- Pre-signed URLs for AWS S3, which also applies to S3-compatible storage like CoreWeave AI Object Storage.
- Signed URLs for Google Cloud Storage
- Shared Access Signature for Azure Blob Storage
- When needed, AI workloads or user browser clients within your network request pre-signed URLs from W&B.
- W&B responds to the request by accessing the blob storage to generate the pre-signed URL with the required permissions.
- W&B returns the pre-signed URL to the client.
- The client uses the pre-signed URL to read or write to the blob storage.
- Reading: 1 hour
- Writing: 24 hours, to allow more time to upload large objects in chunks.
Team-level access control
Each pre-signed URL is restricted to specific buckets based on team-level access control in the W&B platform. If a user is part of a team that is mapped to a storage bucket using the secure storage connector, and that user is part of only that team, then the pre-signed URLs generated for their requests do not have permissions to access storage buckets mapped to other teams. W&B recommends adding users to only the teams that they are supposed to be a part of.
Network restriction
W&B recommends using IAM policies to restrict the networks that can use pre-signed URLs to access external storage. This helps ensure that your W&B-specific buckets are accessed only from networks where your AI workloads are running, or from gateway IP addresses that map to your user machines.
- For CoreWeave AI Object Storage, refer to Bucket policy reference in the CoreWeave documentation.
- For AWS S3 or S3-compatible storage like MinIO hosted on your premises, refer to the S3 user guide, the MinIO documentation, or the documentation for your S3-compatible storage provider.
Audit logs
W&B recommends using W&B audit logs together with blob storage specific audit logs. For blob storage audit logs, refer to the documentation for each cloud provider.
Admin and security teams can use audit logs to keep track of which user is doing what in the W&B product and take necessary action if they determine that some operations need to be limited for certain users.
Pre-signed URLs are the only supported blob storage access mechanism in W&B. W&B recommends configuring some or all of the above list of security controls according to your organization’s needs.
Determine the user that requested a pre-signed URL
When W&B returns a pre-signed URL, a query parameter in the URL contains the requester’s username:
Storage provider | Signed URL query parameter |
---|---|
CoreWeave AI Object Storage | X-User |
AWS S3 storage | X-User |
Google Cloud storage | X-User |
Azure blob storage | scid |
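The following added example (not W&B code) shows one way to use the parameters in the table when reviewing blob storage access logs: it extracts the requester from each requested URL and flags requests that carry no requester or that come from outside the networks you allow. The record tuples, provider keys, hostnames, usernames and IP ranges are constructed for illustration; adapt the input to your provider's actual log format.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

# Query parameter carrying the requester's username, per the table above.
USER_PARAM = {"coreweave": "X-User", "s3": "X-User", "gcs": "X-User", "azure": "scid"}

def requester(provider, url):
    """Return the username embedded in a pre-signed URL, or None if absent."""
    wanted = USER_PARAM[provider].lower()
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    # Match the name case-insensitively (assumption: logs may normalise case).
    values = [v for k, vs in query.items() if k.lower() == wanted for v in vs]
    # A missing, empty or repeated parameter is treated as unattributable.
    return values[0] if len(values) == 1 and values[0] else None

def audit(records, allowed_cidrs):
    """Flag requests with no attributable user or from outside allowed networks."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for provider, src_ip, url in records:
        user = requester(provider, url)
        inside = any(ipaddress.ip_address(src_ip) in n for n in nets)
        if user is None:
            findings.append((src_ip, None, "no requester parameter"))
        if not inside:
            findings.append((src_ip, user, "outside allowed networks"))
    return findings

# Constructed sample records: (provider, source IP, requested URL).
ALLOWED = ["192.0.2.0/24"]
RECORDS = [
    ("s3", "192.0.2.10", "https://example-bucket.s3.amazonaws.com/run/a.bin?X-Amz-Signature=PLACEHOLDER&X-User=alice"),
    ("azure", "203.0.113.7", "https://exampleaccount.blob.core.windows.net/c/b.bin?sig=PLACEHOLDER&scid=bob"),
    ("gcs", "192.0.2.11", "https://storage.googleapis.com/example-bucket/c.bin?X-Goog-Signature=PLACEHOLDER"),
]

if __name__ == "__main__":
    for finding in audit(RECORDS, ALLOWED):
        print(finding)
```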