This guide describes how to request access tokens for CoreWeave AI Object Storage operations through federation between CKS clusters (operating as OIDC Providers) and an organization’s Object Storage infrastructure.

Prerequisites

Authentication methods

CKS Workload Federation supports two methods for authenticating to AI Object Storage:
  • Automatic, using the Pod Identity Webhook; this is recommended for most use cases.
  • Manual, by configuring OIDC Workload Federation yourself; this is useful for debugging or when the Pod Identity Webhook isn’t available.

How the three authorization systems relate

CoreWeave uses separate authorization systems that apply at different stages of this setup. For each system, the first point is what it controls and the second is when it applies in this flow:

CoreWeave IAM Access Policies
  • What it controls: who can manage the platform and the Object Storage control plane (create clusters, create buckets, edit org policies, create WIF config). The Object Storage Admin role doesn’t grant S3 data access.
  • When it applies in this flow: you need appropriate IAM roles (for example, CKS Admin, Object Storage Admin) to create the cluster, configure OIDC Workload Federation, and manage org and bucket policies.

Kubeconfig and Kubernetes RBAC
  • What it controls: a kubeconfig is a config file with the cluster server URL and an API key (the same type used for other CoreWeave APIs). No separate kubeconfig permissions are required. Kubernetes RBAC controls what you can do inside the cluster (for example, creating Pods and service accounts).
  • When it applies in this flow: you use a kubeconfig to run kubectl and create the workload. The API key authenticates you to the cluster, and Kubernetes RBAC authorizes your requests.

AI Object Storage org and bucket access policies
  • What it controls: who can perform S3 operations (read or write objects, list buckets). Principals include federated OIDC roles such as role/[ISSUER]:system:serviceaccount:namespace:name.
  • When it applies in this flow: when a Pod uses OIDC to obtain temporary S3 credentials, only org and bucket policies are evaluated for that Pod’s S3 requests. IAM and kubeconfig aren’t checked.
In short: IAM governs your ability to manage the platform and create the cluster. The API key in your kubeconfig (the same type as for other CoreWeave APIs) authenticates you to the cluster, and Kubernetes RBAC governs what you can do inside it. Org and bucket policies govern what each identity (including the Pod’s OIDC role) can do with AI Object Storage data.
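The point that matters most for a defender here is the last row: once a Pod has traded its service-account token for S3 credentials, the only thing standing between it and the data is the org and bucket policy, and the principal that policy must name is derived from the token's issuer and subject. The following Python is an added illustration, not code from CoreWeave or this guide. It builds a constructed, unsigned token shaped like a Kubernetes projected service-account token, derives the role/[ISSUER]:system:serviceaccount:namespace:name principal string the page describes, and evaluates it against a small policy. The policy schema (effect, principals, actions, resources, deny overrides allow) and the issuer URL are assumptions for the demo and are not CoreWeave's actual policy format; signature verification is deliberately left out because that is the federation endpoint's job, not the policy evaluator's.

```python
import base64
import json
from fnmatch import fnmatchcase

# Constructed sample. A real projected token is minted by the kubelet and signed by
# the CKS cluster acting as OIDC issuer; the issuer URL below is a placeholder.
SAMPLE_ISSUER = "https://cks-example.invalid"
SAMPLE_PAYLOAD = {
    "iss": SAMPLE_ISSUER,
    "sub": "system:serviceaccount:ml-team:trainer",   # namespace:name
    "aud": ["object-storage"],                          # placeholder audience
    "exp": 4102444800,
}

# Hypothetical policy format for the demo only (not CoreWeave's schema).
# Principals use the page's federated-role form: role/[ISSUER]:system:serviceaccount:ns:name
SAMPLE_POLICY = [
    {"effect": "allow",
     "principals": [f"role/{SAMPLE_ISSUER}:system:serviceaccount:ml-team:*"],
     "actions": ["s3:GetObject", "s3:ListBucket"],
     "resources": ["datasets", "datasets/*"]},
    {"effect": "deny",
     "principals": [f"role/{SAMPLE_ISSUER}:system:serviceaccount:ml-team:trainer"],
     "actions": ["s3:PutObject", "s3:DeleteObject"],
     "resources": ["datasets/*"]},
]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(payload: dict) -> str:
    """Build a JWT-shaped string (header.payload.) so the demo has something to decode."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()), ""])


def decode_payload(token: str) -> dict:
    """Decode the payload segment only; verifying the signature is the issuer's/STS side's job."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)            # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))


def principal_for(payload: dict) -> str:
    """Map a service-account token to the federated principal string the policies name."""
    sub = payload["sub"]
    if not sub.startswith("system:serviceaccount:"):
        raise ValueError("subject is not a Kubernetes service account")
    return f"role/{payload['iss']}:{sub}"


def is_allowed(policy: list, principal: str, action: str, resource: str) -> bool:
    """Explicit deny wins over allow; with no matching allow, the default is deny."""
    allowed = False
    for stmt in policy:
        if not any(fnmatchcase(principal, p) for p in stmt["principals"]):
            continue
        if action not in stmt["actions"]:
            continue
        if not any(fnmatchcase(resource, r) for r in stmt["resources"]):
            continue
        if stmt["effect"] == "deny":
            return False
        allowed = True
    return allowed


def evaluate_token(token: str, action: str, resource: str, policy: list = SAMPLE_POLICY) -> bool:
    """End-to-end: token -> principal -> policy decision (what the page says is all that's checked)."""
    return is_allowed(policy, principal_for(decode_payload(token)), action, resource)


if __name__ == "__main__":
    tok = make_unsigned_token(SAMPLE_PAYLOAD)
    print(principal_for(decode_payload(tok)))
    for act, res in [("s3:GetObject", "datasets/train.parquet"),
                     ("s3:PutObject", "datasets/train.parquet"),
                     ("s3:GetObject", "secrets/keys.json")]:
        print(f"{act:14} {res:24} -> {'ALLOW' if evaluate_token(tok, act, res) else 'DENY'}")
```

Two things the evaluator makes visible: the principal is scoped by issuer as well as namespace and name, so a token from another cluster with the same service-account name maps to a different string and matches nothing; and a wildcard on the service-account name (ml-team:*) grants every service account in that namespace, which is why Kubernetes RBAC over who may create service accounts in that namespace (the middle row) still matters even though RBAC is not consulted at S3 request time.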
Last modified on June 10, 2026