# Console permissions reference

> Permissions required to perform AI Object Storage actions in the Cloud Console

This table lists the permissions required to perform CoreWeave AI Object Storage actions in the Cloud Console. Object Storage Admins already have these permissions by default. This reference is for granting specific permissions to non-admin users.

To grant these permissions to users, you need the `Object Storage Admin` role. Then, you can [create an organization access policy](/products/storage/object-storage/auth-access/organization-policies/manage) to grant the permissions to the users. When these permissions are granted to a user, they will be able to perform the corresponding actions in the Cloud Console. For more information about organization access policies, see [About organization access policies](/products/storage/object-storage/auth-access/organization-policies/about).

| Feature in Console                                | AI Object Storage Permission Requirement                                                      |
| ------------------------------------------------- | --------------------------------------------------------------------------------------------- |
| List (view) buckets                               | `cwobject:ListBucketInfo`                                                                     |
| Create buckets                                    | `s3:CreateBucket` <br /> `cwobject:CreateAccessKey`                                           |
| Delete buckets                                    | `s3:DeleteBucket`  *(policy can include ability to delete individual buckets or all buckets)* |
| Open a bucket and browse its contents (read-only) | `cwobject:ListBucketInfo` <br /> `cwobject:CreateAccessKey` <br /> `s3:ListBucket`            |
| Download objects                                  | `s3:GetObject`                                                                                |
| Upload objects, rename, or create folders         | `s3:PutObject`                                                                                |
| Delete objects or folders                         | `s3:DeleteObject`                                                                             |
| Create access keys                                | `cwobject:CreateAccessKeySAML` <br /> `cwobject:CreateAccessKey`                              |
| Revoke access keys                                | `cwobject:RevokeAccessKeyByAccessKey`                                                         |
| List access keys                                  | `cwobject:ListAccessKeyInfo`                                                                  |
| Create or edit organization policies              | `cwobject:EnsureAccessPolicy`                                                                 |
| Delete organization policies                      | `cwobject:DeleteAccessPolicy`                                                                 |
| View organization policies                        | `cwobject:ListAccessPolicy`                                                                   |
| View a bucket's policy                            | `s3:GetBucketPolicy`                                                                          |
| Create or edit a bucket's policy                  | `s3:PutBucketPolicy`                                                                          |
| Delete a bucket's policy                          | `s3:DeleteBucketPolicy`                                                                       |

<Info>
  * All `cwobject:` permissions are global operations and must specify `"resources": ["*"]` in the policy statement.
  * Cloud Console groups aren't allowed in organization access policies. Use UIDs (from the Cloud Console) or SAML users and groups instead.
</Info>
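
The following is an added example, not CoreWeave code: a pre-review check that flags `cwobject:` actions in statements not scoped to `"resources": ["*"]` and reports which Console features from the table a set of statements covers. It assumes each statement is a dict with `actions` and `resources` lists, treats every statement as an allow, and lets `*` in an action act as a wildcard; the statement shape beyond `resources`, the feature subset, and the bucket name are assumptions or constructed values.

```python
from fnmatch import fnmatchcase

# Required permissions per Console feature, copied from the table above (subset).
CONSOLE_FEATURES = {
    "List buckets": {"cwobject:ListBucketInfo"},
    "Create buckets": {"s3:CreateBucket", "cwobject:CreateAccessKey"},
    "Browse bucket (read-only)": {"cwobject:ListBucketInfo",
                                  "cwobject:CreateAccessKey", "s3:ListBucket"},
    "Download objects": {"s3:GetObject"},
    "Create access keys": {"cwobject:CreateAccessKeySAML", "cwobject:CreateAccessKey"},
}

def is_misscoped(statement, action):
    """True when a cwobject: (global) action sits in a statement not scoped to ["*"]."""
    return action.startswith("cwobject:") and statement.get("resources") != ["*"]

def lint_statements(statements):
    """Return one finding per statement that narrows resources for cwobject: actions."""
    findings = []
    for i, st in enumerate(statements):
        bad = [a for a in st.get("actions", []) if is_misscoped(st, a)]
        if bad:
            findings.append(f'statement {i}: {", ".join(bad)} needs "resources": ["*"]')
    return findings

def usable_features(statements):
    """Console features whose required permissions are all granted.

    Mis-scoped cwobject: actions are not counted (a conservative choice made here).
    """
    patterns = [a for st in statements for a in st.get("actions", [])
                if not is_misscoped(st, a)]

    def granted(perm):
        return any(fnmatchcase(perm, p) for p in patterns)

    return sorted(name for name, required in CONSOLE_FEATURES.items()
                  if all(granted(p) for p in required))

# Constructed sample: the first statement wrongly narrows a global operation.
SAMPLE = [
    {"actions": ["cwobject:ListBucketInfo", "cwobject:CreateAccessKey"],
     "resources": ["example-bucket"]},
    {"actions": ["s3:ListBucket", "s3:GetObject"], "resources": ["example-bucket"]},
]
FIXED = [dict(SAMPLE[0], resources=["*"]), SAMPLE[1]]

if __name__ == "__main__":
    print(lint_statements(SAMPLE), usable_features(SAMPLE), usable_features(FIXED))
```

Running it on a draft policy before applying it shows both the scoping mistake and the Console actions the user would end up with, which helps keep non-admin grants to the minimum needed.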

### Required bucket policy permissions

To browse a bucket in the Cloud Console, the bucket's [bucket access policy](/products/storage/object-storage/auth-access/bucket-access/bucket-policies) must grant the read-only permissions listed in the table. If a bucket policy doesn't grant these permissions to a principal, that principal can't browse the bucket in the Cloud Console even when their organization access policy does.

## Next steps

* Navigate to the [Organization Access Policies](https://console.coreweave.com/object-storage/access-policies) page in the Cloud Console to create an organization access policy.
* Learn more about creating [organization access policies](/products/storage/object-storage/auth-access/organization-policies/manage).
