Skip to main content
The right approach depends on whether the vendor has their own CoreWeave organization or is on a different platform (AWS, GCP, on-prem, and others). If the vendor is on CoreWeave: Attach a bucket access policy that allows their organization’s principals on the buckets they need. Use a wildcard Principal scoped with a cw:PrincipalOrgID condition listing both organization IDs, as shown in Allow access from another organization. The vendor uses their own CoreWeave credentials. If the vendor is external: Create a CoreWeave access key for a user or service principal whose organization access policy grants only the actions and resources the vendor needs (for example, s3:GetObject on the short-form resource [BUCKET-NAME]/[PREFIX]/*). Share the key with the vendor through a secure channel and rotate it on a defined schedule. For more secure short-lived credentials, see Workload Identity Federation. For full details, see Object Storage policies.
Administrator
Last modified on June 18, 2026