Skip to main content
CoreWeave IAM Access Policies let administrators and privileged users define which principals (CoreWeave IAM users or groups) can perform specific actions across CoreWeave services. You create a policy once, and CoreWeave evaluates it wherever authorization is required, which enforces consistent, least-privilege access across the Cloud Platform. IAM Access Policies don’t govern actions for the following services, which host their own authorization infrastructure:

Core concepts

The following terms are central to how IAM Access Policies work:
TermDescription
PrincipalA CoreWeave IAM identity (either a user or a group) that can be referenced in a policy.
RoleA permission string enabling a set of actions that, when assigned to a principal, are permitted.
RuleAn assignment of a role or set of roles to a principal.
PolicyA collection of rules that assign entitlements to a set of principals. When a principal is referenced in a policy, that principal can perform the actions the policy assigns to it.
CoreWeave IAM operates on a default-deny posture. Without an access policy that grants privileges to a principal, that principal can’t perform an action.

How groups, policies, and roles relate

If you’re new to CoreWeave IAM, the following plain-language summary describes how the pieces fit together:
  • A role is a named bundle of permissions. Each role grants a specific set of actions, such as viewing clusters or managing billing data. You don’t grant individual actions directly. You grant a role.
  • A group is a named set of users. Instead of assigning roles to people one at a time, you put related users in a group and assign roles to the group. Anyone you add to the group gains the roles the group has. An IAM Admin creates and manages groups and their memberships.
  • A policy ties everything together. A policy holds one or more rules, and each rule assigns one or more roles to a principal (a user or a group). The policy is where access is granted.
In short: roles define what someone can do, groups collect the people who should be able to do it, and a policy connects roles to users or groups through its rules. To grant access, you add a rule to a policy that assigns the right role to the right principal. For a typical ML team, a common starting point is:
  • Put platform administrators in a group and assign it the admin roles they need, such as IAM Admin and CKS Admin.
  • Put engineers who run workloads in a group and assign it the roles for the services they use, such as CKS Admin and Inference Admin.
  • Assign read-only roles, such as CKS Viewer or Observability Viewer, to anyone who needs visibility but shouldn’t make changes.
For concrete examples built from the following roles, see Recommended role combinations. Structurally, the policy contains one or more rules, and each rule assigns a role to a principal. For example: Example IAM Access Policy assigning CKS Admin, IAM Admin, Billing Viewer, and CKS Viewer roles to two users and a group In this example, the policy grants the following permissions:
  • User A has the CKS Admin role, which lets them manage Kubernetes resources.
  • User B has the IAM Admin and Billing Viewer roles, which let them manage IAM resources and view billing data.
  • Engineering Group has the CKS Viewer role, which lets them view Kubernetes resources.

Roles

A role is the unit of access you assign in a policy rule. Each role grants a fixed set of actions. Most services have a Viewer role for read-only access and an Admin role for full management. Assign the least privileged role that lets a principal do their job. The following roles are grouped by functional area to help you pick the right one. The description states what the role grants. The “When to assign” column suggests who typically needs it.

Access control and IAM

These roles manage identities, groups, access policies, and personal access tokens.
NameRole descriptionWhen to assign
IAM ViewerRead-only visibility across IAM configuration (for example, view organization user permitted actions, SAML configuration, AUP provisioning, API tokens, groups and memberships).Assign to anyone who needs to review users, groups, and access policies without changing them.
IAM AdminAdministrative control over IAM: invite and revoke users, create, delete, and update groups and memberships, and configure identity integrations (for example, SAML SSO, AUP provisioning, API tokens).Assign to administrators who manage users, groups, and identity integrations for the organization.
Access Token ViewerRead-only visibility into personal access tokens (list and view).Assign to users who need to see their personal access tokens but not create or delete them.
Access Token AdminFull management of personal access tokens: create and delete tokens for the current user as permitted by org policy.Assign to users who need to create and delete their own API access tokens.
Access Request ApproverApproves or denies privileged access requests. Can view the list of pending Service Account Management access requests.Assign to people who approve support and privileged access requests. Because approved access expires after 8 hours, assign the role to multiple approvers so requests can be reviewed promptly.

CKS clusters

These roles manage CoreWeave Kubernetes Service clusters and VPC resources.
NameRole descriptionWhen to assign
CKS ViewerRead-only visibility into Kubernetes resources: list and view clusters and VPC resources.Assign to engineers who need to inspect clusters and VPC resources but not change them.
CKS AdminAdministrative control over Kubernetes resources: create, update, and delete clusters and VPC resources.Assign to engineers who create and manage clusters and VPC resources.

Inference

These roles manage inference gateways, deployments, and capacity claims.
NameRole descriptionWhen to assign
Inference ViewerRead-only visibility into inference resources: list and view gateways, deployments, and capacity claims.Assign to users who need to monitor inference resources without changing them.
Inference AdminAdministrative control over inference resources: create, update, and delete gateways, deployments, and capacity claims. Includes Inference Viewer permissions.Assign to engineers who deploy and manage inference workloads.

Object storage

This role administers CoreWeave AI Object Storage control plane resources. Access to bucket data (buckets and objects) through the S3-compatible API is governed separately by organization and bucket access policies, not by this role.
NameRole descriptionWhen to assign
Object Storage AdminFull administration for AI Object Storage: create and delete buckets, manage organization access policies, and create, revoke, and list access keys. Includes listing buckets and ensuring and setting bucket access policies.Assign to administrators who manage buckets, access keys, and organization access policies.

Observability and telemetry

These roles cover observability data and Telemetry Relay configuration.
NameRole descriptionWhen to assign
Observability ViewerRead-only access to observability data (for example, cluster metrics and dashboards) for troubleshooting and performance monitoring.Assign to engineers who monitor metrics and dashboards to troubleshoot workloads.
Telemetry Relay ReaderRead-only visibility into Telemetry Relay: list and view forwarding endpoints, pipelines, and telemetry streams.Assign to users who need to review Telemetry Relay endpoints and pipelines without changing them.
Telemetry Relay AdminAdministrative control over Telemetry Relay: create, update, and delete forwarding endpoints and pipelines. Includes Telemetry Relay Reader permissions.Assign to engineers who configure log forwarding to external endpoints.

Billing

This role grants read-only access to billing data.
NameRole descriptionWhen to assign
Billing ViewerRead-only access to billing data, including viewing the billing dashboard, current balance, and listing and downloading invoices.Assign to users who need to review balances and invoices.

Notifications and integrations

These roles manage alert subscriptions and the destinations that receive them.
NameRole descriptionWhen to assign
Notifications ViewerRead-only access to alert history, notification delivery statuses, and the alert configuration page.Assign to users who need to review alerts and delivery status without changing subscriptions.
Notifications AdminManage which alerts the organization receives and where they are delivered: subscribe and unsubscribe alerts per destination on the alert configuration page. Includes Notifications Viewer permissions.Assign to users who manage which alerts the organization receives and where they go.
Integrations ViewerRead-only visibility into notification destinations and credentials, including the Integrations page and the destinations list on the alert configuration page.Assign to users who need to review notification destinations without changing them.
Integrations AdminFull management of notification destinations and credentials: create, update, and delete Slack and webhook integrations. Includes Integrations Viewer permissions.Assign to users who configure Slack and webhook destinations for alerts.

Support

This role grants read-only access to support records.
NameRole descriptionWhen to assign
Support ViewerRead-only access to support tickets and records in the integrated support system (Freshdesk).Assign to users who need to review the organization’s support tickets.
Administrators can manage resources in the Cloud Console, the API, and with infrastructure-as-code (IaC) tools like Terraform. The following combinations are starting points for common roles on an ML team. Each one uses only the roles defined in the preceding sections. Adjust them to match your organization’s needs, and prefer the least privileged role that still lets a principal do their job.
ArchetypeRecommended rolesWhat it enables
Platform engineerIAM Admin, CKS Admin, Object Storage AdminManage users and groups, create and manage clusters and VPC resources, and administer buckets.
AI engineerCKS Admin, Inference Admin, Observability ViewerRun workloads on clusters, deploy and manage inference, and monitor performance.
Billing adminBilling ViewerReview balances and download invoices without access to infrastructure.
Observability engineerObservability Viewer, Telemetry Relay AdminMonitor metrics and dashboards and configure log forwarding to external endpoints.

Legacy group role assignments

Before IAM Access Policies, user permissions were determined by the legacy group a user belonged to. The following table shows how each legacy group maps to the new IAM roles:
CoreWeave legacy groupCorresponding IAM roles
adminIAM Admin, CKS Admin, Object Storage Admin, Access Token Admin, Access Request Approver
writeCKS Admin, Object Storage Admin, Access Token Admin
readIAM Viewer, CKS Viewer, Access Token Viewer
metricsObservability Viewer
billing_viewerBilling Viewer
Roles added for newer platform features may not be automatically included in legacy admin policies. If you expect access to a feature but can’t reach it, check your organization’s access policies and add the relevant role if it’s missing. You can review and modify these role assignments or create new groups with different role combinations using IAM Access Policy management.

Default Access Policies

CoreWeave creates and maintains Default Access Policies. The Cloud Console marks each default policy with a Default badge next to its name. Default policies bundle the roles required for a common access pattern. For example, the Administrator default policy includes all available roles, and CoreWeave adds new roles to it as they become available. Default policies behave differently from policies you create yourself:
  • CoreWeave manages the roles. The role set of a default policy is immutable: you can’t add, remove, or otherwise edit its roles. As CoreWeave ships new products and actions, or introduces more fine-grained permissions for existing roles, CoreWeave adds the relevant roles to the applicable default policies automatically. Roles are rarely removed.
  • You manage the principals. You can add and remove principals (users and groups) on a default policy to control who it applies to.
  • They can’t be deleted. Default policies don’t offer a delete option.
This keeps a default policy current with the platform: principals assigned to it gain access to new capabilities as they ship, without an administrator needing to track and add each new role, closing the gap described in Legacy group role assignments.
You may see a duplicate-looking policy. When CoreWeave introduces a new default policy, it’s added alongside your existing policies rather than replacing them. Because CoreWeave never removes a policy you already have, a new default policy can look substantially similar to one already in your organization. This is expected behavior.Review the principals on each policy to decide how to proceed. Your existing non-default policies remain fully under your control: you can edit or delete them. The default policy itself can’t be deleted.

Next steps

Last modified on July 10, 2026