Authentication methods
Object Storage supports several authentication methods. Choose the method that best fits your use case, then continue to Configure your client.OIDC Workload Identity Federation (recommended)
For production workloads, Workload Identity Federation with OIDC provides a secure authentication method. Your applications obtain tokens from your identity provider and exchange them for temporary CoreWeave access credentials that automatically expire. In Kubernetes environments, the Container Credentials API enables automatic credential rotation without application changes. For setup details, see Configure AWS CLI and boto3.Direct access token exchange
If you already authenticate with a CoreWeave API access token, you can exchange it directly for temporary credentials using the Container Credentials API, without creating a separate static Access Key. The temporary credentials also carry the principal’s SCIM group memberships for group-based and attribute-based access control. For setup details, see Direct access token exchange.Process Credential Provider
For environments that need interactive sign-in flows or custom token exchange, AWS SDKs support a Process Credential Provider that invokes a custom command to fetch and refresh credentials. This approach works for both human and machine workloads. For examples, see Configure AWS CLI and boto3.Static credentials
For initial testing and development, you can use static Access Keys created through the Cloud Console. Static credentials are long-lived and require manual rotation, so they aren’t recommended for production use.Configure your client
After choosing an authentication method, configure your S3-compatible client:- Cloud Console: no additional client configuration required. Sign in to the Cloud Console and browse objects directly.
- AWS CLI and boto3
- rclone
- Cyberduck
- s3cmd