# Automatic authentication with the Pod Identity Webhook

> Configure automatic OIDC credential injection for AI Object Storage using the Pod Identity Webhook on CKS

This tutorial shows you how to set up Workload Identity Federation between your CKS cluster and AI Object Storage, with credential injection handled automatically by the [Pod Identity Webhook](/products/cks/clusters/coreweave-charts/pod-identity-webhook). With the webhook in place, your Pods receive AI Object Storage credentials through their service account, so your workloads can access buckets without managing long-lived access keys. By the end, you'll have a CKS cluster federated with AI Object Storage and a sample workload that uses an annotated service account to obtain credentials on demand.

## Prerequisites

* A [CKS cluster](/products/cks/clusters/create) with [OIDC Workload Identity](/products/cks/auth-access/workload-identity/introduction) enabled on the cluster. The AI Object Storage federation configuration is covered in the steps below.
* [Helm](https://helm.sh/docs/intro/install/) version 3.8 or later.
* [`kubectl`](https://kubernetes.io/docs/reference/kubectl/) installed and configured for your cluster.
* Appropriate IAM roles (for example, CKS Admin and Object Storage Admin) assigned through an [IAM Access Policy](/security/iam/access-policies).

## Install the Pod Identity Webhook

If you install the Pod Identity Webhook, you can use AI Object Storage with minimal configuration. You can install the Pod Identity Webhook from [CoreWeave Charts](/products/cks/clusters/coreweave-charts/introduction) with the following steps:

1. Set environment variables for your organization ID and region:

   ```bash theme={"system"}
   export ORG_ID=[YOUR-ORG-ID]
   export REGION=[YOUR-REGION]
   ```

   * Replace `[YOUR-ORG-ID]` with your organization's ID. You can find your organization ID on the [CoreWeave Console settings page](https://console.coreweave.com/account/settings).
   * Replace `[YOUR-REGION]` with your CoreWeave availability zone. Make sure to use an eligible CoreWeave availability zone that supports AI Object Storage.

   <Accordion title="Availability Zones that support AI Object Storage">
     <Tabs>
       <Tab title="US-CENTRAL">
         * `US-CENTRAL-05A`
         * `US-CENTRAL-06A`
         * `US-CENTRAL-07A`
         * `US-CENTRAL-08A`
         * `US-CENTRAL-08B`
       </Tab>

       <Tab title="US-EAST">
         * `US-EAST-01A`
         * `US-EAST-02A`
         * `US-EAST-03A`
         * `US-EAST-04A`
         * `US-EAST-04B`
         * `US-EAST-06A`
         * `US-EAST-08A`
         * `US-EAST-13A`
         * `US-EAST-14A`
       </Tab>

       <Tab title="US-WEST">
         * `RNO2A`
         * `US-WEST-01A`
         * `US-WEST-04A`
         * `US-WEST-09B`
         * `US-WEST-10A`
       </Tab>

       <Tab title="CA-EAST">
         * `CA-EAST-01A`
       </Tab>

       <Tab title="EU-NORTH">
         * `EU-NORTH-05A`
       </Tab>

       <Tab title="EU-SOUTH">
         * `EU-SOUTH-03B`
         * `EU-SOUTH-04A`
       </Tab>
     </Tabs>

     Learn more about [Regions and Availability Zones](/platform/regions/about-regions-and-azs).
   </Accordion>

2. Add the CoreWeave Charts repository and install the Pod Identity Webhook:

   ```bash theme={"system"}
   helm repo add coreweave https://charts.core-services.ingress.coreweave.com
   helm install pod-identity-webhook coreweave/pod-identity-webhook \
     -n pod-identity-webhook --create-namespace \
     --set config.orgID="$ORG_ID" --set config.region="$REGION"
   ```

   Successful output should look like this:

   ```text theme={"system"}
   "coreweave" has been added to your repositories
   NAME: pod-identity-webhook
   LAST DEPLOYED: Fri Mar 13 20:05:00 2026
   NAMESPACE: pod-identity-webhook
   STATUS: deployed
   REVISION: 1
   DESCRIPTION: Install complete
   ```

   The Pod Identity Webhook is now running in your cluster, ready to inject credentials into annotated Pods.

## Configure OIDC Workload Federation

Before the Pod Identity Webhook can obtain credentials, you must register your CKS cluster as an OIDC provider for AI Object Storage. Your cluster must have [OIDC Workload Identity](/products/cks/auth-access/workload-identity/introduction) enabled so it can issue signed tokens.

1. In the Cloud Console, retrieve the OIDC Issuer URL for your CKS cluster:
   * Go to the [Clusters](https://console.coreweave.com/clusters) page.
   * Click the name of your cluster. A cluster details panel opens on the right.
   * Copy the **OIDC Issuer URL** from the **Overview** section. You need this URL again when you configure access policies.

2. On the [Workload Federation](https://console.coreweave.com/organization/iam/workload-federation/oidc) page, create a new OIDC Configuration:
   * Click **Create OIDC configuration**. The configuration form opens.
   * Set the configuration name (choose a name that indicates it's for federating CKS tokens with AI Object Storage).
   * Enter the CKS cluster's OIDC Issuer URL into both the **Issuer URL** and **Client ID (Audience)** fields.
   * Click **Create** to save the configuration.

With the OIDC configuration in place, AI Object Storage trusts tokens issued by your CKS cluster and can map them to access policies.

## Use your service account

The Pod Identity Webhook injects the configuration your Pods need to obtain AI Object Storage credentials. Add one of these annotations to the service account that your workload uses:

| Audience type    | Annotation syntax                                                                                               |
| ---------------- | --------------------------------------------------------------------------------------------------------------- |
| Default audience | `caios.coreweave.com/inject: "true"`                                                                            |
| Custom audience  | `caios.coreweave.com/audience: custom`<br /><small>(use when you need to match a specific WIF audience)</small> |

Create a service account with the appropriate annotation, then run your workload with that service account.

1. Create the following manifest and save it to a file named `object-storage-sa.yaml`. This example uses the default audience annotation. Adjust it if you want to use a custom audience:

   ```yaml title="object-storage-sa.yaml" highlight={6-7} theme={"system"}
   apiVersion: v1
   kind: ServiceAccount
   metadata:
     name: my-object-storage-sa
     namespace: default
     annotations:
       caios.coreweave.com/inject: "true"
   ```

2. Apply the manifest to create the service account:

   ```bash theme={"system"}
   kubectl apply -f object-storage-sa.yaml
   ```

3. Verify the service account has been created and has the appropriate annotation:

   ```bash theme={"system"}
   kubectl get serviceaccount my-object-storage-sa -n default \
     -o jsonpath='{.metadata.annotations.caios\.coreweave\.com/inject}'
   ```

   The command prints `true` when the annotation is present.

## Grant the service account access to Object Storage

You must grant the service account's federated identity access to AI Object Storage through an [organization access policy](/products/storage/object-storage/auth-access/organization-policies/about). Use the OIDC Issuer URL you copied earlier and the service account name to construct the WIF principal:

```text theme={"system"}
role/[OIDC-ISSUER-URL]:system:serviceaccount:default:my-object-storage-sa
```

Replace `[OIDC-ISSUER-URL]` with the OIDC Issuer URL from your cluster's details panel.

The following example policy grants the service account full S3 access (`s3:*`) to every bucket in your organization, together with the `cwobject:CreateAccessKeyOIDC` action that lets the federated identity exchange its OIDC token for storage credentials. This is the broadest possible grant and is convenient for a first test; for production workloads, scope the actions and resources down to what the workload actually needs.

```json theme={"system"}
{
  "policy": {
    "version": "v1alpha1",
    "name": "wif-service-account-access",
    "statements": [
      {
        "name": "allow-s3-access-for-cks-workload",
        "effect": "Allow",
        "actions": ["s3:*", "cwobject:CreateAccessKeyOIDC"],
        "resources": ["*"],
        "principals": ["role/[OIDC-ISSUER-URL]:system:serviceaccount:default:my-object-storage-sa"]
      }
    ]
  }
}
```

Create this policy in the [Cloud Console](https://console.coreweave.com/organization/iam/workload-federation/oidc), with the [CoreWeave Terraform Provider](https://registry.terraform.io/providers/coreweave/coreweave/latest/docs/resources/object_storage_organization_access_policy), or through the AI Object Storage API. For more granular policies (read-only access, specific buckets, multiple principals), see [Organization access policy examples](/products/storage/object-storage/auth-access/organization-policies/examples).

After the policy is in place, the service account's federated identity is authorized to call AI Object Storage.

## Create a workload that uses the service account

With federation, the service account, and an access policy all configured, you can now deploy a workload that obtains credentials through the webhook. This example creates a Pod that uses the service account you created earlier.

1. Configure the Pod's S3 endpoints:

   To work with AI Object Storage, configure your Pod's S3 endpoints to use virtual addressing style and set the appropriate endpoint URL.

   <Accordion title="Configure S3 endpoints for Pods">
     Because the injected environment variables and token volume handle the credential exchange, your application only needs the S3 endpoint and addressing style configured. For example, with the AWS CLI:

     ```bash theme={"system"}
     aws configure set s3.addressing_style virtual
     aws configure set endpoint_url "http://cwlota.com"
     ```

     Alternatively, you can mount this configuration file into the container from a ConfigMap and set the `AWS_CONFIG_FILE` variable to the location of the mounted file.

     ```ini theme={"system"}
     [default]
     s3 =
         addressing_style = virtual
     endpoint_url = http://cwlota.com
     ```

     When your workloads run inside a CKS cluster, use the LOTA endpoint (`cwlota.com`) for optimal performance. For more configuration options (Boto3, s3cmd, Multi-Storage Client), see [Attaching endpoints](/products/storage/object-storage/using-object-storage/configure-endpoints#full-configuration-examples).
   </Accordion>

2. Create the following manifest and save it to a file named `object-storage-pod.yaml`, making the following adjustments:

   * Fill in the container image with the image you want to use for your workload.
   * Reference the same service account in your Pod so the Pod Identity Webhook can inject credentials:

   ```yaml title="object-storage-pod.yaml" highlight={7, 10} theme={"system"}
   apiVersion: v1
   kind: Pod
   metadata:
     name: my-workload
     namespace: default
   spec:
     serviceAccountName: my-object-storage-sa
     containers:
     - name: app
       image: "[CONTAINER-IMAGE]"
       # Your app uses the injected env or volume to obtain S3 credentials.
   ```

3. Apply the manifest to create the workload:

   ```bash theme={"system"}
   kubectl apply -f object-storage-pod.yaml
   ```

Pods that use this service account receive the necessary environment or volume configuration to call AI Object Storage.

## Optional: Verify the webhook injection

To confirm the Pod Identity Webhook injects credentials correctly before you deploy your real workload, create a test Pod that uses the `amazon/aws-cli` image and run an S3 command against AI Object Storage.

1. Create a test Pod that uses the service account and lists your buckets:

   ```yaml title="test-webhook-pod.yaml" theme={"system"}
   apiVersion: v1
   kind: Pod
   metadata:
     name: test-webhook
     namespace: default
   spec:
     serviceAccountName: my-object-storage-sa
     # Run the check once and stop; the default restartPolicy (Always)
     # would keep restarting the container after it exits.
     restartPolicy: Never
     containers:
     - name: test
       image: amazon/aws-cli
       command:
       - sh
       - -c
       - |
           aws configure set s3.addressing_style virtual
           aws configure set endpoint_url http://cwlota.com
           aws s3api list-buckets
   ```

2. Apply the manifest:

   ```bash theme={"system"}
   kubectl apply -f test-webhook-pod.yaml
   ```

3. Check the Pod logs for the response:

   ```bash theme={"system"}
   kubectl logs test-webhook
   ```

   If the webhook injection and your organization access policies are configured correctly, you should see a JSON response listing your buckets. If you see an `AccessDenied` error, verify that your [organization access policies](/products/storage/object-storage/auth-access/organization-policies/about) grant the `s3:ListAllMyBuckets` action to the correct WIF principal.

4. Clean up the test Pod:

   ```bash theme={"system"}
   kubectl delete pod test-webhook
   ```
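When the test Pod returns `AccessDenied`, the usual cause is a mismatch between what the cluster's token actually says and the principal string in the access policy. The following script is an added diagnostic for this tutorial, not code from CoreWeave or from the Pod Identity Webhook: it decodes a projected service account token without verifying the signature (that is the storage service's job), derives the `role/<issuer>:<sub>` principal the "Grant the service account access" section asks you to construct, and checks whether a `v1alpha1` policy document of the shape shown above names that principal for an action such as `s3:ListAllMyBuckets`. The issuer URL, subject and token in the block are constructed placeholders. Two assumptions that the page does not state: the token's `sub` claim is the standard Kubernetes form `system:serviceaccount:<namespace>:<name>`, and policy evaluation is modelled as Allow-only with glob matching on action names, which is a simplification of the real evaluator, so treat the result as a local sanity check rather than an authorization decision.

```python
"""Local sanity check for CKS -> AI Object Storage workload federation.

Added example for this tutorial, not code from CoreWeave or the webhook.
Assumptions not stated on the page: the projected token is a standard
Kubernetes JWT whose `sub` is `system:serviceaccount:<namespace>:<name>`,
and policy evaluation is modelled as Allow-only with glob matching on
actions (`s3:*`), which is a simplification of the real evaluator.
"""
import base64
import fnmatch
import json
import sys

# Constructed placeholders; substitute your cluster's OIDC Issuer URL.
ISSUER = "https://oidc.example.invalid/clusters/my-cluster"
SUBJECT = "system:serviceaccount:default:my-object-storage-sa"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iss: str, aud, sub: str) -> str:
    """Build a constructed, unsigned JWT for offline testing only."""
    header = {"alg": "RS256", "kid": "constructed-example"}
    payload = {"iss": iss, "aud": aud, "sub": sub, "exp": 1893456000}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        _b64url_encode(b"not-a-real-signature"),
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims. The signature is deliberately NOT verified:
    this is a diagnostic for mismatched iss/aud/sub, never a trust decision.
    AI Object Storage verifies the signature against the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def wif_principal(issuer: str, subject: str) -> str:
    """Principal string in the form the organization access policy expects."""
    return f"role/{issuer}:{subject}"


def principal_from_token(token: str) -> str:
    claims = decode_claims(token)
    return wif_principal(claims["iss"], claims["sub"])


def check_token(token: str, expected_issuer: str, expected_audience: str) -> list:
    """Return problems found (empty list = claims match the OIDC configuration)."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {expected_issuer!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # Kubernetes emits a list
    if expected_audience not in auds:
        problems.append(f"aud {auds!r} does not include {expected_audience!r}")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append(f"sub {claims.get('sub')!r} is not a service account subject")
    return problems


def build_policy(principal: str, actions: list, name: str = "wif-service-account-access") -> dict:
    """Emit a v1alpha1 policy document in the shape shown in the tutorial."""
    return {"policy": {"version": "v1alpha1", "name": name, "statements": [{
        "name": "allow-s3-access-for-cks-workload", "effect": "Allow",
        "actions": actions, "resources": ["*"], "principals": [principal]}]}}


def policy_allows(policy: dict, principal: str, action: str) -> bool:
    """True if an Allow statement names the principal and an action pattern matches."""
    for stmt in policy["policy"]["statements"]:
        if stmt.get("effect") != "Allow" or principal not in stmt.get("principals", []):
            continue
        if any(fnmatch.fnmatchcase(action, pattern) for pattern in stmt.get("actions", [])):
            return True
    return False


def main() -> None:
    # Usage: kubectl create token my-object-storage-sa --audience "$ISSUER_URL" \
    #        | python3 check_wif.py "$ISSUER_URL"
    issuer = sys.argv[1] if len(sys.argv) > 1 else ISSUER
    if sys.stdin.isatty():
        token = make_sample_token(ISSUER, [ISSUER], SUBJECT)  # constructed fallback
    else:
        token = sys.stdin.read().strip()
    for problem in check_token(token, issuer, issuer):
        print("PROBLEM:", problem)
    principal = principal_from_token(token)
    print("principal to put in the policy:", principal)
    policy = build_policy(principal, ["s3:*", "cwobject:CreateAccessKeyOIDC"])
    print(json.dumps(policy, indent=2))
    print("s3:ListAllMyBuckets allowed:", policy_allows(policy, principal, "s3:ListAllMyBuckets"))


if __name__ == "__main__":
    main()
```

To run it against a real token, mint one for the service account with `kubectl create token my-object-storage-sa --audience "$ISSUER_URL"` and pipe it in; the script then prints any issuer or audience mismatch and the exact principal string to paste into the policy. Because the tutorial configures the issuer URL as both the issuer and the audience, the script is called with the same value for both checks.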

## Next steps

* To configure OIDC Workload Federation manually or for debugging, see [Manual OIDC token exchange](/security/tutorials/cks-object-storage-authentication/manual).
* Learn more about [OIDC Workload Identity for CKS](/products/cks/auth-access/workload-identity/introduction).
* Learn more about [Workload Identity Federation for AI Object Storage](/products/storage/object-storage/auth-access/workload-identity-federation/use-oidc-tokens).
* Learn more about the [CoreWeave Pod Identity Webhook for AI Object Storage](/products/cks/clusters/coreweave-charts/pod-identity-webhook).
