Configure Inventory Reporting for CoreWeave AI Object Storage

This guide explains how to configure and enable inventory reports for CoreWeave AI Object Storage buckets and objects.

Prerequisites

This guide assumes you have already met the following prerequisites:

You have already created a source bucket that you want to inventory.
You have permissions to create a destination bucket for the output.
You have permissions to set bucket access policies on the destination bucket.

If you need to revisit any of these prerequisites, you can do so by following the links to the relevant guides:

Set up an access key
Set up an organization access policy, which is required before you can create a bucket.
Create a bucket to inventory.

Choose a destination bucket

You can choose to create a separate destination bucket for your inventory output, or use the same bucket as the source bucket. The rest of this guide refers to both options as the “destination bucket”. If you want to use a separate destination bucket for your inventory reports, create a new bucket. When creating the bucket, choose a name that follows the bucket naming rules.

Bucket naming rules

Bucket names must be globally unique, and adhere to the following rules:

Length: 3 to 63 characters.
Characters: Only lowercase letters (a-z), numbers (0-9), and hyphens (-). No dots, uppercase letters, underscores, spaces, or other special characters.
Start and end: Must begin and end with a letter or number. Cannot start or end with a hyphen (-).
Prohibited patterns: Cannot start with xn--.- Reserved: Must not begin with cw-, vip-, or log-stitcher-ch-. Must not be the exact name int. These are reserved for internal use.

Replace [DESTINATION-BUCKET] with the name for your destination bucket and [AVAILABILITY-ZONE] with the Availability Zone to create it in.

aws s3api create-bucket \
  --bucket [DESTINATION-BUCKET] \
  --create-bucket-configuration LocationConstraint=[AVAILABILITY-ZONE]

Inventory reporting is available in all AI Object Storage regions.

Set bucket access policies

To enable inventory reporting, you must grant the CoreWeave inventory service permission to write reports to your destination bucket. This requires setting a bucket access policy on the destination bucket. This policy is required whether you use a separate destination bucket or write reports to the same bucket as your source data. The following permissions are required:

Allow the CoreWeave inventory service account to write to the destination bucket. This is a CoreWeave-managed service account that generates and writes inventory reports to your destination bucket. On a bucket access policy for the destination bucket, grant write permission (s3:PutObject) to the service account with the ARN arn:aws:iam::static:role/static/inventory.
Allow the user or entity that will manage the bucket and access the reports to read and write to the destination bucket. The user configuring the inventory report needs the following permissions on the source bucket in order to apply the inventory configuration:
- s3:PutInventoryConfiguration
- s3:ListInventoryConfigurations
- s3:GetInventoryConfiguration
- s3:DeleteInventoryConfiguration

Depending on your use case, you may need to grant additional permissions to the user or entity.

Create source bucket policy

The following is an example bucket policy that allows the entity requesting the inventory configuration to apply and manage the inventory configuration on the source bucket.

Create a source bucket policy file. Replace [SOURCE-BUCKET] with the name of the bucket you want to inventory, [ORG-ID] with your organization ID, and [USER-UID] with the UID of the user managing the inventory configuration.

source-bucket-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInventoryConfigurationAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutInventoryConfiguration",
        "s3:ListInventoryConfigurations",
        "s3:GetInventoryConfiguration",
        "s3:DeleteInventoryConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::[SOURCE-BUCKET]/*"
      ],
      "Principal": {
        "CW": ["arn:aws:iam::[ORG-ID]:coreweave/[USER-UID]"]
      }
    }
  ]
}

Apply the source bucket policy:

aws s3api put-bucket-policy \
  --bucket [SOURCE-BUCKET] \
  --policy file://source-bucket-policy.json

Create destination bucket policy

The following is an example bucket policy that allows the CoreWeave inventory service account to write inventory reports to the destination bucket, and the user or entity that will issue the inventory list request to access the destination bucket. Create a destination bucket policy file. Replace [DESTINATION-BUCKET] with the name of your destination bucket, [ORG-ID] with your organization ID, and [USER-UID] with the UID of the user managing the reports.

destination-bucket-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServiceAccountWriteReportsToDestination",
      "Effect": "Allow",
      "Principal": {
        "CW": "arn:aws:iam::static:role/static/inventory"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::[DESTINATION-BUCKET]/*"
      ]
    },
    {
      "Sid": "AllowOwnerAccessToDestination",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListObjects"
      ],
      "Resource": [
        "arn:aws:s3:::[DESTINATION-BUCKET]",
        "arn:aws:s3:::[DESTINATION-BUCKET]/*"
      ],
      "Principal": {
        "CW": ["arn:aws:iam::[ORG-ID]:coreweave/[USER-UID]"]
      }
    }
  ]
}

The first statement, AllowServiceAccountWriteReportsToDestination, allows the CoreWeave inventory service account to write to the destination bucket. The Principal field is set to arn:aws:iam::static:role/static/inventory, which is a CoreWeave-managed service account that generates and writes inventory reports to your destination bucket.
The second statement, AllowOwnerAccessToDestination, allows the entity to access the destination bucket. The Principal field is set to the ARN of the user who will read and manage the inventory reports.

Apply source and destination bucket policies

Apply both source and destination bucket policies:

aws s3api put-bucket-policy \
  --bucket [SOURCE-BUCKET] \
  --policy file://source-bucket-policy.json

aws s3api put-bucket-policy \
  --bucket [DESTINATION-BUCKET] \
  --policy file://destination-bucket-policy.json

Use the same bucket for source and destination

Alternatively, if you want to write inventory reports to the same bucket as the source bucket, grant access to the service account to write to the source bucket. You will still need the inventory configuration permissions listed above; if you created the bucket, you likely already have these permissions.

Create the following bucket policy file:

same-bucket-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObject",
      "Effect": "Allow",
      "Principal": {
        "CW": "arn:aws:iam::static:role/static/inventory"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::[SOURCE-BUCKET]/*"
      ]
    }
  ]
}

Replace [SOURCE-BUCKET] with the name of your source bucket.

Apply this policy to the source bucket:

aws s3api put-bucket-policy \
  --bucket [SOURCE-BUCKET] \
  --policy file://same-bucket-policy.json

Configure inventory report

To configure inventory reporting, you specify:

A source bucket to inventory. You can inventory all the objects in the bucket or only prefixes that you specify. If you don’t specify a prefix, all objects will be inventoried.
A destination bucket where reports are written. You can choose to use a separate destination bucket or the same bucket as the source bucket.
An optional prefix (subdirectory) within the destination bucket for organizing reports. If you don’t specify a prefix, the reports will be written to the root of the destination bucket. Use a prefix (like inventory-reports/) in your inventory configuration to separate reports from your source data.

You can configure your inventory report using the S3-compatible API with standard S3 tools like aws s3api. The configuration is a JSON object that defines the inventory configuration for the bucket. The following fields are available:

Field	Description	Note
`Destination.S3BucketDestination`	Configures destination bucket for inventory report
`Destination.S3BucketDestination.Bucket`	Destination bucket name; can be same as source bucket	Example: `[DESTINATION-BUCKET]`
`Destination.S3BucketDestination.Format`	Report object format	Accepts: `CSV`, `TSV`, `JSON`, `ORC`, `Parquet`
`Destination.S3BucketDestination.Prefix`	Prefix for report objects	Example: `inventory/` Inventory report objects will be created with `inventory/` prefix in the object key.
`IsEnabled`	Controls enablement of the inventory configuration	Accepts: `true` or `false`
`Filter`	Filters source objects to include in inventory report
`Filter.Prefix`	Source objects’ prefix	Example: `documents/` Only objects with prefix `documents/` will be included in the report.
`Id`	Inventory configuration ID	Example: `my-inventory-config`
`IncludedObjectVersions`	Controls which object versions are included in the inventory report	Accepts: `All` or `Latest` - `All`: Include all versions - `Latest`: Only latest versions
`OptionalFields`	Controls additional information to include in the report	Example: `["Size", "LastAccessedDate"]` Inventory report will then have fields: - `BucketName` - `ObjectKey` - `Size` - `LastAccessedDate`
`Schedule`	Controls the schedule of inventory reporting
`Schedule.Frequency`	Sets schedule frequency	Accepts: `Daily` or `Weekly`

Create a bucket inventory configuration file. The following is an example bucket inventory configuration: Replace [DESTINATION-BUCKET] with the name of the bucket where inventory reports will be written.

bucket-inventory-config.json

    {
    "Destination": {
        "S3BucketDestination": {
            "Bucket": "arn:aws:s3:::[DESTINATION-BUCKET]",
            "Format": "ORC",
            "Prefix": "inventory/"
        }
    },
    "IsEnabled": true,
    "Filter": {
        "Prefix": "documents/"
    },
    "Id": "my-inventory-config",
    "IncludedObjectVersions": "All",
    "OptionalFields": [
        "LastAccessedDate"
    ],
    "Schedule": {
        "Frequency": "Daily"
    }
}

Apply the bucket inventory configuration: Replace [SOURCE-BUCKET] with the name of the bucket you want to inventory.

aws s3api put-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config \
  --inventory-configuration file://bucket-inventory-config.json

Manage inventory report configurations

You can manage your inventory report configurations using the S3 API with standard S3 tools. The following is an example of how to create, update, get, and delete inventory report configurations using the AWS CLI: Replace [SOURCE-BUCKET] with the name of the bucket you are inventorying.

# Create or update bucket inventory configuration by ID
aws s3api put-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config \
  --inventory-configuration file://bucket-inventory-config.json

# List bucket inventory configurations
aws s3api list-bucket-inventory-configurations --bucket [SOURCE-BUCKET]

# Get bucket inventory configuration by ID
aws s3api get-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config

# Delete bucket inventory configuration by ID
aws s3api delete-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config

If you check your inventory configuration with the get command, you may see output like this:

bucket-inventory-config.json

{
    "InventoryConfiguration": {
        "Destination": {
            "S3BucketDestination": {
                "Bucket": "arn:aws:s3:::my-destination-bucket",
                "Format": "ORC",
                "Prefix": "inventory/"
            }
        },
        "IsEnabled": true,
        "Filter": {
            "Prefix": "documents/"
        },
        "Id": "my-inventory-config",
        "IncludedObjectVersions": "All",
        "OptionalFields": [
            "LastAccessedDate"
        ],
        "Schedule": {
            "Frequency": "Daily"
        }
    }
}

Using Terraform

If you manage your infrastructure as code, you can use the AWS Terraform provider to manage inventory report configurations alongside your other resources.

resource "aws_s3_bucket_policy" "test_destination_bucket_policy" {
  bucket = aws_s3_bucket.inventory_dest.id
  policy = data.aws_iam_policy_document.allow_access.json
}

data "aws_iam_policy_document" "allow_access" {
  statement {
    sid = "AllowPutObject"
    effect = "Allow"

    principals {
      type = "CW"
      identifiers = ["arn:aws:iam::static:role/static/inventory"]
    }
    actions = [
      "s3:PutObject",
    ]

    resources = [
      "${aws_s3_bucket.inventory_dest.arn}/*",
    ]
  }

  statement {
    sid = "AllowOwnerAccess"
    effect = "Allow"

    principals {
      type = "CW"
      identifiers = ["arn:aws:iam::[ORG-ID]:coreweave/[USER-UID]"]
    }
    actions = [
      "s3:*",
    ]

    resources = [
      aws_s3_bucket.inventory_dest.arn,
      "${aws_s3_bucket.inventory_dest.arn}/*",
    ]
  }
}

resource "aws_s3_bucket" "inventory_test" {
  bucket = "[SOURCE-BUCKET]"
}

resource "aws_s3_bucket" "inventory_dest" {
  bucket = "[DESTINATION-BUCKET]"
}

resource "aws_s3_bucket_inventory" "test-prefix" {
  bucket = aws_s3_bucket.inventory_test.id
  name   = "my-inventory-config"

  enabled = true
  included_object_versions = "All"

  schedule {
    frequency = "Daily"
  }

  filter {
    prefix = "documents/"
  }

  destination {
    bucket {
      format     = "ORC"
      bucket_arn = aws_s3_bucket.inventory_dest.arn
      prefix     = "inventory/"
    }
  }
}

Checking your inventory report

After you have applied your inventory configuration, allow some time for the inventory report to be generated and written to the destination bucket, then check the path where you configured the inventory report to be written. There is no notification when the inventory report has completed. When the inventory report has completed, you should see a manifest.json file written to the root of the subdirectory specified in the inventory configuration, and one or more inventory data files. You can use the manifest file to understand the structure of the inventory report. See more details about the manifest files.

Disabling inventory reporting

To disable inventory reporting, you can either modify the inventory configuration to set IsEnabled to false, or delete the inventory configuration. The following is an example of a modified inventory configuration file that disables inventory reporting:

modified-inventory-config.json

{
  "Destination": {
    "S3BucketDestination": {
      "Bucket": "arn:aws:s3:::[DESTINATION-BUCKET]",
      "Format": "ORC",
      "Prefix": "inventory/"
    }
  },
  "IsEnabled": false,
  "Filter": {
    "Prefix": "documents/"
  },
  "Id": "my-inventory-config",
  "IncludedObjectVersions": "All",
  "OptionalFields": [
    "LastAccessedDate"
  ],
  "Schedule": {
    "Frequency": "Daily"
  }
}

These commands can be used to apply the modified inventory configuration or delete the inventory configuration:

# Modify bucket inventory configuration
aws s3api put-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config \
  --inventory-configuration file://modified-inventory-config.json

# Delete bucket inventory configuration
aws s3api delete-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config

Storage

Documentation Index

​Prerequisites

​Choose a destination bucket

​Set bucket access policies

​Create source bucket policy

​Create destination bucket policy

​Apply source and destination bucket policies

​Use the same bucket for source and destination

​Configure inventory report

​Manage inventory report configurations

​Using Terraform

​Checking your inventory report

​Disabling inventory reporting