Overview

Workload Identity Federation (WIF) enables your applications to access CoreWeave AI Object Storage using tokens from your existing identity provider, eliminating the need to store long-lived credentials in your applications or configuration files.

How it works

Instead of managing static API keys, your applications obtain tokens from your identity provider and exchange them for temporary CoreWeave access credentials. These credentials automatically expire after a configurable duration, and your applications refresh them by exchanging new tokens as needed.

[Diagram: the authentication flow from workloads, CI/CD pipelines, and people through identity providers to CoreWeave IAM and AI Object Storage]

Workload Identity Federation handles only authentication, verifying that your workload is who it claims to be based on your IdP’s tokens. What those credentials can do is controlled separately by your organization access policies and optional bucket access policies.
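
The refresh behavior described above, as an added example that is not CoreWeave's code: a credential cache that exchanges a new IdP token shortly before the temporary credentials expire, and keeps serving the cached credentials if an exchange fails while they are still valid. The `fetch_idp_token` and `exchange` callables, the `TemporaryCredentials` fields and the 60-second margin are assumptions, since this page does not describe the exchange API.

```python
import threading
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class TemporaryCredentials:
    # Field names are assumptions; the page does not describe the credential shape.
    key_id: str
    secret: str
    expires_at: float  # Unix time after which the credentials are rejected


class RefreshingCredentials:
    """Caches temporary credentials and re-exchanges shortly before they expire."""

    def __init__(self, fetch_idp_token: Callable[[], str],
                 exchange: Callable[[str], TemporaryCredentials],
                 refresh_margin: float = 60.0,
                 clock: Callable[[], float] = time.time):
        self._fetch_idp_token = fetch_idp_token  # hypothetical: asks the IdP for a new token
        self._exchange = exchange                # hypothetical: performs the token exchange
        self._margin = refresh_margin
        self._clock = clock
        self._lock = threading.Lock()            # one exchange at a time across threads
        self._current: Optional[TemporaryCredentials] = None

    def get(self) -> TemporaryCredentials:
        with self._lock:
            now = self._clock()
            cur = self._current
            if cur is not None and now < cur.expires_at - self._margin:
                return cur  # still comfortably valid, no network call
            try:
                # Always request a new IdP token; a cached one may itself have expired.
                fresh = self._exchange(self._fetch_idp_token())
            except Exception:
                # Exchange failed: keep using the cached credentials until they truly expire.
                if cur is not None and now < cur.expires_at:
                    return cur
                raise
            if fresh.expires_at <= now:
                raise RuntimeError("exchange returned credentials that are already expired")
            self._current = fresh
            return fresh
```

Nothing is written to disk: both the IdP token and the temporary credentials live only in process memory, so no long-lived secret is left behind in configuration files.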

Supported protocols

CoreWeave supports two industry-standard protocols for Workload Identity Federation:
  • OIDC is the preferred option for cloud-native applications and modern identity providers. It uses JSON Web Tokens (JWT) that integrate easily with programmatic access patterns and are simpler to debug. Use OIDC if your workloads run on Kubernetes, in cloud environments with OIDC-capable identity providers, or anywhere you can obtain JWTs.
  • SAML works well for enterprise environments with existing SAML infrastructure. It uses XML-based assertions that support complex attribute mappings and integrates with traditional enterprise IdPs.

Connecting WIF to access policies

Workload Identity Federation issues temporary credentials tied to a role identity. You must then create access policies that grant permissions to that role. This step is separate from authentication, and you must configure both. Organization access policies are required to grant permissions to WIF roles, while bucket access policies are optional. For most WIF deployments, organization access policies are sufficient. Add bucket access policies only when you have a specific cross-org or bucket-level requirement.

Getting started

Choose your protocol and follow the end-to-end guide. Both guides cover the full workflow: configuring your IdP, creating a WIF configuration in the Cloud Console, setting up access policies, and exchanging tokens for credentials.

Last modified on April 30, 2026