With OIDC Workload Identity Federation, your workloads obtain an OIDC JWT from your Identity Provider (IdP) and exchange it for temporary AI Object Storage credentials. This eliminates the need to store long-lived secrets in your applications. This guide walks through the complete workflow: configuring your OIDC provider, creating a WIF configuration in the Cloud Console, setting up organization access policies, and exchanging tokens for credentials.Documentation Index
Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
Use this file to discover all available pages before exploring further.
How OIDC WIF works
Your workload obtains an OIDC token from your identity provider and sends it to the AI Object Storage WIF endpoint. CoreWeave validates the token against your WIF configuration, derives a role identity from the token’siss (issuer) and sub (subject) claims, and returns a temporary Access Key / Secret Key pair for AI Object Storage.
The role identity follows the format role/<ISSUER_URL>:<SUBJECT_USER_ID>. For example, if your IdP issues tokens with iss: https://idp.example.com and sub: svc-data-ingest, the derived role is role/https://idp.example.com:svc-data-ingest.
What the returned credentials can do is determined by your organization access policies and optional bucket access policies, which must reference this role as a principal.
Prerequisites
Before you begin, ensure you have:- A CoreWeave organization with AI Object Storage enabled
- Administrator privileges for your organization (the IAM Admin role and Object Storage Admin role, or equivalent legacy access)
- The CoreWeave organization ID (find this on the Settings page in Cloud Console)
- Your AWS CLI version updated to at least
2.33.2. If using Python SDKs, make sure your SDK is at leastboto3 >= 1.42.5. - An OIDC Identity Provider capable of issuing JWTs with the required claims (see Required OIDC claims)
Step 1: Configure your OIDC provider
Configure your IdP to issue JWTs for the workloads that need AI Object Storage access. The tokens must include the standard claims described below.Required OIDC claims
The following standard OIDC claims are required. Note that theaud claim is the one that varies most depending on your OIDC provider.
| Claim | Description |
|---|---|
iss | Issuer URL of your OIDC provider. Must match the issuer configured in your WIF configuration. |
aud | Audience for the token. Must match the audience configured in your WIF configuration. |
sub | Stable subject identifier for the workload (for example, a service account, client ID, or application ID). |
exp | Expiration time (Unix timestamp). The token must not be expired. |
iat | Issued-at time (Unix timestamp). |
nbf (not before) claim is supported. If present, the token is invalid before that time.
Example JWT payload
role/https://idp.example.com:svc-data-ingest.
Step 2: Create a WIF configuration in Cloud Console
Create an OIDC Workload Identity Federation configuration to tell CoreWeave how to validate tokens from your IdP.- Log in to the Cloud Console and navigate to the Workload Federation page.
- Click Create OIDC configuration. The configuration form opens:
- Name: A unique name for the configuration.
- Issuer URL: Your OIDC provider’s identifier URL, such as
https://your-domain.okta.comorhttps://accounts.google.com. CoreWeave uses this to verify that tokens were issued by your trusted identity provider and to fetch the provider’s JWKS for signature validation. - Client ID (Audience): The client identifier that tokens must be intended for. CoreWeave validates that incoming tokens contain this value in their
audclaim. - Description: A brief description of the configuration.
Step 3: Create organization access policies
Organization access policies control what your WIF role can do. Before your workload can exchange OIDC tokens for credentials, you must grant thecwobject:CreateAccessKeyOIDC action to the WIF role.
The principal for your OIDC role follows the format role/<ISSUER_URL>:<SUBJECT_USER_ID>, matching the role identity derived from your token.
The following policy grants the WIF role permission to create temporary credentials via the OIDC endpoint. The cwobject: actions are global and must use "resources": ["*"]. Optionally, you can also grant other cwobject: actions to the WIF role.
Grant S3 permissions
Once your workload can create credentials, you need policies that grant those credentials permission to access buckets. This policy grants read and write access to a specific bucket:Step 4: (Optional) Add bucket access policies
In most cases, organization access policies are sufficient. However, you can layer on bucket access policies when you need cross-organization access to specific buckets or bucket-level lifecycle configuration. Organization access policies and bucket access policies have different syntax requirements:| Aspect | Organization access policies | Bucket access policies |
|---|---|---|
| Principals | Simple strings (for example, role/https://idp.example.com:svc-data-ingest) | Full ARNs (for example, arn:aws:iam::[ORG-ID]:role/https://idp.example.com:svc-data-ingest) |
| Resources | Short bucket names ([BUCKET-NAME], [BUCKET-NAME]/*) | Full S3 ARNs (arn:aws:s3:::[BUCKET-NAME], arn:aws:s3:::[BUCKET-NAME]/*) |
Step 5: Configure your environment
Once your IdP, WIF configuration, and organization access policies are in place, your workload can request temporary credentials from CoreWeave. All you need to do is configure your environment to use the temporary credentials, and then you can use any S3-compatible client to interact with your buckets.-
Ensure you are using the correct version of the AWS CLI. The minimum required version is
awscli >= 2.33.2. If using Python SDKs, it requiresboto3 >= 1.42.5.Check the AWS CLI version -
Set the following environment variables, filling in the values for your CoreWeave organization ID, the path to your JWT token file, and the CoreWeave region you are using. Note: This uses the AWS container credentials feature, so although the environment variables reference AWS CLI environment variables, you must fill in your CoreWeave-specific values:
Set the environment variables
-
Test your configuration by listing your buckets:
List your buckets
Expiration field indicates when the credentials expire. The credentials inherit permissions from your organization access policies and any applicable bucket policies.
If you receive an error message like the following, check that you are using the correct version of the AWS CLI (awscli >= 2.33.2) or Python SDK (boto3 >= 1.42.5):
Credentials request and response
This uses the AWS container credentials feature, which pulls from your configured credentials file and runs a GET request to the CoreWeave OIDC WIF endpoint as follows:Request
Response
Troubleshooting
Token exchange returns “permission denied”
If the/temporary-credentials/oidc call returns an error like {"code": 7, "message": "permission denied", "details": []}, check:
- Missing cwobject permission: Ensure your organization access policy grants
cwobject:CreateAccessKeyOIDCto the WIF role. This permission is required for the token exchange to succeed. - Token validity: Ensure the
issandaudclaims match your WIF configuration. Verify the token is not expired (exp) and is not being used beforenbf(if set). - WIF configuration: Confirm the Issuer URL and Client ID in your WIF configuration exactly match the values in your tokens.
Token exchange succeeds but S3 operations return AccessDenied
If you receive credentials but S3 operations fail, the issue is in your access policies. Check that at least one organization access policy:- Allows the needed
s3:*actions (e.g.,s3:Get*,s3:List*,s3:Put*) - Uses the correct short-form resources (
"my-bucket","my-bucket/*") - Lists the correct WIF role in
principalsusing the formatrole/<ISSUER_URL>:<SUBJECT_USER_ID>
Deny statements can override other Allow statements.