Policy types
Object Storage uses two types of policies: organization access policies and bucket access policies. Organization access policies apply to all principals and resources across the entire organization. They are set in the Cloud Console or through the AI Object Storage API with HTTP clients like curl. Organization access policies are evaluated first in the policy evaluation order.
Bucket access policies apply to a specific bucket and the objects within it. They are set using the S3-compatible API with standard S3 tools like aws s3api or s3cmd. Bucket access policies are evaluated after organization access policies, and only if the organization access policies allow the request. You can use bucket access policies to allow users from other organizations to access your bucket.
Policy evaluation
The AI Object Storage API evaluates policies in a specific order to determine whether a request should be allowed or denied. This evaluation process ensures that access controls are applied consistently and predictably. First, the API evaluates organization access policies, which apply to all principals and resources across the organization.
- If no explicit organization access policy exists, the request is rejected.
- If an organization access policy explicitly denies a request, the request is rejected.
- If an organization access policy allows the request, the API evaluates any bucket access policies that apply to the specific bucket and its objects.
- If no bucket access policies exist, the request is implicitly allowed.
- If a bucket access policy explicitly denies the request, the request is rejected.
- If a bucket access policy explicitly allows the request, the request is accepted.
- If a bucket access policy exists but doesn’t explicitly allow or deny the request, the request is implicitly rejected.
Differences between policy types
Organization and bucket access policies in Object Storage share a similar JSON structure and policy language, but they serve different purposes and have distinct characteristics. The following table compares the two policy types:

| Characteristic | Organization access policies | Bucket access policies |
|---|---|---|
| Use cases | Broad control at the organizational level. | Granular bucket access and bucket lifecycles. |
| Scope | Applies to all principals and resources across the entire organization. | Applies only to a specific bucket and the objects within it. |
| Evaluation order | Evaluated first in the policy evaluation order. | Evaluated second, if allowed by organization access policies. |
| Management API | Managed through the Cloud Console or the Object Storage API. | Managed through the S3 API. |
| Policy version | Use "version": "v1alpha1". This is an internal CoreWeave version. | Use "Version": "2012-10-17". (Some older policies may use "2008-10-17".) |
| API actions | Includes both S3 API and AI Object Storage API actions. | Only includes S3 API actions. |
| s3:PutBucketPolicy | s3:PutBucketPolicy only evaluates organization access policies. | To prevent lock-out, the s3:PutBucketPolicy action is ignored in bucket access policy evaluation. You can’t set a bucket access policy that prevents you from setting bucket access policies. |
| Resource format | Use short format my-bucket. | Use ARN format arn:aws:s3:::my-bucket. |
| Principal format (Cloud Console) | Use short format coreweave/UserUID. | Use ARN format arn:aws:iam::123456789012:coreweave/UserUID. |
| Principal format (SAML groups) | Use short format role/Admin. | Use ARN format arn:aws:iam::123456789012:role/Admin. |
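The evaluation order listed under "Policy evaluation", together with the s3:PutBucketPolicy exception and the short/ARN formats from the table above, as an added worked model (example code written for this page, not CoreWeave's implementation or policy schema). It assumes a simplified statement shape with `effect`, `principals`, `actions` and `resources` lists matched by glob, and it folds the account id out of IAM ARNs, so it assumes a single-account sample.

```python
from fnmatch import fnmatch

ARN_S3 = "arn:aws:s3:::"

def _short(value):
    # Bucket policies use ARNs, org policies use short names. Normalise both to
    # the short form so one matcher serves both policy types (this drops the
    # account id, so the sample assumes a single account).
    if value.startswith(ARN_S3):
        return value[len(ARN_S3):]
    if value.startswith("arn:aws:iam::"):
        return value.rsplit(":", 1)[1]
    return value

def _matches(stmt, principal, action, resource):
    return (any(fnmatch(principal, _short(p)) for p in stmt["principals"])
            and any(fnmatch(action, a) for a in stmt["actions"])
            and any(fnmatch(resource, _short(r)) for r in stmt["resources"]))

def _decide(statements, principal, action, resource):
    # Explicit deny beats allow; None means no statement matched at all.
    effects = {s["effect"] for s in statements
               if _matches(s, principal, action, resource)}
    return "Deny" if "Deny" in effects else "Allow" if "Allow" in effects else None

def evaluate(org_policies, bucket_policies, principal, action, resource):
    """Return 'Allow' or 'Deny' following the documented evaluation order."""
    principal, resource = _short(principal), _short(resource)
    # 1. Organization policies first: no explicit allow, or an explicit deny, rejects.
    if _decide(org_policies, principal, action, resource) != "Allow":
        return "Deny"
    # 2. s3:PutBucketPolicy consults org policies only (lock-out prevention),
    #    and when no bucket policy exists the request is implicitly allowed.
    if action == "s3:PutBucketPolicy" or not bucket_policies:
        return "Allow"
    # 3. An existing bucket policy must explicitly allow; silence or deny rejects.
    return "Allow" if _decide(bucket_policies, principal, action, resource) == "Allow" else "Deny"

# Constructed sample policies: org side in short format, bucket side in the ARN
# format the S3 API expects (account id 123456789012 is the table's placeholder).
ORG_POLICIES = [
    {"effect": "Allow", "principals": ["coreweave/alice", "role/Admin"],
     "actions": ["s3:*"], "resources": ["my-bucket", "my-bucket/*"]},
    {"effect": "Deny", "principals": ["coreweave/alice"],
     "actions": ["s3:DeleteBucket"], "resources": ["my-bucket"]},
]
BUCKET_POLICIES = [
    {"effect": "Allow", "principals": ["arn:aws:iam::123456789012:coreweave/alice"],
     "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::my-bucket/*"]},
    {"effect": "Deny", "principals": ["arn:aws:iam::123456789012:role/Admin"],
     "actions": ["s3:GetObject"], "resources": ["arn:aws:s3:::my-bucket/secret/*"]},
]
```

With these samples, alice can read objects but a PutObject is implicitly rejected because the bucket policy exists yet is silent on it, while role/Admin can still call s3:PutBucketPolicy even though the bucket policy never names that action.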