Manage bucket policies - CoreWeave Docs

An Object Storage bucket access policy is a JSON object that defines access to operations, and the objects for the bucket it’s assigned to. Bucket access policies are applied to an individual bucket, and are used to control access to the resources inside the bucket. Before setting a bucket access policy, you must set at least one organization access policy for your organization to access the bucket. Bucket access policies are evaluated after organization access policies. You can set bucket access policies programmatically using the S3-compatible API with standard S3 tools like aws s3api or s3cmd, or using the CoreWeave Terraform provider. Although you can set organization access policies in the Cloud Console, bucket access policies cannot be set in the Cloud Console.

Prerequisites

You are a member of the CoreWeave organization that owns the bucket (the “bucket owner”).
Your organization access policy allows s3:PutBucketPolicy on the target bucket (or s3:* on all buckets).
You have an AI Object Storage Access Key.
You have an S3-compatible client (aws s3api, s3cmd, or Boto3) configured for AI Object Storage, or you’re using the CoreWeave Terraform provider.

Only principals from the bucket’s owning organization can set or update its bucket access policy. Cross-organization users cannot modify bucket policies, even if they have other permissions on the bucket.

Find your Org ID

You need your Org ID to safely scope your bucket access policies to your organization. Your Org ID is a short hexadecimal string (for example, ab1cd2). Find it on the Settings page of your Cloud Console account.

Policy evaluation

Access to a bucket is allowed or denied by evaluating both the organization and bucket access policies as follows:

Example policies

For sample bucket policies, see Bucket access policy examples.

Set a policy with CLI tools

The S3:PutBucketPolicy API call is used to set a policy for a bucket. Here is how bucket access policies are set using different tools.

AWS CLI
s3cmd
Boto3

Fill in the following parameters:

[BUCKET-NAME] with the name of the bucket you want to set the policy for.
[FILE-PATH] with the path to the file containing the policy.

Example command

aws s3api put-bucket-policy --bucket [BUCKET-NAME] --policy [FILE-PATH]

Fill in the following parameters:

[FILE-PATH] with the path to the file containing the policy.
[BUCKET-NAME] with the name of the bucket you want to set the policy for.

Example command

s3cmd setpolicy [FILE-PATH] s3://[BUCKET-NAME]

Set environment variables for your CoreWeave credentials:

export ACCESS_KEY_ID="[ACCESS-KEY-ID]"
export SECRET_ACCESS_KEY="[SECRET-ACCESS-KEY]"

Replace [BUCKET-NAME] with the name of the bucket and [ORG-ID] with your organization’s ID.

Set a bucket policy

import os
import json
import boto3
from botocore.client import Config

boto_config = Config(
    region_name='US-EAST-04A',
    s3={'addressing_style': 'virtual'}
)

s3 = boto3.client(
    's3',
    endpoint_url='https://cwobject.com',
    aws_access_key_id=os.environ['ACCESS_KEY_ID'],
    aws_secret_access_key=os.environ['SECRET_ACCESS_KEY'],
    config=boto_config
)

bucket_name = '[BUCKET-NAME]'
org_id = '[ORG-ID]'

policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowPutObject",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": ["s3:PutObject", "s3:PutObjectAcl"],
            "Resource": [f"arn:aws:s3:::{bucket_name}/*"],
            "Condition": {
                "StringEquals": {
                    "cw:PrincipalOrgID": [org_id]
                }
            }
        }
    ]
}

response = s3.put_bucket_policy(
    Bucket=bucket_name,
    Policy=json.dumps(policy)
)

print(response)

Set a policy with Terraform

To use the CoreWeave Terraform provider to set a bucket access policy, use the coreweave_object_storage_bucket_policy resource. You can set the policy in one of the following ways:

passing an encoded JSON string directly to the policy attribute
using the coreweave_object_storage_bucket_policy_document data source to create the policy

There is one example below for each approach. Both examples allow all CoreWeave principals from the organization to perform all S3 actions on the bucket and its objects. Be cautious when using * in the Principal field: it grants access to all principals, including those from other organizations. Use Condition to restrict access to only CoreWeave principals from the specific organization.

Pass JSON to policy attribute
Bucket Policy Document Data Source

## Example using jsonencode to pass a raw JSON string to the policy attribute

locals {
  bucket_policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowAllInOrg"
        Effect = "Allow"
        Principal = {
          "CW" : ["*"]
        }
        Action   = ["s3:*"]
        Resource = [
          "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}",
          "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}/*",
        ]
        Condition = {
        "StringEquals" = {
          "cw:PrincipalOrgID" = ["${var.org_id}"]
          }
        }
      },
    ]
  }
}

resource "coreweave_object_storage_bucket" "raw" {
  name = "bucket-policy-raw-example"
  zone = "US-EAST-04A"
}

resource "coreweave_object_storage_bucket_policy" "raw" {
  bucket = coreweave_object_storage_bucket.raw.name
  policy = jsonencode(local.bucket_policy)
}

## Example using the coreweave_object_storage_bucket_policy_document data source

resource "coreweave_object_storage_bucket" "doc" {
  name = "bucket-policy-doc-example"
  zone = "US-EAST-04A"
}

data "coreweave_object_storage_bucket_policy_document" "doc" {
  version = "2012-10-17"

  statement {
    sid      = "AllowAllInOrg"
    effect   = "Allow"
    action   = ["s3:*"]
    resource = [
      "arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}",
      "arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}/*",
    ]
    principal = {
      "CW" : ["*"]
    }
    condition = {
      "StringEquals" = {
        "cw:PrincipalOrgID" = ["${var.org_id}"]
      }
    }
  }
}

resource "coreweave_object_storage_bucket_policy" "doc" {
  bucket = coreweave_object_storage_bucket.doc.name
  policy = data.coreweave_object_storage_bucket_policy_document.doc.json
}

This resource is also available in OpenTofu. See Use Terraform to manage CoreWeave AI Object Storage infrastructure as code for more information.

Roles for bucket access policies

Roles can be used in bucket access policies to specify a set of permissions for a user or group of users. Roles are defined in the Principal field of the policy. The following table describes the fields used to define roles in a bucket access policy.

Value	Description
`org-id`	A static identifier for your organization at CoreWeave. If you use `Conditions` instead of the `Principal` field you can substitute a variable like `cw:ResourceOrgId` for the actual value.
`principal-provider`	Specifies where the principal came from. For example, the `principal-provider` for a SAML integration would be `saml`. Similarly, It would be `coreweave` for a user inside of CoreWeave’s cloud. You can also use this field to specify a `role` targeting principals who have credentials for specific roles.
`principal-name`	Used to identify the actual actor from the specified provider. For example, if the `principal-provider` is `saml`, then that name would be what is present in the `PrincipalName` attribute in the SAML assertion. For Cloud Console users, this value is the user’s `UID`, which is found in that user’s Settings in Cloud Console.

Additional resources

For more information, see:

Storage

Documentation Index

​Prerequisites

​Find your Org ID

​Policy evaluation

​Example policies

​Set a policy with CLI tools

​Set a policy with Terraform

​Roles for bucket access policies

​Additional resources

Prerequisites

Find your Org ID

Policy evaluation

Example policies

Set a policy with CLI tools

Set a policy with Terraform

Roles for bucket access policies

Additional resources