aws s3api or s3cmd, or with the CoreWeave Terraform provider.
Prerequisites
- You are a member of the CoreWeave organization that owns the bucket (the “bucket owner”).
- Your organization access policy allows s3:PutBucketPolicy on the target bucket (or s3:* on all buckets).
- You have an AI Object Storage Access Key.
- You have an S3-compatible client (aws s3api, s3cmd, or Boto3) configured for AI Object Storage, or you’re using the CoreWeave Terraform provider.
Only principals from the bucket’s owning organization can set or update its bucket access policy. Cross-organization users can’t modify bucket policies, even if they have other permissions on the bucket.
Find your Org ID
You need your Org ID to scope your bucket access policies safely to your organization. Your Org ID is a short hexadecimal string (for example, ab1cd2). Find it on the Settings page of your Cloud Console account.
Policy evaluation
CoreWeave allows or denies access to a bucket by evaluating both the organization and bucket access policies as follows:
Example policies
For sample bucket policies, see Bucket access policy examples.
Set a policy with the Cloud Console
You can view, create, edit, and delete a bucket’s access policy directly from the Cloud Console with no CLI tools required. Your organization access policy must allow s3:GetBucketPolicy to view a policy, s3:PutBucketPolicy to create or edit one, and s3:DeleteBucketPolicy to delete one. See the Console permissions reference for the full list.
- Sign in to the Cloud Console and navigate to Object Storage > Buckets.
- In the bucket’s row, open the More options menu (the ellipsis icon) and select Bucket policy. A drawer opens with the bucket’s current policy.
- In the drawer:
  - To create a policy when none is attached, click Create default policy to populate a starter template, customize it, and click Create policy.
  - To edit an existing policy, update the JSON and click Save. Live validation disables Save on invalid JSON.
  - To replace a hidden policy (when you lack s3:GetBucketPolicy), compose a new policy and click Overwrite…, then confirm.
  - To delete the policy, click Delete policy and confirm. The button only appears when your organization access policy allows s3:DeleteBucketPolicy.
Changes can take a few seconds to appear after saving.
Default policy template
The Create default policy button populates the editor with the following structure, scoped to your organization and your user:
s3:GetBucketPolicy, s3:PutBucketPolicy, and s3:DeleteBucketPolicy deliberately. Keep these actions for any user that needs to manage the policy later.
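A pre-flight check can flag a policy that drops the three management actions or leaves a wildcard principal unscoped before you save or upload it. The following is an added example, not CoreWeave code: the name lint_policy, the placeholder principal string, the sample resource names, and the substring test for the Org ID or cw:ResourceOrgId inside Condition are all assumptions.

```python
import fnmatch
import json
# Actions the default template keeps so the policy can still be managed later.
MANAGE_ACTIONS = ("s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy")

def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]

def _principals(stmt):
    # Principal may be a string, a list, or a mapping of type to value(s).
    p = stmt.get("Principal")
    if isinstance(p, dict):
        return [x for v in p.values() for x in _as_list(v)]
    return _as_list(p)

def _covers(stmt, action):
    # Action patterns may contain wildcards such as "s3:*" or "*".
    patterns = _as_list(stmt.get("Action"))
    return any(fnmatch.fnmatchcase(action.lower(), str(a).lower()) for a in patterns)

def lint_policy(text, org_id):
    """Return a list of findings; an empty list means nothing was flagged."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg} (line {exc.lineno})"]
    stmts = _as_list(doc.get("Statement")) if isinstance(doc, dict) else []
    allows = [(i, s) for i, s in enumerate(stmts)
              if isinstance(s, dict) and s.get("Effect") == "Allow"]
    findings = []
    for i, stmt in allows:
        cond = json.dumps(stmt.get("Condition", {}))
        # Assumption: a Condition mentioning the Org ID or cw:ResourceOrgId is org-scoped.
        scoped = org_id in cond or "cw:ResourceOrgId" in cond
        if "*" in _principals(stmt) and not scoped:
            findings.append(f"statement {i}: wildcard principal without an org-scoped Condition")
    for action in MANAGE_ACTIONS:
        if not any(_covers(s, action) and "*" not in _principals(s) for _, s in allows):
            findings.append(f"{action} is not kept for any named principal")
    return findings

# Constructed sample policies; the principal string is a placeholder, not real syntax.
GOOD_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "PLACEHOLDER-PRINCIPAL",
    "Action": ["s3:GetObject", *MANAGE_ACTIONS], "Resource": "arn:aws:s3:::example-bucket/*"}]})
BAD_POLICY = json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, lint_policy(policy, "ab1cd2"))
```

A finding about a missing management action is a warning, not an error: the organization access policy may still allow that action for the intended users.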
Set a policy with CLI tools
The s3:PutBucketPolicy API call sets a policy for a bucket. The following tabs describe how to set a bucket access policy with different tools. After you run one of these commands successfully, the new policy applies to the specified bucket, and CoreWeave evaluates access according to it on subsequent requests.
- AWS CLI
- s3cmd
- Boto3
Fill in the following parameters:
- [BUCKET-NAME] with the name of the bucket you want to set the policy for.
- [FILE-PATH] with the path to the file containing the policy.
Example command
Set a policy with Terraform
To use the CoreWeave Terraform provider to set a bucket access policy, use the coreweave_object_storage_bucket_policy resource.
You can set the policy in one of the following ways:
- Pass an encoded JSON string directly to the policy attribute.
- Use the coreweave_object_storage_bucket_policy_document data source to create the policy.
- Pass JSON to policy attribute
- Use the policy document data source
Roles for bucket access policies
You can use roles in bucket access policies to specify a set of permissions for a user or group of users. This lets you grant permissions to identities defined outside of CoreWeave (for example, through SAML) as well as to CoreWeave Cloud Console users. Define roles in the Principal field of the policy. The following table describes the fields that define roles in a bucket access policy.
| Value | Description |
|---|---|
| org-id | A static identifier for your organization at CoreWeave. If you use Conditions instead of the Principal field, you can substitute a variable like cw:ResourceOrgId for the actual value. |
| principal-provider | Specifies where the principal came from. For example, the principal-provider for a SAML integration is saml. Similarly, it’s coreweave for a user inside CoreWeave’s cloud. You can also use this field to specify a role targeting principals who have credentials for specific roles. |
| principal-name | Identifies the actual actor from the specified provider. For example, if the principal-provider is saml, then that name is the value of the PrincipalName attribute in the SAML assertion. For Cloud Console users, this value is the user’s UID, which appears in that user’s Settings in Cloud Console. |