This page shows bucket owners and administrators how to create and update bucket access policies for CoreWeave AI Object Storage buckets. Use these policies to control which principals can perform which actions on a specific bucket and its objects. An Object Storage bucket access policy is a JSON object that defines access to operations and the objects for the bucket it’s assigned to. Each bucket access policy applies to an individual bucket and controls access to the resources inside the bucket. Before you set a bucket access policy, you must set at least one organization access policy for your organization to access the bucket. Bucket access policies are evaluated after organization access policies. You can set bucket access policies programmatically with the S3-compatible API using standard S3 tools like aws s3api or s3cmd, or with the CoreWeave Terraform provider. Although you can set organization access policies in the Cloud Console, you can’t set bucket access policies there.

Prerequisites

Only principals from the bucket’s owning organization can set or update its bucket access policy. Cross-organization users can’t modify bucket policies, even if they have other permissions on the bucket.

Find your Org ID

You need your Org ID to scope your bucket access policies safely to your organization. Your Org ID is a short hexadecimal string (for example, ab1cd2). Find it on the Settings page of your Cloud Console account.

Policy evaluation

CoreWeave allows or denies access to a bucket by evaluating both the organization and bucket access policies as follows:

Example policies

For sample bucket policies, see Bucket access policy examples.

Set a policy with CLI tools

The s3:PutBucketPolicy API call sets a policy for a bucket. The following tabs describe how to set a bucket access policy with different tools. After you run one of these commands successfully, the new policy applies to the specified bucket, and CoreWeave evaluates access according to it on subsequent requests.
Fill in the following parameters:
  • [BUCKET-NAME] with the name of the bucket you want to set the policy for.
  • [FILE-PATH] with the path to the file containing the policy. The AWS CLI reads the `--policy` value from a file only when it is prefixed with `file://`; without the prefix the path string itself is sent as the policy.
Example command

```bash
aws s3api put-bucket-policy --bucket [BUCKET-NAME] --policy file://[FILE-PATH]
```

Set a policy with Terraform

To use the CoreWeave Terraform provider to set a bucket access policy, use the coreweave_object_storage_bucket_policy resource. You can set the policy in one of the following ways:
  • Pass an encoded JSON string directly to the policy attribute.
  • Use the coreweave_object_storage_bucket_policy_document data source to create the policy.
The following tabs show one example for each approach. Both examples allow all CoreWeave principals from the organization to perform all S3 actions on the bucket and its objects.
Be cautious when you use * in the Principal field: it grants access to all principals, including those from other organizations. You must use Condition to restrict access to only CoreWeave principals from the specific organization.
## Example using jsonencode to pass a raw JSON string to the policy attribute

```hcl
# Org ID from the Settings page of the Cloud Console (see "Find your Org ID").
variable "org_id" {
  type        = string
  description = "Org ID that scopes the bucket policy to this organization"
}

locals {
  bucket_policy = {
    Version = "2012-10-17"
    Statement = [
      {
        Sid    = "AllowAllInOrg"
        Effect = "Allow"
        # "*" matches every principal, including principals from other
        # organizations; the Condition below restricts it to this organization.
        Principal = {
          "CW" : ["*"]
        }
        Action   = ["s3:*"]
        # The bucket itself and every object in it.
        Resource = [
          "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}",
          "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}/*",
        ]
        Condition = {
          "StringEquals" = {
            "cw:PrincipalOrgID" = [var.org_id]
          }
        }
      },
    ]
  }
}

resource "coreweave_object_storage_bucket" "raw" {
  name = "bucket-policy-raw-example"
  zone = "US-EAST-04A"
}

resource "coreweave_object_storage_bucket_policy" "raw" {
  bucket = coreweave_object_storage_bucket.raw.name
  policy = jsonencode(local.bucket_policy)
}
```
This resource is also available in OpenTofu. See Use Terraform to manage CoreWeave AI Object Storage infrastructure as code for more information.
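The same AllowAllInOrg policy that the CLI and Terraform sections apply, built and checked in Python before it is uploaded. This is an added example, not code from CoreWeave's documentation or provider: it generates the policy JSON, flags any Allow statement that uses the `*` Principal without a `cw:PrincipalOrgID` condition (the hazard described above), writes the file that `aws s3api put-bucket-policy --policy file://...` consumes, and can hand the policy to a boto3-style S3 client. The org ID `ab1cd2` and bucket name are constructed sample values; the client is assumed to be created with `endpoint_url` pointing at the CoreWeave S3-compatible endpoint.

```python
"""Build, lint and upload a CoreWeave bucket access policy (added example)."""
import json
from pathlib import Path

# Constructed sample values; replace with your own Org ID and bucket name.
ORG_ID = "ab1cd2"
BUCKET = "bucket-policy-raw-example"


def allow_all_in_org(bucket, org_id):
    """All S3 actions on the bucket and its objects for every CoreWeave
    principal, restricted to one organization via cw:PrincipalOrgID."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowAllInOrg",
                "Effect": "Allow",
                # "*" alone would match principals from other organizations.
                "Principal": {"CW": ["*"]},
                "Action": ["s3:*"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {"StringEquals": {"cw:PrincipalOrgID": [org_id]}},
            }
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def find_unscoped_wildcards(policy):
    """Return the Sids of Allow statements whose Principal contains "*"
    but whose Condition does not pin cw:PrincipalOrgID."""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            principals = [p for v in principal.values() for p in _as_list(v)]
        else:
            principals = _as_list(principal)
        if "*" not in principals:
            continue
        condition = stmt.get("Condition", {})
        scoped = any(
            "cw:PrincipalOrgID" in block
            for block in condition.values()
            if isinstance(block, dict)
        )
        if not scoped:
            findings.append(stmt.get("Sid", f"Statement[{index}]"))
    return findings


def _lint(policy):
    unscoped = find_unscoped_wildcards(policy)
    if unscoped:
        raise ValueError(
            f"wildcard Principal without cw:PrincipalOrgID condition: {unscoped}"
        )


def write_policy_file(policy, path):
    """Lint, then write the JSON consumed by
    `aws s3api put-bucket-policy --policy file://<path>`."""
    _lint(policy)
    path.write_text(json.dumps(policy, indent=2))
    return path


def put_bucket_policy(client, bucket, policy):
    """Lint, then issue s3:PutBucketPolicy through a boto3-style S3 client
    (assumed to be built with endpoint_url set to the CoreWeave endpoint)."""
    _lint(policy)
    client.put_bucket_policy(Bucket=bucket, Policy=json.dumps(policy))


if __name__ == "__main__":
    policy = allow_all_in_org(BUCKET, ORG_ID)
    out = write_policy_file(policy, Path("bucket-policy.json"))
    print(f"wrote {out}; apply with: "
          f"aws s3api put-bucket-policy --bucket {BUCKET} --policy file://{out}")
```

Both upload paths run the same lint first, so a statement that widens access beyond your organization is rejected locally rather than discovered after the policy is live on the bucket.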

Roles for bucket access policies

You can use roles in bucket access policies to specify a set of permissions for a user or group of users. This lets you grant permissions to identities defined outside of CoreWeave (for example, through SAML) as well as to CoreWeave Cloud Console users. Define roles in the Principal field of the policy. The following table describes the fields that define roles in a bucket access policy.
| Value | Description |
| --- | --- |
| org-id | A static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field, you can substitute a variable like cw:ResourceOrgId for the actual value. |
| principal-provider | Specifies where the principal came from. For example, the principal-provider for a SAML integration is saml. Similarly, it's coreweave for a user inside CoreWeave's cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles. |
| principal-name | Identifies the actual actor from the specified provider. For example, if the principal-provider is saml, then that name is the value of the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user's UID, which appears in that user's Settings in Cloud Console. |

Additional resources

For more information, see:
Last modified on May 29, 2026