Direct access token exchange
To exchange a CoreWeave API access token directly for temporary AI Object Storage credentials, you need the Object Storage Admin role or an organization access policy that grants cwobject:CreateAccessKey. You can also use the iam:[ORG-ID]:groups condition key for group-based access control.
- Duration: Keys are ephemeral and refresh automatically through the AWS container credentials provider. The keys are valid for 15 minutes.
- Identity format: coreweave/[UID].
Workload Identity Federation
Workload Identity Federation is recommended for production workloads. Instead of storing long-lived credentials, your applications obtain tokens from your existing identity provider and exchange them for short-lived Access Keys that expire automatically.
Workload Identity Federation with OIDC
OIDC is the recommended method for cloud-native and Kubernetes workloads. It uses short-lived tokens from your identity provider, such as GitHub Actions, a Kubernetes service account, or any OIDC-capable IdP, and exchanges them for temporary Access Keys with a 15-minute lifespan. OIDC is the standard approach for machine-to-machine authentication in cloud environments. To generate keys with OIDC tokens, submit API requests to CreateAccessKeyFromOIDC. The endpoint accepts a GET request that includes the Organization ID and passes the OIDC token in the Authorization header.
- Duration: Keys are ephemeral with a 15-minute lifespan.
- Identity format: role/[ISSUER-URL]:[SUBJECT-USER-ID].
Workload Identity Federation with SAML
For enterprise use cases, Object Storage also supports SAML assertions. SAML suits organizations that already have SAML-based identity infrastructure and require integration with enterprise IdPs such as Active Directory Federation Services or similar systems. To generate keys with SAML assertions, submit API requests to CreateAccessKeyFromSAML. These keys have the following characteristics:
- Duration: Keys are ephemeral with a maximum lifespan of 12 hours.
- Identity format: role/[SAML-ROLE].
- Requirements: You must create a valid configId from a Workload Identity Federation configuration and pass it in the API request. For more information, see Using Workload Identity Federation with SAML.
Static access keys
Creating static access keys requires the Object Storage Admin role or an organization access policy that grants cwobject:CreateAccessKey. To create them, submit API requests to CreateAccessKeyFromJWT. These keys have the following characteristics:
- Duration: Keys can be persistent, or they can be time-limited for up to 12 hours.
- Identity format: coreweave/[PRINCIPAL-UID].
- Requirements: The API access token used to create the Access Key must have write permissions for Object Storage so users can upload data. For details, see Create a CoreWeave API access token.
Identity formats
You can use the Access Key identity format to audit and diagnose access. To find out how an Access Key was created, examine its identity format:

| Creation method | Identity format | Example |
|---|---|---|
| OIDC tokens | role/[ISSUER-URL]:[SUBJECT] | role/https://oidc.cks.coreweave.com/id/3f9a2c14-7d6e-4b81-9a05-2c8e1f4b6d3a:system:serviceaccount:default:default |
| API access token | coreweave/[PRINCIPAL-UID] | coreweave/qT7mWZ4kRb9nXcVp2sLdH |
| CoreWeave internal tools | static/[KEY-ID] | static/audit-logs |
| SAML assertions | role/[SAML-ROLE] | role/SRE_ADMIN |
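The table above is what an auditor matches against when reviewing key creation records. The following is an added example, not CoreWeave code, that parses the four identity formats into a creation method and checks an observed key lifetime against the maximum the page documents for that method (15 minutes for OIDC, 12 hours for SAML and for time-limited API-token keys, permanent allowed only for API-token keys). Two assumptions are not stated on the page and are marked in the code: an OIDC issuer URL carries no port, so the first colon after the scheme separates issuer from subject, and keys created by CoreWeave internal tools (static/) have no documented lifetime limit.

```python
"""Classify AI Object Storage Access Key identities for audit purposes.

Added example (not CoreWeave code). Maps an identity string to its creation
method using the documented formats and flags lifetimes that exceed the
documented maximum for that method.
"""
from dataclasses import dataclass
from typing import Optional

# Documented maximum lifetime in seconds per creation method (from the page).
# None for "internal" is an assumption: the page documents no limit for
# keys created by CoreWeave internal tools.
MAX_LIFETIME_SECONDS = {
    "oidc": 15 * 60,
    "saml": 12 * 3600,
    "api_token": 12 * 3600,
    "internal": None,
}

# Methods for which a permanent key (no expiry) is expected.
PERMANENT_ALLOWED = {"api_token", "internal"}


@dataclass
class KeyIdentity:
    method: str                    # oidc | saml | api_token | internal | unknown
    issuer: Optional[str] = None   # OIDC only: the [ISSUER-URL] part
    subject: Optional[str] = None  # OIDC subject, SAML role, principal UID or key id


def parse_identity(identity: str) -> KeyIdentity:
    """Map an Access Key identity string to its creation method.

    Assumption (not on the page): an OIDC issuer URL contains no port, so the
    first ':' after the scheme separates the issuer from the subject.
    """
    if identity.startswith("coreweave/"):
        return KeyIdentity("api_token", subject=identity[len("coreweave/"):])
    if identity.startswith("static/"):
        return KeyIdentity("internal", subject=identity[len("static/"):])
    if identity.startswith("role/"):
        rest = identity[len("role/"):]
        if rest.startswith(("https://", "http://")):
            scheme, _, tail = rest.partition("://")
            issuer_path, sep, subject = tail.partition(":")
            if not sep:
                # A URL-shaped role with no subject matches no documented format.
                return KeyIdentity("unknown", subject=rest)
            return KeyIdentity("oidc", issuer=f"{scheme}://{issuer_path}", subject=subject)
        # role/ without a URL is a SAML role name.
        return KeyIdentity("saml", subject=rest)
    return KeyIdentity("unknown", subject=identity)


def lifetime_within_limit(identity: str, lifetime_seconds: Optional[int]) -> bool:
    """Return True if an observed key lifetime is consistent with the documentation.

    lifetime_seconds=None means the key has no expiry (a permanent key).
    Unknown identity formats always fail, so they surface in review.
    """
    method = parse_identity(identity).method
    if method == "unknown":
        return False
    if lifetime_seconds is None:
        return method in PERMANENT_ALLOWED
    limit = MAX_LIFETIME_SECONDS[method]
    return limit is None or lifetime_seconds <= limit


if __name__ == "__main__":
    # Constructed sample records: (identity, observed lifetime in seconds or None).
    samples = [
        ("role/https://oidc.cks.coreweave.com/id/3f9a2c14-7d6e-4b81-9a05-2c8e1f4b6d3a:system:serviceaccount:default:default", 900),
        ("role/SRE_ADMIN", 13 * 3600),
        ("coreweave/qT7mWZ4kRb9nXcVp2sLdH", None),
        ("static/audit-logs", None),
    ]
    for ident, ttl in samples:
        parsed = parse_identity(ident)
        status = "ok" if lifetime_within_limit(ident, ttl) else "REVIEW"
        print(f"{status:6} {parsed.method:9} subject={parsed.subject}")
```

Running the block prints one line per constructed record; the SAML record is flagged because a 13-hour lifetime exceeds the documented 12-hour maximum, and the OIDC subject keeps its own colons intact (system:serviceaccount:default:default) because only the first colon after the scheme is treated as the separator.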
Types of access keys
Access Keys fall into two categories based on creation method. Static keys come from an API access token and are intended for development, testing, and manual operations:
- Permanent keys: Don't expire. Require manual rotation.
- Temporary keys: Expire after a set duration of up to 12 hours.
Keys obtained through Workload Identity Federation are short-lived:
- OIDC-generated keys: 15-minute lifespan, automatically refreshed by your application.
- SAML-generated keys: Up to 12-hour lifespan, automatically refreshed through SAML assertion exchange.
Manage your access keys
This section covers the full lifecycle of access key management:
- Create access keys: Generate new keys for users and workloads.
- Revoke access keys: Remove keys that are no longer needed.