Object Storage access uses a different permission model than the rest of CoreWeave IAM. The IAM Object Storage Admin role only governs the control plane (managing buckets, keys, and policies through the cwobject: API). It does not grant S3 data-plane access.

To give a user read or write access to objects, create an Object Storage organization access policy that grants specific s3: actions (for example, s3:GetObject, s3:ListBucket) on the resources they need, and add the user as the principal. For bucket-specific rules, layer a bucket access policy on top. Do not attach the Object Storage Admin IAM role to a user you intend to keep read-only or scoped.

Organization access policies accept individual user UIDs or SAML users and groups, not CoreWeave IAM groups. For full details, see Object Storage policies and Organization access policies. For example policies, see Policy examples.
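The read-only scoping described above can be checked before a policy is applied. This added example is not from CoreWeave's documentation: the statement field names (effect, actions, resources, principals), the UIDs, the bucket names, and the cwobject: action name are assumptions constructed for illustration, so adapt them to the schema in Object Storage policies.

```python
# The two read actions the page names; extend this allow-list as needed.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:ListBucket"}

def audit_read_only(policy, principal):
    """Return (statement index, action, reason) for each grant to `principal`
    that goes beyond READ_ONLY_ACTIONS.

    Assumed shape (hypothetical, not CoreWeave's schema): policy["statements"]
    is a list of dicts with "effect", "actions", "resources", "principals".
    """
    findings = []
    for index, stmt in enumerate(policy.get("statements", [])):
        if stmt.get("effect") != "Allow":
            continue  # only Allow statements widen access
        principals = stmt.get("principals", [])
        # "*" is treated as matching every principal (assumption).
        if principal not in principals and "*" not in principals:
            continue
        for action in stmt.get("actions", []):
            if action.startswith("cwobject:"):
                reason = "control-plane action in a data-plane grant"
            elif "*" in action:
                reason = "wildcard matches more than the read-only set"
            elif action not in READ_ONLY_ACTIONS:
                reason = "not in the read-only set"
            else:
                continue
            findings.append((index, action, reason))
    return findings

# Constructed sample: names, UIDs and resource strings are placeholders.
SAMPLE_POLICY = {
    "name": "example-read-only",
    "statements": [
        {"effect": "Allow", "principals": ["uid-reader-example"],
         "actions": ["s3:GetObject", "s3:ListBucket"],
         "resources": ["example-bucket", "example-bucket/*"]},
        {"effect": "Allow", "principals": ["uid-reader-example", "uid-writer-example"],
         "actions": ["s3:PutObject", "s3:Get*", "cwobject:ExamplePlaceholder"],
         "resources": ["example-bucket/*"]},
        {"effect": "Allow", "principals": ["uid-writer-example"],
         "actions": ["s3:DeleteObject"], "resources": ["example-bucket/*"]},
    ],
}

if __name__ == "__main__":
    for finding in audit_read_only(SAMPLE_POLICY, "uid-reader-example"):
        print(finding)
```

An empty result means every Allow statement that names the principal stays inside the read-only set; any finding points at the statement to split or tighten.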
Last modified on June 18, 2026