> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.
# Manage bucket policies
> How to manage bucket policies in CoreWeave AI Object Storage
This page shows bucket owners and administrators how to create and update bucket access policies for CoreWeave AI Object Storage buckets. Use these policies to control which principals can perform which actions on a specific bucket and its objects.
An Object Storage [bucket access policy](/products/storage/object-storage/auth-access/bucket-access/bucket-policies) is a JSON object that defines access to operations and the objects for the bucket it's assigned to. Each bucket access policy applies to an individual bucket and controls access to the resources inside the bucket.
Before you set a bucket access policy, you must set at least one [organization access policy](/products/storage/object-storage/auth-access/organization-policies/manage) for your organization to access the bucket. Bucket access policies are evaluated after organization access policies.
You can set bucket access policies programmatically with the [S3-compatible API](/products/storage/object-storage/reference/object-storage-s3) using standard S3 tools like `aws s3api` or `s3cmd`, or with the [CoreWeave Terraform provider](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy). Although you can set organization access policies in the Cloud Console, you can't set bucket access policies there.
## Prerequisites
* You are a member of the CoreWeave organization that owns the bucket (the "bucket owner").
* Your [organization access policy](/products/storage/object-storage/auth-access/organization-policies/manage) allows `s3:PutBucketPolicy` on the target bucket (or `s3:*` on all buckets).
* You have an [AI Object Storage Access Key](/products/storage/object-storage/auth-access/manage-access-keys/create-keys).
* You have an S3-compatible client (`aws s3api`, `s3cmd`, or Boto3) [configured for AI Object Storage](/products/storage/object-storage/using-object-storage/configure-endpoints), or you're using the [CoreWeave Terraform provider](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy).
Only principals from the bucket's owning organization can set or update its bucket access policy. Cross-organization users can't modify bucket policies, even if they have other permissions on the bucket.
### Find your Org ID
You need your Org ID to scope your bucket access policies safely to your organization.
Your **Org ID** is a short hexadecimal string (for example, `ab1cd2`). Find it on the [Settings page](https://console.coreweave.com/account/settings) of your Cloud Console account.
## Policy evaluation
CoreWeave allows or denies access to a bucket by evaluating both the [organization and bucket access policies](/products/storage/object-storage/reference/object-storage-api-ref#ensureaccesspolicy) as follows:
```mermaid theme={"system"}
graph LR
A[Start] --> B{An Org
Access Policy
exists?}
B -->|No| E[Deny]
B -->|Yes| C{Evaluate the
Org Policy}
C --> |Deny| G[Deny]
C --> |Allow| F{A Bucket Access
Policy exists?}
F --> |No| H{Does principal's
Org match the
Bucket's Org?}
H --> |No| J[Deny]
H --> |Yes| L[Allow]
F --> |Yes| I{Evaluate the
Bucket Access Policy}
I --> |Deny| M[Deny]
I --> |Allow| K[Allow]
```
## Example policies
For sample bucket policies, see [Bucket access policy examples](/products/storage/object-storage/auth-access/bucket-access/examples).
## Set a policy with CLI tools
The `s3:PutBucketPolicy` API call sets a policy for a bucket. The following tabs describe how to set a bucket access policy with different tools. After you run one of these commands successfully, the new policy applies to the specified bucket, and CoreWeave evaluates access according to it on subsequent requests.
Fill in the following parameters:
* `[BUCKET-NAME]` with the name of the bucket you want to set the policy for.
* `[FILE-PATH]` with the path to the file containing the policy.
```bash title="Example command" theme={"system"}
aws s3api put-bucket-policy --bucket [BUCKET-NAME] --policy [FILE-PATH]
```
Fill in the following parameters:
* `[BUCKET-NAME]` with the name of the bucket you want to set the policy for.
* `[FILE-PATH]` with the path to the file containing the policy.
```bash title="Example command" theme={"system"}
s3cmd setpolicy [FILE-PATH] s3://[BUCKET-NAME]
```
1. Set environment variables for your CoreWeave credentials:
```bash theme={"system"}
export ACCESS_KEY_ID="[ACCESS-KEY-ID]"
export SECRET_ACCESS_KEY="[SECRET-ACCESS-KEY]"
```
2. Replace `[BUCKET-NAME]` with the name of the bucket and `[ORG-ID]` with your organization's ID.
```python title="Set a bucket policy" theme={"system"}
import os
import json
import boto3
from botocore.client import Config
boto_config = Config(
region_name='US-EAST-04A',
s3={'addressing_style': 'virtual'}
)
s3 = boto3.client(
's3',
endpoint_url='https://cwobject.com',
aws_access_key_id=os.environ['ACCESS_KEY_ID'],
aws_secret_access_key=os.environ['SECRET_ACCESS_KEY'],
config=boto_config
)
bucket_name = '[BUCKET-NAME]'
org_id = '[ORG-ID]'
policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPutObject",
"Effect": "Allow",
"Principal": {"AWS": "*"},
"Action": ["s3:PutObject", "s3:PutObjectAcl"],
"Resource": [f"arn:aws:s3:::{bucket_name}/*"],
"Condition": {
"StringEquals": {
"cw:PrincipalOrgID": [org_id]
}
}
}
]
}
response = s3.put_bucket_policy(
Bucket=bucket_name,
Policy=json.dumps(policy)
)
print(response)
```
## Set a policy with Terraform
To use the CoreWeave Terraform provider to set a bucket access policy, use the [`coreweave_object_storage_bucket_policy` resource](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy).
You can set the policy in one of the following ways:
* Pass an encoded JSON string directly to the `policy` attribute.
* Use the `coreweave_object_storage_bucket_policy_document` data source to create the policy.
The following tabs show one example for each approach. Both examples allow all CoreWeave principals from the organization to perform all S3 actions on the bucket and its objects.
Be cautious when you use `*` in the `Principal` field: it grants access to all principals, including those from other organizations. You must use `Condition` to restrict access to only CoreWeave principals from the specific organization.
```hcl theme={"system"}
## Example using jsonencode to pass a raw JSON string to the policy attribute
locals {
bucket_policy = {
Version = "2012-10-17"
Statement = [
{
Sid = "AllowAllInOrg"
Effect = "Allow"
Principal = {
"CW" : ["*"]
}
Action = ["s3:*"]
Resource = [
"arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}",
"arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}/*",
]
Condition = {
"StringEquals" = {
"cw:PrincipalOrgID" = ["${var.org_id}"]
}
}
},
]
}
}
resource "coreweave_object_storage_bucket" "raw" {
name = "bucket-policy-raw-example"
zone = "US-EAST-04A"
}
resource "coreweave_object_storage_bucket_policy" "raw" {
bucket = coreweave_object_storage_bucket.raw.name
policy = jsonencode(local.bucket_policy)
}
```
```hcl theme={"system"}
## Example using the coreweave_object_storage_bucket_policy_document data source
resource "coreweave_object_storage_bucket" "doc" {
name = "bucket-policy-doc-example"
zone = "US-EAST-04A"
}
data "coreweave_object_storage_bucket_policy_document" "doc" {
version = "2012-10-17"
statement {
sid = "AllowAllInOrg"
effect = "Allow"
action = ["s3:*"]
resource = [
"arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}",
"arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}/*",
]
principal = {
"CW" : ["*"]
}
condition = {
"StringEquals" = {
"cw:PrincipalOrgID" = ["${var.org_id}"]
}
}
}
}
resource "coreweave_object_storage_bucket_policy" "doc" {
bucket = coreweave_object_storage_bucket.doc.name
policy = data.coreweave_object_storage_bucket_policy_document.doc.json
}
```
[This resource is also available in OpenTofu](https://search.opentofu.org/provider/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy). See [Use Terraform to manage CoreWeave AI Object Storage infrastructure as code](/products/storage/object-storage/use-terraform-aws-provider) for more information.
## Roles for bucket access policies
You can use roles in bucket access policies to specify a set of permissions for a user or group of users. This lets you grant permissions to identities defined outside of CoreWeave (for example, through SAML) as well as to CoreWeave Cloud Console users. Define roles in the `Principal` field of the policy. The following table describes the fields that define roles in a bucket access policy.
| Value | Description |
| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| `org-id` | A static identifier for [your organization at CoreWeave](/security/authn-authz/orgs-users#organization-ids). If you use `Conditions` instead of the `Principal` field, you can substitute a variable like `cw:ResourceOrgId` for the actual value. |
| `principal-provider` | Specifies where the principal came from. For example, the `principal-provider` for a SAML integration is `saml`. Similarly, it's `coreweave` for a user inside CoreWeave's cloud. You can also use this field to specify a `role` targeting principals who have credentials for specific roles. |
| `principal-name` | Identifies the actual actor from the specified provider. For example, if the `principal-provider` is `saml`, then that name is the value of [the `PrincipalName` attribute in the SAML assertion](/products/storage/object-storage/auth-access/manage-access-keys/about). For Cloud Console users, this value is the user's `UID`, which appears in that user's **Settings** in Cloud Console. |
## Additional resources
For more information, see:
* [About authentication and access control](/products/storage/object-storage/auth-access/about).
* [About organization access policies](/products/storage/object-storage/auth-access/organization-policies/about).
* [About bucket access policies](/products/storage/object-storage/auth-access/bucket-access/bucket-policies).
* [Use Terraform to manage CoreWeave AI Object Storage infrastructure as code](/products/storage/object-storage/use-terraform-aws-provider).