iam:[ORG-ID]:groups condition key for group-based and attribute-based access control.
The exchange uses the AWS container credentials feature. Your client requests credentials from the AI Object Storage API access token endpoint, passing your API access token as a bearer token.
Exchanging an API access token for temporary credentials requires the Object Storage Admin role or an organization access policy that grants cwobject:CreateAccessKey.
Configure your environment
- Ensure you're using a supported S3 client. The minimum supported versions are awscli >= 2.33.2 and boto3 >= 1.42.5.
- Set the following environment variables. Replace [API-ACCESS-TOKEN] with your API access token and [AVAILABILITY-ZONE] with the CoreWeave Availability Zone you're using:
Set the environment variables
- Test your configuration by listing your buckets:
List your buckets
coreweave/[UID]. The returned credentials inherit permissions from your organization access policies and any applicable bucket access policies.
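The following is an added example, not CoreWeave's code or the AWS SDK's own implementation. It spells out the exchange described above: a GET to the token endpoint with the API access token as a bearer token, answered with credentials in the AWS container-credentials response format (AccessKeyId, SecretAccessKey, Token, Expiration). The AWS SDKs do this themselves once AWS_CONTAINER_CREDENTIALS_FULL_URI and AWS_CONTAINER_AUTHORIZATION_TOKEN are set; the script exists so the request and response can be checked by hand. The endpoint URL is a placeholder, and the sample response is constructed, not real output.

```python
"""Added example, not CoreWeave's or the AWS SDK's code: a hand-rolled view
of the container-credentials exchange so its request and response shape can
be inspected. The endpoint URL below is a placeholder."""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timezone

# Placeholder only: take the real token endpoint from the CoreWeave docs.
TOKEN_ENDPOINT = "https://[TOKEN-ENDPOINT]/"

# Hosts the AWS SDKs accept over plain http for a container credentials
# endpoint (loopback and the ECS link-local addresses). Anything else must
# be https so the API access token never travels in clear text.
_PLAINTEXT_OK = {"localhost", "127.0.0.1", "::1", "169.254.170.2", "169.254.170.23"}


def endpoint_is_acceptable(endpoint):
    """True if the endpoint is https, or plain http to a loopback/link-local host."""
    url = urllib.parse.urlparse(endpoint)
    return url.scheme == "https" or (url.scheme == "http" and url.hostname in _PLAINTEXT_OK)


def build_exchange_request(endpoint, api_access_token):
    """Return (url, headers) for the GET the SDK issues: the API access token
    is presented as a bearer token in the Authorization header."""
    if not api_access_token or not api_access_token.strip():
        raise ValueError("API access token is empty")
    if not endpoint_is_acceptable(endpoint):
        raise ValueError("token endpoint must be https (or loopback)")
    headers = {"Authorization": f"Bearer {api_access_token}",
               "Accept": "application/json"}
    return endpoint, headers


def _parse_timestamp(value):
    """Parse an ISO-8601 timestamp; a trailing 'Z' and a missing zone both mean UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def parse_container_credentials(body, now_iso=None):
    """Validate a response in the AWS container-credentials format and return
    its fields under snake_case names plus the seconds left before expiry.
    Raises if a field is missing or the credentials have already expired."""
    data = json.loads(body)
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "Token", "Expiration")
               if k not in data]
    if missing:
        raise ValueError(f"credential response missing {missing}")
    expires = _parse_timestamp(data["Expiration"])
    now = _parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    remaining = int((expires - now).total_seconds())
    if remaining <= 0:
        raise ValueError("temporary credentials already expired")
    return {
        "access_key_id": data["AccessKeyId"],
        "secret_access_key": data["SecretAccessKey"],
        "session_token": data["Token"],
        "expiration": data["Expiration"],
        "seconds_remaining": remaining,
    }


def safe_summary(creds):
    """Log-safe description: never write the secret or the session token out."""
    return (f"access key {creds['access_key_id']} valid for "
            f"{creds['seconds_remaining']}s (expires {creds['expiration']})")


def fetch_temporary_credentials(api_access_token, endpoint=TOKEN_ENDPOINT):
    """Perform the exchange over the network (not exercised offline)."""
    url, headers = build_exchange_request(endpoint, api_access_token)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_container_credentials(resp.read().decode())


# Constructed sample response in the container-credentials format; the
# values are made up and are not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "AccessKeyId": "EXAMPLEKEYID000000000",
    "SecretAccessKey": "example-secret-not-real",
    "Token": "example-session-token-not-real",
    "Expiration": "2030-01-01T12:00:00Z",
})

if __name__ == "__main__":
    creds = parse_container_credentials(SAMPLE_RESPONSE, now_iso="2030-01-01T11:00:00Z")
    print(safe_summary(creds))
```

The https check mirrors what the SDKs enforce for the full-URI provider; the expiry check matters because the credentials are short-lived and a client that caches them past Expiration will start failing with authorization errors rather than a clear message.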
Group-based access control
Because the temporary credentials carry the principal's SCIM group memberships in the iam:[ORG-ID]:groups condition key, you can write access policies that grant or deny access based on group membership instead of naming individual principals. To use this, see:
- Attribute-based access control: how principal attributes such as group memberships are referenced in policy conditions.
- Group-based access: an example bucket policy that grants access to members of a specific group.