Skip to main content
This guide explains how to configure and enable inventory reports for CoreWeave AI Object Storage buckets and objects. Inventory reports provide a scheduled, machine-readable list of the objects in a bucket, which you can use to audit object counts, track storage growth, and feed downstream analytics or compliance workflows.

Prerequisites

This guide assumes you’ve already met the following prerequisites:
  • You’ve already created a source bucket that you want to inventory.
  • You have permissions to create a destination bucket for the output.
  • You have permissions to set bucket access policies on the destination bucket.
To revisit any of these prerequisites, follow the links to the relevant guides:

Choose a destination bucket

The destination bucket is where inventory reports are written. You can create a separate destination bucket for your inventory output, or use the same bucket as the source bucket. The rest of this guide refers to both options as the “destination bucket”. To use a separate destination bucket for your inventory reports, create a new bucket. When you create the bucket, choose a name that follows the bucket naming rules.
Bucket names must be globally unique and adhere to the following rules:
  • Length: 3 to 63 characters.
  • Characters: Only lowercase letters (a-z), numbers (0-9), and hyphens (-). No dots, uppercase letters, underscores, spaces, or other special characters.
  • Start and end: Must begin and end with a letter or number. Cannot start or end with a hyphen (-).
  • Prohibited patterns: Cannot start with xn--.
  • Reserved: Must not begin with cw-, vip-, or log-stitcher-ch-. Must not be the exact name int. CoreWeave reserves these for internal use.
Replace [DESTINATION-BUCKET] with the name for your destination bucket and [AVAILABILITY-ZONE] with the Availability Zone to create it in. 
aws s3api create-bucket \
  --bucket [DESTINATION-BUCKET] \
  --create-bucket-configuration LocationConstraint=[AVAILABILITY-ZONE]
Inventory reporting is available in all AI Object Storage regions.

Set bucket access policies

To enable inventory reporting, you must grant the CoreWeave inventory service permission to write reports to your destination bucket. This requires setting a bucket access policy on the destination bucket. This policy is required whether you use a separate destination bucket or write reports to the same bucket as your source data. The following permissions are required:
  1. Allow the CoreWeave inventory service account to write to the destination bucket. This is a CoreWeave-managed service account that generates and writes inventory reports to your destination bucket. On a bucket access policy for the destination bucket, grant write permission (s3:PutObject) to the service account with the ARN arn:aws:iam::static:role/static/inventory.
  2. Allow the user or entity that manages the bucket and accesses the reports to read and write to the destination bucket. The user configuring the inventory report needs the following permissions on the source bucket to apply the inventory configuration:
    • s3:PutInventoryConfiguration
    • s3:ListInventoryConfigurations
    • s3:GetInventoryConfiguration
    • s3:DeleteInventoryConfiguration
Depending on your use case, you might need to grant additional permissions to the user or entity.

Create source bucket policy

The following example bucket policy allows the entity requesting the inventory configuration to apply and manage the inventory configuration on the source bucket.
  1. Create a source bucket policy file. Replace [SOURCE-BUCKET] with the name of the bucket you want to inventory, [ORG-ID] with your organization ID, and [USER-UID] with the UID of the user managing the inventory configuration.
    source-bucket-policy.json
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowInventoryConfigurationAccess",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutInventoryConfiguration",
        "s3:ListInventoryConfigurations",
        "s3:GetInventoryConfiguration",
        "s3:DeleteInventoryConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::[SOURCE-BUCKET]/*"
      ],
      "Principal": {
        "CW": ["arn:aws:iam::[ORG-ID]:coreweave/[USER-UID]"]
      }
    }
  ]
}
  2. Apply the source bucket policy: 
    aws s3api put-bucket-policy \
  --bucket [SOURCE-BUCKET] \
  --policy file://source-bucket-policy.json

Create destination bucket policy

The following example bucket policy allows the CoreWeave inventory service account to write inventory reports to the destination bucket, and the user or entity that issues the inventory list request to access the destination bucket. Create a destination bucket policy file. Replace [DESTINATION-BUCKET] with the name of your destination bucket, [ORG-ID] with your organization ID, and [USER-UID] with the UID of the user managing the reports.
destination-bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowServiceAccountWriteReportsToDestination",
      "Effect": "Allow",
      "Principal": {
        "CW": "arn:aws:iam::static:role/static/inventory"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::[DESTINATION-BUCKET]/*"
      ]
    },
    {
      "Sid": "AllowOwnerAccessToDestination",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListObjects"
      ],
      "Resource": [
        "arn:aws:s3:::[DESTINATION-BUCKET]",
        "arn:aws:s3:::[DESTINATION-BUCKET]/*"
      ],
      "Principal": {
        "CW": ["arn:aws:iam::[ORG-ID]:coreweave/[USER-UID]"]
      }
    }
  ]
}
  • The first statement, AllowServiceAccountWriteReportsToDestination, allows the CoreWeave inventory service account to write to the destination bucket. The Principal field is set to arn:aws:iam::static:role/static/inventory, which is a CoreWeave-managed service account that generates and writes inventory reports to your destination bucket.
  • The second statement, AllowOwnerAccessToDestination, allows the entity to access the destination bucket. The Principal field is set to the ARN of the user who reads and manages the inventory reports.

Apply source and destination bucket policies

With both policy files prepared, apply them to their respective buckets so the inventory service and the user managing the configuration have the access they need: 
aws s3api put-bucket-policy \
  --bucket [SOURCE-BUCKET] \
  --policy file://source-bucket-policy.json

aws s3api put-bucket-policy \
  --bucket [DESTINATION-BUCKET] \
  --policy file://destination-bucket-policy.json

Use the same bucket for source and destination

Alternatively, to write inventory reports to the same bucket as the source bucket, grant access to the service account to write to the source bucket. You still need the inventory configuration permissions. If you created the bucket, you likely already have these permissions.
  1. Create the following bucket policy file:
    same-bucket-policy.json
    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowPutObject",
      "Effect": "Allow",
      "Principal": {
        "CW": "arn:aws:iam::static:role/static/inventory"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::[SOURCE-BUCKET]/*"
      ]
    }
  ]
}
    Replace [SOURCE-BUCKET] with the name of your source bucket.
  2. Apply this policy to the source bucket: 
    aws s3api put-bucket-policy \
  --bucket [SOURCE-BUCKET] \
  --policy file://same-bucket-policy.json

Configure the inventory report

With the destination bucket and access policies in place, you can now configure the inventory report itself. To configure inventory reporting, you specify:
  • A source bucket to inventory. You can inventory all the objects in the bucket or only prefixes that you specify. If you don’t specify a prefix, all objects are inventoried.
  • A destination bucket where reports are written. You can use a separate destination bucket or the same bucket as the source bucket.
  • An optional prefix (subdirectory) within the destination bucket for organizing reports. If you don’t specify a prefix, the reports are written to the root of the destination bucket. Use a prefix (like inventory-reports/) in your inventory configuration to separate reports from your source data.
You can configure your inventory report using the S3-compatible API with standard S3 tools like aws s3api. The configuration is a JSON object that defines the inventory configuration for the bucket. The following fields are available:
FieldDescriptionNote
Destination.S3BucketDestinationConfigures destination bucket for inventory report
Destination.S3BucketDestination.BucketDestination bucket name, can be same as source bucketExample: [DESTINATION-BUCKET]
Destination.S3BucketDestination.FormatReport object formatAccepts: CSV, TSV, JSON, ORC, Parquet
Destination.S3BucketDestination.PrefixPrefix for report objectsExample: inventory/
Inventory report objects are created with inventory/ prefix in the object key.
IsEnabledControls enablement of the inventory configurationAccepts: true or false
FilterFilters source objects to include in inventory report
Filter.PrefixSource objects’ prefixExample: documents/
Only objects with prefix documents/ are included in the report.
IdInventory configuration IDExample: my-inventory-config
IncludedObjectVersionsControls which object versions are included in the inventory reportAccepts: All or Latest
- All: Include all versions
- Latest: Only latest versions
OptionalFieldsControls additional information to include in the reportExample: ["Size", "LastAccessedDate"]
Inventory report then has fields:
- BucketName
- ObjectKey
- Size
- LastAccessedDate
ScheduleControls the schedule of inventory reporting
Schedule.FrequencySets schedule frequencyAccepts: Daily or Weekly
  1. Create a bucket inventory configuration file. The following is an example bucket inventory configuration: Replace [DESTINATION-BUCKET] with the name of the bucket where inventory reports are written.
    bucket-inventory-config.json
        {
    "Destination": {
        "S3BucketDestination": {
            "Bucket": "arn:aws:s3:::[DESTINATION-BUCKET]",
            "Format": "ORC",
            "Prefix": "inventory/"
        }
    },
    "IsEnabled": true,
    "Filter": {
        "Prefix": "documents/"
    },
    "Id": "my-inventory-config",
    "IncludedObjectVersions": "All",
    "OptionalFields": [
        "LastAccessedDate"
    ],
    "Schedule": {
        "Frequency": "Daily"
    }
}
  2. Apply the bucket inventory configuration: Replace [SOURCE-BUCKET] with the name of the bucket you want to inventory. 
    aws s3api put-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config \
  --inventory-configuration file://bucket-inventory-config.json

Manage inventory report configurations

After an inventory configuration is in place, you can update, inspect, or remove it as your needs change. You can manage your inventory report configurations using the S3 API with standard S3 tools. The following is an example of how to create, update, get, and delete inventory report configurations using the AWS CLI: Replace [SOURCE-BUCKET] with the name of the bucket you’re inventorying. 
# Create or update bucket inventory configuration by ID
aws s3api put-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config \
  --inventory-configuration file://bucket-inventory-config.json

# List bucket inventory configurations
aws s3api list-bucket-inventory-configurations --bucket [SOURCE-BUCKET]

# Get bucket inventory configuration by ID
aws s3api get-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config

# Delete bucket inventory configuration by ID
aws s3api delete-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config
If you check your inventory configuration with the get command, you might see output like this:
bucket-inventory-config.json
{
    "InventoryConfiguration": {
        "Destination": {
            "S3BucketDestination": {
                "Bucket": "arn:aws:s3:::my-destination-bucket",
                "Format": "ORC",
                "Prefix": "inventory/"
            }
        },
        "IsEnabled": true,
        "Filter": {
            "Prefix": "documents/"
        },
        "Id": "my-inventory-config",
        "IncludedObjectVersions": "All",
        "OptionalFields": [
            "LastAccessedDate"
        ],
        "Schedule": {
            "Frequency": "Daily"
        }
    }
}

Use Terraform

If you manage your infrastructure as code, you can use the AWS Terraform provider to manage inventory report configurations alongside your other resources. The following example declares the destination bucket policy, source and destination buckets, and the inventory configuration as Terraform resources. 
resource "aws_s3_bucket_policy" "test_destination_bucket_policy" {
  bucket = aws_s3_bucket.inventory_dest.id
  policy = data.aws_iam_policy_document.allow_access.json
}

data "aws_iam_policy_document" "allow_access" {
  statement {
    sid = "AllowPutObject"
    effect = "Allow"

    principals {
      type = "CW"
      identifiers = ["arn:aws:iam::static:role/static/inventory"]
    }
    actions = [
      "s3:PutObject",
    ]

    resources = [
      "${aws_s3_bucket.inventory_dest.arn}/*",
    ]
  }

  statement {
    sid = "AllowOwnerAccess"
    effect = "Allow"

    principals {
      type = "CW"
      identifiers = ["arn:aws:iam::[ORG-ID]:coreweave/[USER-UID]"]
    }
    actions = [
      "s3:*",
    ]

    resources = [
      aws_s3_bucket.inventory_dest.arn,
      "${aws_s3_bucket.inventory_dest.arn}/*",
    ]
  }
}

resource "aws_s3_bucket" "inventory_test" {
  bucket = "[SOURCE-BUCKET]"
}

resource "aws_s3_bucket" "inventory_dest" {
  bucket = "[DESTINATION-BUCKET]"
}

resource "aws_s3_bucket_inventory" "test-prefix" {
  bucket = aws_s3_bucket.inventory_test.id
  name   = "my-inventory-config"

  enabled = true
  included_object_versions = "All"

  schedule {
    frequency = "Daily"
  }

  filter {
    prefix = "documents/"
  }

  destination {
    bucket {
      format     = "ORC"
      bucket_arn = aws_s3_bucket.inventory_dest.arn
      prefix     = "inventory/"
    }
  }
}

Check your inventory report

After you apply your inventory configuration, allow some time for the inventory report to be generated and written to the destination bucket, then check the path where you configured the inventory report to be written. No notification is sent when the inventory report completes, so you must check the destination bucket to confirm the report is ready. When the inventory report completes, you should see a manifest.json file written to the root of the subdirectory specified in the inventory configuration, and one or more inventory data files. You can use the manifest file to understand the structure of the inventory report. See Manifest file.

Disable inventory reporting

If you no longer need inventory reports for a bucket, you can stop generating new reports without losing the configuration’s history. To disable inventory reporting, either modify the inventory configuration to set IsEnabled to false, or delete the inventory configuration. The following example shows a modified inventory configuration file that disables inventory reporting:
modified-inventory-config.json
{
  "Destination": {
    "S3BucketDestination": {
      "Bucket": "arn:aws:s3:::[DESTINATION-BUCKET]",
      "Format": "ORC",
      "Prefix": "inventory/"
    }
  },
  "IsEnabled": false,
  "Filter": {
    "Prefix": "documents/"
  },
  "Id": "my-inventory-config",
  "IncludedObjectVersions": "All",
  "OptionalFields": [
    "LastAccessedDate"
  ],
  "Schedule": {
    "Frequency": "Daily"
  }
}
Use these commands to apply the modified inventory configuration or delete the inventory configuration: 
# Modify bucket inventory configuration
aws s3api put-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config \
  --inventory-configuration file://modified-inventory-config.json

# Delete bucket inventory configuration
aws s3api delete-bucket-inventory-configuration \
  --bucket [SOURCE-BUCKET] \
  --id my-inventory-config
Last modified on June 4, 2026