Key considerations
AI Object Storage organization access policies have specific aspects and considerations to understand:

| Policy aspect | Description |
|---|---|
| Admin access | Principals with the Object Storage Admin IAM role (assigned through CoreWeave IAM access policies) have unrestricted access to all cwobject: API actions (control plane), but that role does not grant S3-compatible API access. S3-compatible access must still be granted through Object Storage organization and bucket access policies. |
| Group usage | Organization access policies don’t allow CoreWeave IAM groups (created in the Cloud Console). Use individual user UIDs (from Cloud Console) or SAML users and groups instead. |
| s3:PutBucketPolicy | The s3:PutBucketPolicy action is a global operation that only evaluates organization policies (it ignores bucket-level policies) and requires org policies to explicitly allow s3:PutBucketPolicy or s3:* with "resources": ["*"] or specific bucket names. This behavior prevents users from accidentally locking themselves out of a bucket with a misconfigured bucket access policy. |
| Global operations | All cwobject: API actions and the s3:ListAllMyBuckets operation are global operations that must specify "resources": ["*"] in organization access policies. |
| Policy evaluation order | CoreWeave evaluates policies in two steps and evaluates organization policies first (before any bucket-level policies). |
| Policy management recommendation | Prefer to manage access through organization policies for broad, centralized control. Use bucket policies only for bucket-specific features such as bucket lifecycle configuration. |
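
The global-operation and s3:PutBucketPolicy rules in the table can be checked before a policy is applied. The following lint is an added example, not CoreWeave code: the "statements", "effect" and "actions" keys are assumed field names (only "resources" and the action names appear above), the sample policies are constructed, and Deny statements are not modelled.

```python
# Added example: a pre-deployment lint for an organization access policy.
# Assumed (not from the page): the "statements", "effect" and "actions" keys.
# From the page: "resources", s3:PutBucketPolicy, s3:*, s3:ListAllMyBuckets, cwobject:.

def is_global(action):
    """Global operations per the table: every cwobject: action and s3:ListAllMyBuckets."""
    return action.startswith("cwobject:") or action == "s3:ListAllMyBuckets"

def lint_org_policy(policy):
    """Return a list of findings; an empty list means no rule from the table is violated."""
    findings = []
    put_bucket_policy_allowed = False
    for i, stmt in enumerate(policy.get("statements", [])):
        actions = stmt.get("actions", [])
        resources = stmt.get("resources", [])
        # Rule: global operations must specify "resources": ["*"].
        global_actions = [a for a in actions if is_global(a)]
        if global_actions and resources != ["*"]:
            findings.append(f'statement {i}: {global_actions} require "resources": ["*"]')
        # Rule: s3:PutBucketPolicy is decided by organization policies only, so an
        # Allow must name it (or s3:*) with "*" or specific bucket names.
        if (stmt.get("effect") == "Allow" and resources
                and any(a in ("s3:PutBucketPolicy", "s3:*") for a in actions)):
            put_bucket_policy_allowed = True
    if not put_bucket_policy_allowed:
        findings.append("no Allow statement covers s3:PutBucketPolicy")
    return findings

# Constructed sample policies; "cwobject:ExampleAction" and "example-bucket" are placeholders.
SAMPLE_BAD = {"statements": [
    {"effect": "Allow", "actions": ["s3:ListAllMyBuckets", "s3:GetObject"],
     "resources": ["example-bucket"]},
    {"effect": "Allow", "actions": ["cwobject:ExampleAction"],
     "resources": ["example-bucket"]},
]}
SAMPLE_GOOD = {"statements": [
    {"effect": "Allow", "actions": ["s3:ListAllMyBuckets", "cwobject:ExampleAction"],
     "resources": ["*"]},
    {"effect": "Allow", "actions": ["s3:PutBucketPolicy", "s3:GetObject"],
     "resources": ["example-bucket"]},
]}

if __name__ == "__main__":
    for name, policy in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, lint_org_policy(policy) or "ok")
```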