This guide describes how to request access tokens for AI Object Storage operations through federation between CKS clusters (acting as OIDC Providers) and an organization's AI Object Storage infrastructure.

Prerequisites

Authentication methods

There are two methods for authenticating to AI Object Storage using CKS Workload Federation:
  1. Automatic using the Pod Identity Webhook, which is recommended for most use cases.
  2. Manual by configuring the OIDC Workload Federation manually, which is useful for debugging or when the Pod Identity Webhook is not available.

How the three authorization systems relate

CoreWeave uses separate authorization systems that apply at different stages of this setup:
System: CoreWeave IAM Access Policies
  What it controls: Who can manage the platform and the Object Storage control plane (create clusters, create buckets, edit org policies, create WIF config). The Object Storage Admin role does not grant S3 data access.
  When it applies in this flow: You need appropriate IAM roles (for example CKS Admin, Object Storage Admin) to create the cluster, configure OIDC Workload Federation, and manage org and bucket policies.

System: Kubeconfig and Kubernetes RBAC
  What it controls: A kubeconfig is a config file with the cluster server URL and an API key (the same type used for other CoreWeave APIs). No separate kubeconfig permissions are required. Kubernetes RBAC controls what you can do inside the cluster (create pods, service accounts, and so on).
  When it applies in this flow: You use a kubeconfig to run kubectl and create the workload; the API key authenticates you to the cluster and RBAC authorizes your requests.

System: AI Object Storage org and bucket access policies
  What it controls: Who can perform S3 operations (read/write objects, list buckets). Principals include federated OIDC roles such as role/<issuer>:system:serviceaccount:namespace:name.
  When it applies in this flow: When a pod uses OIDC to obtain temporary S3 credentials, only org (and bucket) policies are evaluated for that pod's S3 requests. IAM and kubeconfig are not checked.

In short: IAM governs your ability to manage the platform and create the cluster. The API key in your kubeconfig (the same type as for other CoreWeave APIs) authenticates you to the cluster, and Kubernetes RBAC governs what you can do inside it. Org and bucket policies govern what each identity (including the pod’s OIDC role) can do with AI Object Storage data.
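To make the last point concrete, here is an added Python example (not CoreWeave's code) that decodes the claims of a pod's projected service account token and maps them to the federated principal form role/<issuer>:system:serviceaccount:namespace:name, then checks that principal against a policy's principal list. The sample claims, the issuer host name, the use of the issuer's host (without scheme) in the principal, and the flat principal list standing in for a real org or bucket policy are all constructed assumptions; the actual policy schema is not shown on this page.

```python
import base64
import json

# Constructed sample claims shaped like a Kubernetes projected service account
# token; a real pod would receive a signed JWT mounted by the Pod Identity Webhook.
SAMPLE_CLAIMS = {
    "iss": "https://example-cluster.example.invalid",  # placeholder issuer URL
    "sub": "system:serviceaccount:ml-team:trainer",     # <namespace>:<name>
    "aud": ["sts.example.invalid"],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a header.payload.signature string with an empty signature (sample only)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_claims(token: str) -> dict:
    """Decode the payload segment of a JWT for inspection; this does NOT verify it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def federated_principal(claims: dict) -> str:
    """Map iss + sub to role/<issuer>:system:serviceaccount:<namespace>:<name>."""
    sub = claims["sub"]
    fields = sub.split(":")
    if len(fields) != 4 or fields[:2] != ["system", "serviceaccount"]:
        raise ValueError(f"sub is not a Kubernetes service account: {sub!r}")
    # Assumption: the issuer appears as its host name, without the https:// scheme.
    issuer = claims["iss"].removeprefix("https://")
    return f"role/{issuer}:{sub}"


def policy_allows(policy_principals: list, claims: dict) -> bool:
    """True if the pod's federated identity is listed in the (simplified) policy."""
    return federated_principal(claims) in policy_principals
```

Because only org and bucket policies are evaluated for the pod's S3 requests, a missing principal here is the first thing to check when a federated workload gets access denied.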
Last modified on April 2, 2026