucket it’s assigned to. Each bucket access policy applies to an individual bucket and controls access to the resources inside the bucket. Before you set a bucket access policy, you must set at least one organization access policy for your organization to access the bucket. Bucket access policies are evaluated after organization access policies. You can set bucket access policies from the Cloud Console, programmatically with the S3-compatible API using standard S3 tools like aws s3api or s3cmd, or with the CoreWeave Terraform provider.

Prerequisites

Only principals from the bucket’s owning organization can set or update its bucket access policy. Cross-organization users can’t modify bucket policies, even if they have other permissions on the bucket.

Find your Org ID

You need your Org ID to scope your bucket access policies safely to your organization. Your Org ID is a short hexadecimal string (for example, ab1cd2). Find it on the Settings page of your Cloud Console account.

Policy evaluation

CoreWeave allows or denies access to a bucket by evaluating both the organization and bucket access policies as follows:

Example policies

For sample bucket policies, see Bucket access policy examples.

Set a policy with the Cloud Console

You can view, create, edit, and delete a bucket’s access policy directly from the Cloud Console with no CLI tools required. Your organization access policy must allow s3:GetBucketPolicy to view a policy, s3:PutBucketPolicy to create or edit one, and s3:DeleteBucketPolicy to delete one. See the Console permissions reference for the full list.
  1. Sign in to the Cloud Console and navigate to Object Storage > Buckets.
  2. In the bucket’s row, open the More options menu (the ellipsis icon) and select Bucket policy. A drawer opens with the bucket’s current policy.
  3. In the drawer:
    • To create a policy when none is attached, click Create default policy to populate a starter template, customize it, and click Create policy.
    • To edit an existing policy, update the JSON and click Save. Live validation disables Save on invalid JSON.
    • To replace a hidden policy (when you lack s3:GetBucketPolicy), compose a new policy and click Overwrite…, then confirm.
    • To delete the policy, click Delete policy and confirm. The button only appears when your organization access policy allows s3:DeleteBucketPolicy.
Changes can take a few seconds to appear after saving.

Default policy template

The Create default policy button populates the editor with the following structure, scoped to your organization and your user:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrgAccess",
      "Effect": "Allow",
      "Principal": {
        "CW": [
          "arn:aws:iam::[ORG-ID]:coreweave/*",
          "arn:aws:iam::[ORG-ID]:coreweave/[YOUR-USER-ID]"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
      ],
      "Condition": {
        "StringEquals": { "cw:PrincipalOrgID": ["[ORG-ID]"] }
      }
    }
  ]
}
The template includes s3:GetBucketPolicy, s3:PutBucketPolicy, and s3:DeleteBucketPolicy deliberately. Keep these actions for any user that needs to manage the policy later.

Set a policy with CLI tools

The s3:PutBucketPolicy API call sets a policy for a bucket. The following tabs describe how to set a bucket access policy with different tools. After you run one of these commands successfully, the new policy applies to the specified bucket, and CoreWeave evaluates access according to it on subsequent requests.
Fill in the following parameters:
  • [BUCKET-NAME] with the name of the bucket you want to set the policy for.
  • [FILE-PATH] with the path to the file containing the policy.
Example command
aws s3api put-bucket-policy --bucket [BUCKET-NAME] --policy [FILE-PATH]

Set a policy with Terraform

To use the CoreWeave Terraform provider to set a bucket access policy, use the coreweave_object_storage_bucket_policy resource. You can set the policy in one of the following ways:
  • Pass an encoded JSON string directly to the policy attribute.
  • Use the coreweave_object_storage_bucket_policy_document data source to create the policy.
The following tabs show one example for each approach. Both examples allow all CoreWeave principals from the organization to perform all S3 actions on the bucket and its objects.
Be cautious when you use * in the Principal field: it grants access to all principals, including those from other organizations. You must use Condition to restrict access to only CoreWeave principals from the specific organization.
## Example using jsonencode to pass a raw JSON string to the policy attribute

locals {
  bucket_policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowAllInOrg"
        Effect = "Allow"
        Principal = {
          "CW" : ["*"]
        }
        Action   = ["s3:*"]
        Resource = [
          "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}",
          "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}/*",
        ]
        Condition = {
        "StringEquals" = {
          "cw:PrincipalOrgID" = ["${var.org_id}"]
          }
        }
      },
    ]
  }
}

resource "coreweave_object_storage_bucket" "raw" {
  name = "bucket-policy-raw-example"
  zone = "US-EAST-04A"
}

resource "coreweave_object_storage_bucket_policy" "raw" {
  bucket = coreweave_object_storage_bucket.raw.name
  policy = jsonencode(local.bucket_policy)
}
This resource is also available in OpenTofu. See Use Terraform to manage CoreWeave AI Object Storage infrastructure as code for more information.

Roles for bucket access policies

You can use roles in bucket access policies to specify a set of permissions for a user or group of users. This lets you grant permissions to identities defined outside of CoreWeave (for example, through SAML) as well as to CoreWeave Cloud Console users. Define roles in the Principal field of the policy. The following table describes the fields that define roles in a bucket access policy.
ValueDescription
org-idA static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field, you can substitute a variable like cw:ResourceOrgId for the actual value.
principal-providerSpecifies where the principal came from. For example, the principal-provider for a SAML integration is saml. Similarly, it’s coreweave for a user inside CoreWeave’s cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles.
principal-nameIdentifies the actual actor from the specified provider. For example, if the principal-provider is saml, then that name is the value of the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user’s UID, which appears in that user’s Settings in Cloud Console.

Additional resources

For more information, see:
Last modified on June 25, 2026