Skip to main content
CoreWeave IAM Access Policies let administrators and privileged users define which principals (CoreWeave IAM users or groups) are allowed to perform specific actions across CoreWeave services. Policies are created once and then evaluated wherever authorization is required, enabling consistent, least-privilege access across the Cloud Platform. IAM Access Policies don’t govern actions for the following services, which host their own authorization infrastructure:

Core concepts

TermDescription
PrincipalA CoreWeave IAM identity (either a user or a group) that can be referenced in a policy.
RoleA permission string enabling a set of actions that, when assigned to a principal, are permitted.
RuleAn assignment of a role or set of roles to a principal.
PolicyA collection of rules that assign entitlements to a set of principals. When a principal is referenced in a policy, the principal is allowed to perform the actions assigned to it by the policy.
CoreWeave IAM operates on a default-deny posture: without an access policy that assigns privileges to principals, that principal isn’t allowed to perform an action. Structurally, the policy contains one or more rules, and each rule assigns a role to a principal. For example: IAM Access Policy In this example, the policy grants the following permissions:
  • User A has the CKS Admin role, which lets them manage Kubernetes resources.
  • User B has the IAM Admin and Billing Viewer roles, which lets them manage IAM resources and view billing data.
  • Engineering Group has the CKS Viewer role, which lets them view Kubernetes resources.

Roles

CoreWeave IAM supports the following actions permitted in roles:
NameRole Description
Access Token ViewerRead-only visibility into personal access tokens (list and view).
Access Token AdminFull management of personal access tokens: create and delete tokens for the current user as permitted by org policy.
IAM ViewerRead-only visibility across IAM configuration (for example, view organization user permitted actions, SAML configuration, AUP provisioning, API tokens, groups and memberships).
IAM AdminAdministrative control over IAM: invite/revoke users, create/delete/update groups and memberships, and configure identity integrations (for example, SAML SSO, AUP provisioning, API tokens).
CKS ViewerRead-only visibility into Kubernetes resources: list and view clusters and VPC resources.
CKS AdminAdministrative control over Kubernetes resources: create, update, and delete clusters and VPC resources.
Inference ViewerRead-only visibility into inference resources: list and view gateways, deployments, and capacity claims.
Inference AdminAdministrative control over inference resources: create, update, and delete gateways, deployments, and capacity claims. Includes Inference Viewer permissions.
Object Storage AdminFull administration for AI Object Storage: create/delete buckets, manage organization access policies, and create/revoke/list access keys. Includes listing buckets and ensuring/setting bucket access policies.
Billing ViewerRead-only access to billing data, including viewing the billing dashboard, current balance, and listing/downloading invoices.
Observability ViewerRead-only access to observability data (for example, cluster metrics/dashboards) for troubleshooting and performance monitoring.
Notifications ViewerRead-only access to alert history, notification delivery statuses, and the alert configuration page.
Notifications AdminManage which alerts the organization receives and where they are delivered: subscribe and unsubscribe alerts per destination on the alert configuration page. Includes Notifications Viewer permissions.
Integrations ViewerRead-only visibility into notification destinations and credentials, including the Integrations page and the destinations list on the alert configuration page.
Integrations AdminFull management of notification destinations and credentials: create, update, and delete Slack and webhook integrations. Includes Integrations Viewer permissions.
Support ViewerRead-only access to support tickets/records in the integrated support system (Freshdesk).
Access Request ApproverApproves or denies privileged access requests. Can view the list of pending Service Account Management access requests.
Administrators can manage resources in the Cloud Console, the API, and with infrastructure as code (IaC) tools like Terraform.

Legacy group role assignments

User permissions depended on the group they were assigned to. The following table shows the CoreWeave legacy permissions and their corresponding new roles:
CoreWeave Legacy GroupCorresponding IAM Roles
adminIAM Admin, CKS Admin, Object Storage Admin, Access Token Admin, Access Request Approver
writeCKS Admin, Object Storage Admin, Access Token Admin
readIAM Viewer, CKS Viewer, Access Token Viewer
metricsObservability Viewer
billing_viewerBilling Viewer
Roles added for newer platform features may not be automatically included in legacy admin policies. If you expect access to a feature but can’t reach it, check your organization’s access policies and add the relevant role if it’s missing. You can review and modify these role assignments or create new groups with different role combinations using IAM Access Policy management.

Next steps

Last modified on May 28, 2026