> ## Documentation Index
> Fetch the complete documentation index at: https://docs.coreweave.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Started with AI Object Storage

> Set up AI Object Storage authentication, policies, and storage access for enterprise workloads

This guide provides a high-level overview of the steps required to set up and use AI Object Storage.

## Prerequisites

* A CoreWeave IAM user (or group) that has the [Object Storage Admin IAM role](/security/iam/access-policies) (or equivalent legacy access such as membership in the `admin` group).
* A [Cloud Console API Access Token](/products/storage/object-storage/auth-access/create-access-tokens) created for that user, to authenticate calls to the AI Object Storage API and Cloud Console actions.

## Configure authentication

[Access keys](/products/storage/object-storage/auth-access/manage-access-keys/about) are required for users and workloads to call the AI Object Storage S3-compatible API.

For quick testing and validation, you can create access keys using a Cloud Console API Access Token. (For production workloads, we recommend using [Workload Identity Federation](#set-up-authentication-for-production-workloads).)

You must be signed in as a user who has the **Object Storage Admin** IAM role (or equivalent legacy access, such as membership in the `admin` or `write` group).

1. Navigate to the [Access Keys](https://console.coreweave.com/object-storage/access-keys) page in the Cloud Console.
2. In the upper right corner, click **Create Key**.
3. In the **Create Key** modal:
   * Enter a **Name** for the access key.
   * For a **Temporary** key, enter the desired duration in seconds and click **Create**.
   * For a **Permanent** key, select **Enable Permanent Key** and click **Create**.
4. Save the **Access Key ID** and **Secret Key** for later use.

For the most secure setup in production, [use SAML assertions with Workload Identity Federation to generate workload Access Keys](/products/storage/object-storage/auth-access/workload-identity-federation/saml-workload-federation).

## Set an organization access policy

You must create an [organization access policy](/products/storage/object-storage/auth-access/organization-policies/about) in order to access the Object Storage S3-compatible API. This sets a baseline level of access for your organization to the Object Storage S3-compatible API.

For testing and validation, you can start with a simple policy that grants full access to all S3 buckets and objects to all SAML admins. Create a policy using the Cloud Console:

1. In the [Cloud Console](https://console.coreweave.com/object-storage/access-policies), navigate to **Object Storage** > **Organization Access Policies**.
2. In the upper right corner, click **Create Policy**.
3. In the **Create Policy** page, enter the **Policy Name**. For example, "admin-test-policy".
4. Within the policy, add one statement. In the **Statement** section, enter a descriptive **Name** for the statement. For example, "full-admin-access".
5. For **Access**, select **Allow access**.
6. For **Principals**, enter `role/Admin`.
7. For both **Actions** and **Resources**, enter `*`.
8. Click **Submit** to create the policy.

Alternatively, you can [create a policy programmatically](/products/storage/object-storage/auth-access/organization-policies/manage) using the AI Object Storage API or the CoreWeave Terraform provider. See [examples of organization access policies](/products/storage/object-storage/auth-access/organization-policies/examples).

After setting up an organization access policy, you can configure your development environment and then set up buckets and objects.

## Set CoreWeave-specific configurations

Before you create your first bucket in AI Object Storage, ensure the following settings are applied in your AWS configuration file or environment variables. This is a one-time configuration to add CoreWeave-specific settings to your development environment.

1. Create a new credentials file and profile in your CoreWeave configuration directory. Using a separate profile for CoreWeave AI Object Storage is recommended to avoid conflicts with your other AWS profiles and S3-compatible services.

   ```bash title="Create a new credentials file and profile" theme={"system"}
   $ AWS_SHARED_CREDENTIALS_FILE=~/.coreweave/cw.credentials aws configure --profile cw
   ```

2. When prompted for information, provide the following values:

   * **AWS Access Key ID**: The [Access Key](/products/storage/object-storage/auth-access/manage-access-keys/create-keys) ID of your CoreWeave AI Object Storage Access Key.
   * **AWS Secret Access Key**: The Secret Key of your CoreWeave AI Object Storage Access Key.
   * **Default region name**: Optional. To set a default region, refer to the [CoreWeave Availability Zones](/products/storage/object-storage/buckets/manage-buckets#availability-zones).
   * **Default output format**: Use `json` for JSON output.

3. Set the default endpoint URL to the appropriate endpoint for your use case:

   * The primary endpoint, `https://cwobject.com`, for use when running outside of a CoreWeave cluster.
   * The LOTA endpoint, `http://cwlota.com`, for use when running inside a CoreWeave cluster. The LOTA endpoint routes to the LOTA path for best performance.

   ```bash title="Set the primary endpoint for local development" theme={"system"}
   $ AWS_CONFIG_FILE=~/.coreweave/cw.config aws configure set endpoint_url https://cwobject.com --profile cw
   ```

4. Set the S3 `addressing_style` to `virtual`:

   ```bash title="Set virtual addressing style" theme={"system"}
   $ AWS_CONFIG_FILE=~/.coreweave/cw.config aws configure set s3.addressing_style virtual --profile cw
   ```

For more details and full configuration examples, including Boto3, see [Attaching endpoints](/products/storage/object-storage/using-object-storage/configure-endpoints).

## Create a bucket

After creating access keys, an organization access policy, and setting your global configuration, [create a bucket](/products/storage/object-storage/buckets/create-bucket) to store data. Buckets are the primary organizational unit used by CoreWeave AI Object Storage to store object data.

To create a bucket with the CoreWeave Cloud Console, follow these steps:

1. In the Cloud Console, navigate to [Buckets](https://console.coreweave.com/object-storage/buckets).
2. In the upper right corner, click **Create Bucket**.
3. In the **Create Bucket** modal, enter a **Bucket Name**.

   {/* Single source of truth for bucket naming rules. When adding or changing reserved prefixes or exact names, edit the "Reserved" bullet below. Call this snippet on its own line (not inline) so local mint dev and deployment behave consistently. */}

   <Accordion title="Bucket naming rules">
     Bucket names must be globally unique and adhere to the following rules:

     * **Length:** 3 to 63 characters.
     * **Characters:** Only lowercase letters (`a-z`), numbers (`0-9`), and hyphens (`-`). No dots, uppercase letters, underscores, spaces, or other special characters.
     * **Start and end:** Must begin and end with a letter or number. Cannot start or end with a hyphen (`-`).
     * **Prohibited patterns:** Cannot start with `xn--`.
     * **Reserved:** Must not begin with `cw-`, `vip-`, or `log-stitcher-ch-`. Must not be the exact name `int`. CoreWeave reserves these for internal use.
   </Accordion>
4. Choose an **Availability Zone** from the dropdown menu.
5. Click **Create**.

Alternatively, you can create buckets programmatically using [popular S3-compatible tools](/products/storage/object-storage/buckets/create-bucket#create-a-bucket-with-cli-clients).

## Use objects and buckets

AI Object Storage is S3-compatible, so you can use any S3-compatible tool to manage your data. See [Manage Objects](/products/storage/object-storage/using-object-storage/manage-objects) to learn how to use AI Object Storage with s3cmd, Boto3, the AWS CLI, or s5cmd. For high-performance and bulk transfers, use the [CoreWeave fork of s5cmd](https://github.com/coreweave/s5cmd); see [Migrate data to AI Object Storage](/products/storage/object-storage/migrate-data#migrate-data-with-s5cmd).

For example, use the AWS CLI to copy a file into a bucket addressed using the `s3://` scheme:

Replace `[LOCAL-FILE-PATH]` with the path to the file to upload and `[BUCKET-NAME]` with the name of your bucket.

```bash title="Example command" theme={"system"}
aws s3 cp [LOCAL-FILE-PATH] s3://[BUCKET-NAME] --profile cw
```

```text title="Example output" theme={"system"}
upload: ./my-important-file.txt to s3://my-bucket-name/my-important-file.txt
```

Alternatively, you can [use Cyberduck](/products/storage/object-storage/using-object-storage/cyberduck) to manage your buckets and objects in a graphical interface. Currently, the Cloud Console does not support managing objects.

CoreWeave AI Object Storage has default quota limits. See [Manage quota limits](/products/storage/object-storage/manage-quotas) for more information.

### Endpoint selection for best performance

AI Object Storage works with [LOTA (Local Object Transport Accelerator)](/products/storage/object-storage/improving-performance/about-lota), an intelligent proxy that provides a highly efficient, local gateway to AI Object Storage. Always use the LOTA endpoint when running inside a CoreWeave cluster to improve performance. See [Performance best practices](/products/storage/object-storage/improving-performance/best-practices) for tuning guidance.

| Endpoint         | URL                    | Notes                                                                                                                                                                  |
| ---------------- | ---------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Primary endpoint | `https://cwobject.com` | Uses HTTPS and requires **TLS v1.3**. Ensure your S3-compatible tools and OpenSSL use TLS v1.3. Use this endpoint when running outside of a CoreWeave cluster.         |
| LOTA endpoint    | `http://cwlota.com`    | Uses **HTTP** protocol, not HTTPS. For best performance, the LOTA cache routes to the LOTA endpoint. Always use this endpoint when running inside a CoreWeave cluster. |

## Next steps

Now that you've created a bucket and uploaded data, you can set up authentication for production workloads and configure bucket access policies and versioned buckets.

### Set a bucket access policy

You can set a [bucket access policy](/products/storage/object-storage/auth-access/bucket-access/bucket-policies) to refine access control for each bucket. Bucket access policies are used to control access to data and govern who can manage [bucket lifecycle policies](/products/storage/object-storage/buckets/lifecycle-policies) and auditing. Bucket access policies are [evaluated after organization access policies](/products/storage/object-storage/auth-access/policies#policy-evaluation), and can be used with a broader organization access policy to narrow permissions on specific buckets. You can also use bucket access policies to allow users from other organizations to access your bucket.

You can set bucket access policies programmatically using S3-compatible tools like the AWS CLI, s3cmd, or Boto3, and also using the CoreWeave Terraform provider. See [how to manage bucket access policies](/products/storage/object-storage/auth-access/bucket-access/manage-bucket-policies).

### Manage versioned buckets

Versioned buckets provide a way to keep multiple variants of an object in the same bucket. When enabled, all objects are assigned a unique version ID. This allows you to retrieve, restore, or delete specific versions of an object. Versioning is disabled by default.

You can use rclone and the AWS CLI to manage versioned buckets with AI Object Storage. See [Versioned Buckets](/products/storage/object-storage/buckets/rclone-versioned-buckets) for more information.

### Set up authentication for production workloads

This section covers how to implement secure, automated credential management for production workloads.

**Workload Identity Federation** provides a more secure, controlled way to generate time-limited Access Keys, and is recommended for granting workloads access to AI Object Storage in production environments.

Before you can generate Access Keys for AI Object Storage using Workload Identity Federation, you must first configure Workload Identity Federation for your organization.

[Configure Workload Identity Federation for AI Object Storage](/products/storage/object-storage/auth-access/workload-identity-federation/about)

<Note>
  For advanced enterprise use-cases, [Using SAML assertions with Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/saml-workload-federation) is also supported.
</Note>

After you configure Workload Identity Federation, you can use it to generate access keys for your workloads by submitting a [`CreateAccessKeyFromOIDC`](/products/storage/object-storage/auth-access/workload-identity-federation/use-oidc-tokens) or [`CreateAccessKeyFromSAML`](/products/storage/object-storage/reference/object-storage-api-ref#createaccesskeyfromsaml) request to the AI Object Storage API.

Learn more about [creating access keys with Workload Identity Federation](/products/storage/object-storage/auth-access/workload-identity-federation/about).

### API reference and compatibility information

* For **API reference for AI Object Storage**, refer to the [API documentation](/products/storage/object-storage/reference/object-storage-api-ref).
* For **S3-compatible API** reference, refer to the [S3-compatible API documentation](/products/storage/object-storage/reference/object-storage-s3).