# Manage bucket policies

> How to manage bucket policies in CoreWeave AI Object Storage

This page shows bucket owners and administrators how to create and update bucket access policies for CoreWeave AI Object Storage buckets. Use these policies to control which principals can perform which actions on a specific bucket and its objects.

An Object Storage [bucket access policy](/products/storage/object-storage/auth-access/bucket-access/bucket-policies) is a JSON object that defines access to operations and the objects for the bucket it's assigned to. Each bucket access policy applies to an individual bucket and controls access to the resources inside the bucket.

Before you set a bucket access policy, you must set at least one [organization access policy](/products/storage/object-storage/auth-access/organization-policies/manage) for your organization to access the bucket. Bucket access policies are evaluated after organization access policies.

You can set bucket access policies from the [Cloud Console](https://console.coreweave.com/object-storage/buckets), programmatically with the [S3-compatible API](/products/storage/object-storage/reference/object-storage-s3) using standard S3 tools like `aws s3api` or `s3cmd`, or with the [CoreWeave Terraform provider](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy).

## Prerequisites

* You are a member of the CoreWeave organization that owns the bucket (the "bucket owner").
* Your [organization access policy](/products/storage/object-storage/auth-access/organization-policies/manage) allows `s3:PutBucketPolicy` on the target bucket (or `s3:*` on all buckets).
* You have an [AI Object Storage Access Key](/products/storage/object-storage/auth-access/manage-access-keys/create-keys).
* You have an S3-compatible client (`aws s3api`, `s3cmd`, or Boto3) [configured for AI Object Storage](/products/storage/object-storage/using-object-storage/configure-endpoints), or you're using the [CoreWeave Terraform provider](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy).

<Note>
  Only principals from the bucket's owning organization can set or update its bucket access policy. Cross-organization users can't modify bucket policies, even if they have other permissions on the bucket.
</Note>

### Find your Org ID

You need your Org ID to scope your bucket access policies safely to your organization.

Your **Org ID** is a short hexadecimal string (for example, `ab1cd2`). Find it on the [Settings page](https://console.coreweave.com/account/settings) of your Cloud Console account.

## Policy evaluation

CoreWeave allows or denies access to a bucket by evaluating both the [organization and bucket access policies](/products/storage/object-storage/reference/object-storage-api-ref/cwobject/apply-or-update-access-policy) as follows:

```mermaid theme={"system"}
graph LR
    A[Start] --> B{An Org<br />Access Policy<br />exists?}
    B -->|No| E[Deny]
    B -->|Yes| C{Evaluate the<br />Org Policy}


    C --> |Deny| G[Deny]
    C --> |Allow| F{A Bucket Access<br />Policy exists?}

    F --> |No| H{Does principal's<br />Org match the<br />Bucket's Org?}
    H --> |No| J[Deny]
    H --> |Yes| L[Allow]

    F --> |Yes| I{Evaluate the<br />Bucket Access Policy}
    I --> |Deny| M[Deny]
    I --> |Allow| K[Allow]
```
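The flowchart reads as a short decision procedure, and it is easier to reason about lock-outs and cross-organization access when that procedure is spelled out in code. The following is an added example, not CoreWeave's evaluation engine: the statement matcher is a deliberate simplification (glob matching on `Action`, `Resource` and the `Principal` `CW` entries, and a `StringEquals` condition on `cw:PrincipalOrgID`), and the "an explicit `Deny` overrides any `Allow`, otherwise default deny" precedence inside a single policy is the usual S3 convention assumed here, not something this page states. The policies and requests are constructed for the example.

```python
"""Trace a request through the organization-policy / bucket-policy evaluation order
shown in the flowchart. Added example; the matcher is a simplification."""
from fnmatch import fnmatchcase

ALLOW, DENY = "Allow", "Deny"


def _listify(v):
    return v if isinstance(v, list) else [v]


def _matches_any(patterns, value):
    return any(fnmatchcase(value, p) for p in _listify(patterns))


def _statement_applies(stmt, request):
    """True when Principal, Action, Resource and Condition all match the request."""
    principal = stmt.get("Principal", {})
    principals = ["*"] if principal == "*" else _listify(principal.get("CW", []))
    if not _matches_any(principals, request["principal"]):
        return False
    if not _matches_any(stmt["Action"], request["action"]):
        return False
    if not _matches_any(stmt["Resource"], request["resource"]):
        return False
    wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("cw:PrincipalOrgID")
    if wanted is not None and request["principal_org"] not in _listify(wanted):
        return False
    return True


def evaluate_policy(policy, request):
    """Assumed S3-style precedence: explicit Deny wins, then any Allow, else Deny."""
    decision = DENY
    for stmt in policy["Statement"]:
        if not _statement_applies(stmt, request):
            continue
        if stmt["Effect"] == DENY:
            return DENY
        decision = ALLOW
    return decision


def evaluate_access(org_policy, bucket_policy, request, bucket_org):
    """The decision flow from the diagram; returns (decision, reason)."""
    if org_policy is None:
        return DENY, "no organization access policy"
    if evaluate_policy(org_policy, request) == DENY:
        return DENY, "organization access policy denies"
    if bucket_policy is None:
        if request["principal_org"] == bucket_org:
            return ALLOW, "no bucket policy; principal is in the bucket's org"
        return DENY, "no bucket policy; principal is from another org"
    if evaluate_policy(bucket_policy, request) == DENY:
        return DENY, "bucket access policy denies"
    return ALLOW, "bucket access policy allows"


# Constructed sample data (Org ID format as described on this page).
ORG = "ab1cd2"
BUCKET = "example-bucket"
ORG_POLICY = {  # every coreweave principal in the org may do anything on this bucket
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OrgWide", "Effect": "Allow",
        "Principal": {"CW": [f"arn:aws:iam::{ORG}:coreweave/*"]},
        "Action": ["s3:*"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}
BUCKET_POLICY = {  # read-only for the org, plus an explicit deny on one prefix
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadInOrg", "Effect": "Allow",
         "Principal": {"CW": ["*"]},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
         "Condition": {"StringEquals": {"cw:PrincipalOrgID": [ORG]}}},
        {"Sid": "DenySecrets", "Effect": "Deny",
         "Principal": {"CW": ["*"]},
         "Action": ["s3:*"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/secrets/*"]},
    ],
}


def make_request(action, key=None, principal_org=ORG, user="alice"):
    """Build a request record for a hypothetical coreweave user in `principal_org`."""
    resource = f"arn:aws:s3:::{BUCKET}/{key}" if key else f"arn:aws:s3:::{BUCKET}"
    return {"principal": f"arn:aws:iam::{principal_org}:coreweave/{user}",
            "principal_org": principal_org, "action": action, "resource": resource}


if __name__ == "__main__":
    for req in (make_request("s3:GetObject", "data/a.bin"),
                make_request("s3:PutObject", "data/a.bin"),
                make_request("s3:GetObject", "secrets/key"),
                make_request("s3:GetObject", "data/a.bin", principal_org="ff9900")):
        print(req["action"], req["resource"], "->",
              evaluate_access(ORG_POLICY, BUCKET_POLICY, req, ORG))
```

Running it shows the four paths that matter in practice: a read inside the org is allowed by both layers, a write is stopped by the read-only bucket policy, the `secrets/` read is stopped by the explicit deny even though `ReadInOrg` would have allowed it, and a principal from another organization never reaches the bucket policy because the organization policy already denies it.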

## Example policies

For sample bucket policies, see [Bucket access policy examples](/products/storage/object-storage/auth-access/bucket-access/examples).

## Set a policy with the Cloud Console

You can view, create, edit, and delete a bucket's access policy directly from the [Cloud Console](https://console.coreweave.com/object-storage/buckets) with no CLI tools required. Your organization access policy must allow `s3:GetBucketPolicy` to view a policy, `s3:PutBucketPolicy` to create or edit one, and `s3:DeleteBucketPolicy` to delete one. See the [Console permissions reference](/products/storage/object-storage/auth-access/organization-policies/console-permissions) for the full list.

1. Sign in to the [Cloud Console](https://console.coreweave.com/object-storage/buckets) and navigate to **Object Storage** > **Buckets**.
2. In the bucket's row, open the **More options** menu (the ellipsis icon) and select **Bucket policy**. A drawer opens with the bucket's current policy.
3. In the drawer:
   * To **create a policy** when none is attached, click **Create default policy** to populate a starter template, customize it, and click **Create policy**.
   * To **edit an existing policy**, update the JSON and click **Save**. Live validation disables **Save** on invalid JSON.
   * To **replace a hidden policy** (when you lack `s3:GetBucketPolicy`), compose a new policy and click **Overwrite…**, then confirm.
   * To **delete the policy**, click **Delete policy** and confirm. The button only appears when your organization access policy allows `s3:DeleteBucketPolicy`.

<Note>
  Changes can take a few seconds to appear after saving.
</Note>

### Default policy template

The **Create default policy** button populates the editor with the following structure, scoped to your organization and your user:

```json theme={"system"}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOrgAccess",
      "Effect": "Allow",
      "Principal": {
        "CW": [
          "arn:aws:iam::[ORG-ID]:coreweave/*",
          "arn:aws:iam::[ORG-ID]:coreweave/[YOUR-USER-ID]"
        ]
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads",
        "s3:ListMultipartUploadParts",
        "s3:AbortMultipartUpload",
        "s3:GetBucketPolicy",
        "s3:PutBucketPolicy",
        "s3:DeleteBucketPolicy"
      ],
      "Resource": [
        "arn:aws:s3:::[BUCKET-NAME]",
        "arn:aws:s3:::[BUCKET-NAME]/*"
      ],
      "Condition": {
        "StringEquals": { "cw:PrincipalOrgID": ["[ORG-ID]"] }
      }
    }
  ]
}
```

The template includes `s3:GetBucketPolicy`, `s3:PutBucketPolicy`, and `s3:DeleteBucketPolicy` deliberately. Keep these actions for any user that needs to manage the policy later.

## Set a policy with CLI tools

The S3 `PutBucketPolicy` API call (gated by the `s3:PutBucketPolicy` permission in your organization access policy) sets a policy for a bucket. The following tabs describe how to set a bucket access policy with different tools. After you run one of these commands successfully, the new policy applies to the specified bucket, and CoreWeave evaluates access according to it on subsequent requests.

<Tabs>
  <Tab title="AWS CLI">
    Fill in the following parameters:

    * `[BUCKET-NAME]` with the name of the bucket you want to set the policy for.
    * `[FILE-PATH]` with the path to the file containing the policy.

    ```bash title="Example command" theme={"system"}
    aws s3api put-bucket-policy --bucket [BUCKET-NAME] --policy [FILE-PATH]
    ```
  </Tab>

  <Tab title="s3cmd">
    Fill in the following parameters:

    * `[BUCKET-NAME]` with the name of the bucket you want to set the policy for.
    * `[FILE-PATH]` with the path to the file containing the policy.

    ```bash title="Example command" theme={"system"}
    s3cmd setpolicy [FILE-PATH] s3://[BUCKET-NAME]
    ```
  </Tab>

  <Tab title="Boto3">
    1. Set environment variables for your CoreWeave credentials:

       ```bash theme={"system"}
       export ACCESS_KEY_ID="[ACCESS-KEY-ID]"
       export SECRET_ACCESS_KEY="[SECRET-ACCESS-KEY]"
       ```

    2. Replace `[BUCKET-NAME]` with the name of the bucket and `[ORG-ID]` with your organization's ID.

       ```python title="Set a bucket policy" theme={"system"}
       import os
       import json
       import boto3
       from botocore.client import Config

       # Virtual-hosted addressing puts the bucket name in the hostname;
       # the region name matches the bucket's zone.
       boto_config = Config(
           region_name='US-EAST-04A',
           s3={'addressing_style': 'virtual'}
       )

       # Credentials come from the environment variables exported in step 1.
       s3 = boto3.client(
           's3',
           endpoint_url='https://cwobject.com',
           aws_access_key_id=os.environ['ACCESS_KEY_ID'],
           aws_secret_access_key=os.environ['SECRET_ACCESS_KEY'],
           config=boto_config
       )

       bucket_name = '[BUCKET-NAME]'
       org_id = '[ORG-ID]'

       # Allow uploads, but only to principals from your own organization:
       # the "*" principal is narrowed by the cw:PrincipalOrgID condition.
       policy = {
           "Version": "2012-10-17",
           "Statement": [
               {
                   "Sid": "AllowPutObject",
                   "Effect": "Allow",
                   "Principal": {"AWS": "*"},
                   "Action": ["s3:PutObject", "s3:PutObjectAcl"],
                   "Resource": [f"arn:aws:s3:::{bucket_name}/*"],
                   "Condition": {
                       "StringEquals": {
                           "cw:PrincipalOrgID": [org_id]
                       }
                   }
               }
           ]
       }

       # PutBucketPolicy replaces whatever policy the bucket currently has.
       response = s3.put_bucket_policy(
           Bucket=bucket_name,
           Policy=json.dumps(policy)
       )

       print(response)
       ```
  </Tab>
</Tabs>

## Set a policy with Terraform

To use the CoreWeave Terraform provider to set a bucket access policy, use the [`coreweave_object_storage_bucket_policy` resource](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy).

You can set the policy in one of the following ways:

* Pass an encoded JSON string directly to the `policy` attribute.
* Use the `coreweave_object_storage_bucket_policy_document` data source to create the policy.

The following tabs show one example for each approach. Both examples allow all CoreWeave principals from the organization to perform all S3 actions on the bucket and its objects.

<Warning>
  Be cautious when you use `*` in the `Principal` field: it grants access to all principals, including those from other organizations. You must use `Condition` to restrict access to only CoreWeave principals from the specific organization.
</Warning>
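Two cautions on this page are easy to violate when a policy is edited by hand: the default template's note that the `s3:GetBucketPolicy`, `s3:PutBucketPolicy` and `s3:DeleteBucketPolicy` actions should stay with whoever manages the policy, and the warning above that a `*` principal must be narrowed with a `cw:PrincipalOrgID` condition. The following pre-flight linter is an added example, not part of the CoreWeave docs or tooling; it checks both points, plus that every `Resource` ARN refers to the bucket the policy is written for, on a policy document before you upload it with any of the tools in this section. The `default_policy` helper reproduces the Console's default template from above; the finding format, the `Principal` keys it inspects (`CW`, and `AWS` as in the Boto3 sample) and the sample policy are this example's own.

```python
"""Pre-flight checks for a bucket access policy document. Added example."""
import json

MANAGEMENT_ACTIONS = {"s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"}


def default_policy(org_id, user_id, bucket_name):
    """The Console's default template, filled in with the given values."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowOrgAccess",
            "Effect": "Allow",
            "Principal": {"CW": [f"arn:aws:iam::{org_id}:coreweave/*",
                                 f"arn:aws:iam::{org_id}:coreweave/{user_id}"]},
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket",
                       "s3:ListBucketMultipartUploads", "s3:ListMultipartUploadParts",
                       "s3:AbortMultipartUpload", "s3:GetBucketPolicy",
                       "s3:PutBucketPolicy", "s3:DeleteBucketPolicy"],
            "Resource": [f"arn:aws:s3:::{bucket_name}", f"arn:aws:s3:::{bucket_name}/*"],
            "Condition": {"StringEquals": {"cw:PrincipalOrgID": [org_id]}},
        }],
    }


def _listify(v):
    return v if isinstance(v, list) else [v]


def _principals(stmt):
    """Flatten the Principal field into a list of principal strings."""
    p = stmt.get("Principal", {})
    if p == "*":
        return ["*"]
    out = []
    for key in ("CW", "AWS"):
        out.extend(_listify(p.get(key, [])))
    return out


def lint_bucket_policy(policy, bucket_name, org_id):
    """Return (severity, sid, message) findings; an empty list means all checks passed."""
    findings = []
    if policy.get("Version") != "2012-10-17":
        findings.append(("error", None, "Version must be 2012-10-17"))
    management_kept = False
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = set(_listify(stmt.get("Action", [])))
        orgs = set(_listify(stmt.get("Condition", {}).get("StringEquals", {})
                            .get("cw:PrincipalOrgID", [])))
        # Caution 1: a bare "*" principal in an Allow must be scoped to your own org.
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt):
            if not orgs:
                findings.append(("error", sid, 'Principal "*" without a cw:PrincipalOrgID condition'))
            elif orgs != {org_id}:
                findings.append(("error", sid, f"cw:PrincipalOrgID {sorted(orgs)} is not your org {org_id}"))
        # Every Resource must be this bucket or an object path inside it.
        for res in _listify(stmt.get("Resource", [])):
            if res != f"arn:aws:s3:::{bucket_name}" and not res.startswith(f"arn:aws:s3:::{bucket_name}/"):
                findings.append(("error", sid, f"Resource {res} is not in bucket {bucket_name}"))
        # Caution 2: someone must keep the policy-management actions.
        if stmt.get("Effect") == "Allow" and (MANAGEMENT_ACTIONS <= actions or "s3:*" in actions):
            management_kept = True
    if not management_kept:
        findings.append(("warning", None, "no Allow statement keeps s3:GetBucketPolicy, "
                         "s3:PutBucketPolicy and s3:DeleteBucketPolicy; keep them for whoever "
                         "must manage the policy later"))
    return findings


def lint_policy_file(path, bucket_name, org_id):
    """Lint a policy stored as JSON on disk (the [FILE-PATH] the CLI tabs take)."""
    with open(path, encoding="utf-8") as fh:
        return lint_bucket_policy(json.load(fh), bucket_name, org_id)


# Constructed sample: readable by every organization, and drops the management actions.
UNSCOPED_READ = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AnyoneCanRead",
        "Effect": "Allow",
        "Principal": {"CW": ["*"]},
        "Action": ["s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-bucket/*"],
    }],
}

if __name__ == "__main__":
    print(lint_bucket_policy(default_policy("ab1cd2", "u-example", "example-bucket"),
                             "example-bucket", "ab1cd2"))
    for finding in lint_bucket_policy(UNSCOPED_READ, "example-bucket", "ab1cd2"):
        print(*finding)
```

The filled-in default template passes cleanly, while the constructed `UNSCOPED_READ` policy produces one error (the unscoped `*` principal) and one warning (no principal keeps the management actions). Run `lint_policy_file` on the JSON you are about to pass to `aws s3api put-bucket-policy` or `s3cmd setpolicy`, and treat any `error` as a reason not to upload.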

<Tabs>
  <Tab title="Pass JSON to policy attribute">
    ```hcl theme={"system"}
    ## Example using jsonencode to pass a raw JSON string to the policy attribute

    locals {
      bucket_policy = {
        Version = "2012-10-17"
        Statement = [
          {
            Sid    = "AllowAllInOrg"
            Effect = "Allow"
            Principal = {
              "CW" : ["*"]
            }
            Action   = ["s3:*"]
            Resource = [
              "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}",
              "arn:aws:s3:::${coreweave_object_storage_bucket.raw.name}/*",
            ]
            Condition = {
              "StringEquals" = {
                "cw:PrincipalOrgID" = [var.org_id]
              }
            }
          },
        ]
      }
    }

    resource "coreweave_object_storage_bucket" "raw" {
      name = "bucket-policy-raw-example"
      zone = "US-EAST-04A"
    }

    resource "coreweave_object_storage_bucket_policy" "raw" {
      bucket = coreweave_object_storage_bucket.raw.name
      policy = jsonencode(local.bucket_policy)
    }
    ```
  </Tab>

  <Tab title="Use the policy document data source">
    ```hcl theme={"system"}
    ## Example using the coreweave_object_storage_bucket_policy_document data source

    resource "coreweave_object_storage_bucket" "doc" {
      name = "bucket-policy-doc-example"
      zone = "US-EAST-04A"
    }

    data "coreweave_object_storage_bucket_policy_document" "doc" {
      version = "2012-10-17"

      statement {
        sid      = "AllowAllInOrg"
        effect   = "Allow"
        action   = ["s3:*"]
        resource = [
          "arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}",
          "arn:aws:s3:::${coreweave_object_storage_bucket.doc.name}/*",
        ]
        principal = {
          "CW" : ["*"]
        }
        condition = {
          "StringEquals" = {
            "cw:PrincipalOrgID" = var.org_id
          }
        }
      }
    }

    resource "coreweave_object_storage_bucket_policy" "doc" {
      bucket = coreweave_object_storage_bucket.doc.name
      policy = data.coreweave_object_storage_bucket_policy_document.doc.json
    }
    ```
  </Tab>
</Tabs>

[This resource is also available in OpenTofu](https://search.opentofu.org/provider/coreweave/coreweave/latest/docs/resources/object_storage_bucket_policy). See [Use Terraform to manage CoreWeave AI Object Storage infrastructure as code](/products/storage/object-storage/use-terraform-aws-provider) for more information.

## Roles for bucket access policies

You can use roles in bucket access policies to grant a set of permissions to a user or group of users. This lets you grant permissions to identities defined outside of CoreWeave (for example, through SAML) as well as to CoreWeave Cloud Console users. Roles are named in the `Principal` field of the policy as ARNs of the form `arn:aws:iam::<org-id>:<principal-provider>/<principal-name>` (compare the `arn:aws:iam::[ORG-ID]:coreweave/[YOUR-USER-ID]` entry in the default template above). The following table describes the three fields.

| Field                | Description |
| -------------------- | ----------- |
| `org-id`             | A static identifier for [your organization at CoreWeave](/security/authn-authz/orgs-users#organization-ids). If you use `Condition` instead of the `Principal` field, you can substitute a variable like `cw:ResourceOrgId` for the actual value. |
| `principal-provider` | Specifies where the principal came from. For example, the `principal-provider` for a SAML integration is `saml`. Similarly, it's `coreweave` for a user inside CoreWeave's cloud. You can also use this field to specify a `role` targeting principals who have credentials for specific roles. |
| `principal-name`     | Identifies the actual actor from the specified provider. For example, if the `principal-provider` is `saml`, then that name is the value of [the `PrincipalName` attribute in the SAML assertion](/products/storage/object-storage/auth-access/manage-access-keys/about). For Cloud Console users, this value is the user's `UID`, which appears in that user's **Settings** in Cloud Console. |
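When reviewing a policy it helps to decompose each principal ARN into the three fields in the table and to check which concrete identities a pattern covers. The following parser is an added example, not CoreWeave's own code. It takes the ARN shape from the default template on this page (`arn:aws:iam::[ORG-ID]:coreweave/[YOUR-USER-ID]`), accepts only the providers the table names (`coreweave`, `saml`, `role`), and treats a trailing `*` as "any `principal-name` from that provider", following the template's `arn:aws:iam::[ORG-ID]:coreweave/*` entry. The character classes in the regular expression (hexadecimal Org ID, no `/` in the name) are this example's assumptions.

```python
"""Parse and compare CoreWeave principal ARNs. Added example; regex rules are assumptions."""
import re
from typing import NamedTuple

# Org ID is described on this page as a short hexadecimal string, e.g. ab1cd2.
_ARN = re.compile(r"^arn:aws:iam::(?P<org_id>[0-9A-Fa-f]+):(?P<provider>[A-Za-z0-9-]+)/(?P<name>[^/]+)$")
KNOWN_PROVIDERS = {"coreweave", "saml", "role"}   # the providers this page's table names


class Principal(NamedTuple):
    org_id: str
    provider: str
    name: str   # "*" means any principal-name from this provider


def parse_principal(arn: str) -> Principal:
    """Split an ARN into org-id, principal-provider and principal-name, or raise ValueError."""
    m = _ARN.match(arn)
    if not m:
        raise ValueError(f"not a CoreWeave principal ARN: {arn!r}")
    p = Principal(**m.groupdict())
    if p.provider not in KNOWN_PROVIDERS:
        raise ValueError(f"unknown principal-provider {p.provider!r} in {arn!r}")
    return p


def fields(arn: str) -> dict:
    """Return the parsed ARN keyed by the field names used in the table above."""
    p = parse_principal(arn)
    return {"org-id": p.org_id, "principal-provider": p.provider, "principal-name": p.name}


def principal_matches(pattern: str, actual: str) -> bool:
    """True when the concrete principal `actual` is covered by `pattern`.

    `pattern` may be the bare "*" (every principal, which is why this page insists on
    a cw:PrincipalOrgID condition alongside it) or an ARN whose name is "*".
    """
    if pattern == "*":
        return True
    pat, act = parse_principal(pattern), parse_principal(actual)
    if act.name == "*":
        raise ValueError("actual principal must be concrete, not a wildcard")
    return (pat.org_id == act.org_id and pat.provider == act.provider
            and pat.name in ("*", act.name))


if __name__ == "__main__":
    # Constructed sample values.
    print(fields("arn:aws:iam::ab1cd2:saml/alice@example.com"))
    print(principal_matches("arn:aws:iam::ab1cd2:coreweave/*", "arn:aws:iam::ab1cd2:coreweave/u-123"))
    print(principal_matches("arn:aws:iam::ab1cd2:coreweave/*", "arn:aws:iam::ff9900:coreweave/u-123"))
```

Note that an ARN-level wildcard such as `arn:aws:iam::ab1cd2:coreweave/*` still pins the organization and the provider, which is why the default template can use it without a separate condition, whereas the bare `*` matches every principal from every organization.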

## Additional resources

For more information, see:

* [About authentication and access control](/products/storage/object-storage/auth-access/about).
* [About organization access policies](/products/storage/object-storage/auth-access/organization-policies/about).
* [About bucket access policies](/products/storage/object-storage/auth-access/bucket-access/bucket-policies).
* [Use Terraform to manage CoreWeave AI Object Storage infrastructure as code](/products/storage/object-storage/use-terraform-aws-provider).
