W&B uses pre-signed URLs to simplify access to blob storage from your AI workloads or user browsers. This page explains how pre-signed URLs work in W&B. It also outlines the access controls, network restrictions, and audit logging that administrators should configure to secure blob storage access. For background on pre-signed URLs, refer to the cloud provider’s documentation:Documentation Index
Fetch the complete documentation index at: https://wb-21fd5541-docs-2661.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
- Pre-signed URLs for AWS S3, which also applies to S3-compatible storage like CoreWeave AI Object Storage.
- Signed URLs for Google Cloud Storage.
- Shared Access Signature for Azure Blob Storage.
- When needed, AI workloads or user browser clients within your network request pre-signed URLs from W&B.
- W&B responds to the request by accessing the blob storage to generate the pre-signed URL with the required permissions.
- W&B returns the pre-signed URL to the client.
- The client uses the pre-signed URL to read from or write to the blob storage.
- Read operations: 1 hour.
- Write operations: 24 hours, to allow more time to upload large objects in chunks.
Team-level access control
Each pre-signed URL is restricted to specific buckets based on team-level access control in the W&B platform. Consider a user who belongs to only one team, and that team is mapped to a storage bucket using the secure storage connector. In this case, the pre-signed URLs generated for their requests can’t access storage buckets mapped to other teams.W&B recommends adding users only to the teams they need to belong to.
Network restriction
W&B recommends using IAM policies to restrict the networks that can use pre-signed URLs to access external storage. This helps ensure that only networks running your AI workloads, or gateway IP addresses that map to your user machines, can access your W&B-specific buckets. Consult your cloud provider’s documentation for guidance on configuring these IAM policies:- For CoreWeave AI Object Storage, refer to Bucket policy reference in the CoreWeave documentation.
- For AWS S3 or S3-compatible storage like MinIO hosted on your premises, refer to the Amazon S3 User Guide, the MinIO documentation, or the documentation for your S3-compatible storage provider.
Audit logs
W&B recommends using W&B audit logs together with blob-storage-specific audit logs. For blob storage audit logs, refer to the documentation for each cloud provider:- CoreWeave audit logs.
- AWS S3 access logs.
- Google Cloud Storage audit logs.
- Monitor Azure Blob Storage.
Pre-signed URLs are the only supported blob storage access mechanism in W&B. W&B recommends configuring some or all of the preceding security controls to fit your organization’s needs.
Determine the user that requested a pre-signed URL
To correlate pre-signed URL activity with specific W&B users when reviewing audit logs, inspect the query parameter that W&B appends to each URL. When W&B returns a pre-signed URL, a query parameter in the URL contains the requester’s username:| Storage provider | Signed URL query parameter |
|---|---|
| CoreWeave AI Object Storage | X-User |
| AWS S3 | X-User |
| Google Cloud Storage | X-User |
| Azure Blob Storage | scid |