# About policies

> How organization-level and bucket-level access policies are evaluated for AI Object Storage requests

Policies in CoreWeave AI Object Storage control access to resources, define permitted actions, and manage data lifecycles. They are crucial for enforcing security, ensuring compliance, and managing data retention. Policies follow a defined evaluation order: organization-level policies are evaluated first, and bucket-level policies are only consulted after an organization-level policy has allowed the request. This hierarchy ensures that users and systems can only perform explicitly authorized actions.

This guide covers how policy evaluation works, compares organization and bucket access policies, and outlines key exceptions to consider when designing secure and predictable access controls.

## Policy types

Object Storage uses two types of policies: [organization access policies](/products/storage/object-storage/auth-access/organization-policies/about) and [bucket access policies](/products/storage/object-storage/auth-access/bucket-access/bucket-policies).

Organization access policies apply to all principals and resources across the entire organization. They are set in the [Cloud Console](https://console.coreweave.com/object-storage/access-policies) or through the [AI Object Storage API](/products/storage/object-storage/reference/object-storage-api-ref#ensureaccesspolicy) with HTTP clients like `curl`. Organization access policies are evaluated first in the policy evaluation order.

Bucket access policies apply to a specific bucket and the objects within it. They are set using the [S3-compatible API](/products/storage/object-storage/reference/object-storage-s3) with standard S3 tools like `aws s3api` or `s3cmd`. Bucket access policies are evaluated only after an organization access policy has allowed the request; a request that no organization access policy allows never reaches the bucket access policy. You can use bucket access policies to allow users from other organizations to access your bucket.

## Policy evaluation

The AI Object Storage API evaluates policies in a specific order to determine whether a request should be allowed or denied. This evaluation process ensures that access controls are applied consistently and predictably.

First, the API evaluates organization access policies, which apply to all principals and resources across the organization.

* If no explicit organization access policy exists, the request is rejected.
* If an organization access policy explicitly denies a request, the request is rejected.
* If an organization access policy allows the request, the API evaluates any bucket access policies that apply to the specific bucket and its objects.

Next, the API evaluates bucket access policies, which apply to specific buckets and their objects. The evaluation follows these rules:

* If no bucket access policies exist, the request is implicitly allowed.
* If a bucket access policy explicitly denies the request, the request is rejected.
* If a bucket access policy explicitly allows the request, the request is accepted.
* If a bucket access policy exists but doesn't explicitly allow or deny the request, the request is implicitly rejected.

The following diagram illustrates the workflow:

```mermaid
flowchart LR
   A([Start]) --> B{Evaluate all organization access policies}
   B --> |Explicit deny exists| R1[Reject request]
   B --> |Explicit allow exists| D
   B --> |No explicit policy| R2[Reject request]
   D{Evaluate all valid bucket access policies}
   D --> |No bucket access policy exists| A2[Accept request]
   D --> |Explicit deny<br />bucket access policy exists| R3[Reject request]
   D --> |Explicit allow<br />bucket access policy exists| A3[Accept request]
   D --> |Bucket access policy exists, but no explicit allow or deny| R4[Reject request]
```

## Differences between policy types

Organization and bucket access policies in Object Storage share a similar JSON structure and policy language, but they serve different purposes and have distinct characteristics. The following table compares the two policy types:

| Characteristic                       | Organization access policies                                                                                                                                                                                         | Bucket access policies                                                                                                                                                                                                            |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Use cases**                        | Broad control at the organizational level.                                                                                                                                                                           | Granular [bucket access](/products/storage/object-storage/auth-access/bucket-access/bucket-policies) and [bucket lifecycles](/products/storage/object-storage/auth-access/bucket-access/bucket-policies#bucket-lifecycle-policy). |
| **Scope**                            | Applies to **all principals and resources** across the entire organization.                                                                                                                                          | Applies only to **a specific bucket and the objects within it**.                                                                                                                                                                  |
| **Evaluation order**                 | Evaluated first in the [policy evaluation order](#policy-evaluation).                                                                                                                                                | Evaluated second, if allowed by organization access policies.                                                                                                                                                                     |
| **Management API**                   | Managed through the [Cloud Console](https://console.coreweave.com/object-storage/access-policies) or the [Object Storage API](/products/storage/object-storage/reference/object-storage-api-ref#ensureaccesspolicy). | Managed through the [S3 API](/products/storage/object-storage/reference/object-storage-s3).                                                                                                                                       |
| **Policy version**                   | Use `"version": "v1alpha1"`. This is an internal CoreWeave version.                                                                                                                                                  | Use `"Version": "2012-10-17"`. (Some older policies may use `"2008-10-17"`.)                                                                                                                                                      |
| **API actions**                      | Includes **both** S3 API and AI Object Storage API actions.                                                                                                                                                          | Only includes **S3 API** actions.                                                                                                                                                                                                 |
| **`s3:PutBucketPolicy`**             | `s3:PutBucketPolicy` **only evaluates organization access policies**.                                                                                                                                                | To prevent lock-out, the `s3:PutBucketPolicy` action is **ignored** in bucket access policy evaluation. You can't set a bucket access policy that prevents you from setting bucket access policies.                               |
| **Resource format**                  | Use **short format** `my-bucket`.                                                                                                                                                                                    | Use **ARN format** `arn:aws:s3:::my-bucket`.                                                                                                                                                                                      |
| **Principal format (Cloud Console)** | Use **short format** `coreweave/UserUID`.                                                                                                                                                                            | Use **ARN format** `arn:aws:iam::123456789012:coreweave/UserUID`.                                                                                                                                                                 |
| **Principal format (SAML groups)**   | Use **short format** `role/Admin`.                                                                                                                                                                                   | Use **ARN format** `arn:aws:iam::123456789012:role/Admin`.                                                                                                                                                                        |
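
The following Python model is an added example, not CoreWeave's own code or the real policy engine. It walks through the evaluation order from the [policy evaluation](#policy-evaluation) section together with two rows of the table above: the short-format versus ARN-format principals and resources, and the `s3:PutBucketPolicy` exception that skips bucket access policies. The `Statement` and `Policy` dataclasses, the `statements` field, shell-style wildcard matching, matching organization-level resources only against the bucket name, and the sample policies are assumptions of the model rather than the `v1alpha1` or S3 policy schema; the account ID `123456789012` is the placeholder from the table.

```python
"""Model of the AI Object Storage policy evaluation order (added example).

Not CoreWeave's implementation. The Statement/Policy dataclasses, the
"statements" field, wildcard matching and the sample policies are
constructed for this example; only the decision rules follow the page.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

ACCOUNT_ID = "123456789012"  # placeholder account ID from the comparison table


@dataclass
class Statement:
    effect: str            # "Allow" or "Deny"
    actions: List[str]     # e.g. "s3:GetObject"; shell-style wildcards allowed
    resources: List[str]   # org: "my-bucket"; bucket: "arn:aws:s3:::my-bucket/*"
    principals: List[str]  # org: "coreweave/<UserUID>"; bucket: "arn:aws:iam::<acct>:coreweave/<UserUID>"


@dataclass
class Policy:
    version: str           # "v1alpha1" (organization) or "2012-10-17" (bucket)
    statements: List[Statement]


@dataclass
class Request:
    principal: str         # short format, e.g. "coreweave/alice"
    action: str            # S3 action, e.g. "s3:GetObject"
    bucket: str
    key: Optional[str] = None


def _any_match(patterns: List[str], values: List[str]) -> bool:
    return any(fnmatchcase(v, p) for p in patterns for v in values)


def _decision(policies: List[Policy], principals: List[str], action: str,
              resources: List[str]) -> Optional[str]:
    """Return "Deny" if any matching statement denies, "Allow" if one allows,
    or None when no statement in these policies matches the request at all."""
    matched = [s for p in policies for s in p.statements
               if _any_match(s.principals, principals)
               and _any_match(s.actions, [action])
               and _any_match(s.resources, resources)]
    if any(s.effect == "Deny" for s in matched):
        return "Deny"
    if any(s.effect == "Allow" for s in matched):
        return "Allow"
    return None


def evaluate_request(org_policies: List[Policy],
                     bucket_policies: Dict[str, Policy], req: Request) -> bool:
    """Organization policies first; bucket policies only if the org level allowed it."""
    # Organization level: short-format principal, resource is the bucket name
    # (object keys are not considered here; an assumption of this model).
    org = _decision(org_policies, [req.principal], req.action, [req.bucket])
    if org != "Allow":
        return False  # explicit deny, or no organization policy covers the request

    if req.action == "s3:PutBucketPolicy":
        return True   # bucket policies are ignored for this action (lock-out prevention)

    policy = bucket_policies.get(req.bucket)
    if policy is None:
        return True   # no bucket policy on this bucket: implicitly allowed

    # Bucket level: ARN-format principal and resources.
    arn_principal = f"arn:aws:iam::{ACCOUNT_ID}:{req.principal}"
    arn_resources = [f"arn:aws:s3:::{req.bucket}"]
    if req.key:
        arn_resources.append(f"arn:aws:s3:::{req.bucket}/{req.key}")
    # "Deny" and None (a policy exists but is silent) are both rejected.
    return _decision([policy], [arn_principal], req.action, arn_resources) == "Allow"


# Constructed sample policies for the scenarios below.
ORG_POLICIES = [Policy("v1alpha1", [
    Statement("Allow", ["s3:*"], ["my-bucket", "other-bucket"], ["coreweave/alice"]),
    Statement("Deny", ["s3:DeleteBucket"], ["*"], ["*"]),
])]
BUCKET_POLICIES = {"my-bucket": Policy("2012-10-17", [
    Statement("Allow", ["s3:GetObject"], ["arn:aws:s3:::my-bucket/public/*"], ["*"]),
    Statement("Allow", ["s3:GetObject"], ["arn:aws:s3:::my-bucket/*"],
              [f"arn:aws:iam::{ACCOUNT_ID}:coreweave/alice"]),
    Statement("Deny", ["s3:GetObject"], ["arn:aws:s3:::my-bucket/secrets/*"], ["*"]),
])}


def allowed(principal: str, action: str, bucket: str, key: Optional[str] = None) -> bool:
    return evaluate_request(ORG_POLICIES, BUCKET_POLICIES, Request(principal, action, bucket, key))


if __name__ == "__main__":
    for args in [("coreweave/alice", "s3:GetObject", "my-bucket", "data/model.bin"),
                 ("coreweave/alice", "s3:GetObject", "my-bucket", "secrets/key.pem"),
                 ("coreweave/alice", "s3:PutObject", "my-bucket", "data/model.bin"),
                 ("coreweave/alice", "s3:GetObject", "other-bucket", "x"),
                 ("coreweave/bob", "s3:GetObject", "my-bucket", "public/readme.txt"),
                 ("coreweave/alice", "s3:DeleteBucket", "my-bucket"),
                 ("coreweave/alice", "s3:PutBucketPolicy", "my-bucket")]:
        print(args, "->", "accept" if allowed(*args) else "reject")
```

Each scenario exercises one branch of the diagram: `bob` is rejected on the public prefix even though the bucket policy allows `*`, because no organization policy covers him; `alice`'s `s3:PutObject` is rejected because `my-bucket` has a policy that is silent about it; and her `s3:PutBucketPolicy` succeeds on the organization allow alone, since bucket policies are skipped for that action.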

## Learn more

For more information about organization and bucket access policies, and their associated APIs, see the following guides:

* [Organization access policies](/products/storage/object-storage/auth-access/organization-policies/about)
* [Bucket access policies](/products/storage/object-storage/auth-access/bucket-access/bucket-policies)
* [AI Object Storage API](/products/storage/object-storage/reference/object-storage-api-ref)
* [S3 API](/products/storage/object-storage/reference/object-storage-s3)
