Tenant Admin users can access their tenant’s VAST REST API and Prometheus metrics securely using API tokens. API tokens eliminate the need to pass a username and password for every request and are officially supported beginning with VAST 5.3.
All API calls authenticated via tenant API tokens are automatically scoped to that tenant’s data - even if a tenant_id query parameter is specified.
Prerequisites
Assuming that the following tenant and tenant admin user are already defined in the cluster:
Tenant name:
tenant-ATenant Admin user:
tenantA-user1
Other assumptions:
VMS address:
vast-server-exampleInstalled and configured
vastpy-cli(see vastpy GitHub README for installation and setup instructions - references below).
Set environment variables
export VMS_ADDRESS="vast-server-example"
export VMS_TENANT_NAME="tenant-A"
export VMS_USER="tenantA-user1"
export VMS_PASSWORD='******'Create an API Token (Tenant Admin)
Run the following command:
vastpy-cli post /apitokensExample output:
property | value
---------+------------------------------------------+
id | s7FgCdjF
token | s7FgCdjF.PT3QPRpL6HhOy5hq6kH8cV8NkpWhVlJqUse the API Token in REST API calls
All REST API endpoints support API token authentication (replace <TOKEN> with the value from the step above).
Example test access with API Token – list tenant views:
TOKEN="s7FgCdjF.PT3QPRpL6HhOy5hq6kH8cV8NkpWhVlJq"
curl -sk -H "Authorization: Token $TOKEN" \
"https://vast-server-example/api/latest/views/?fields=path,alias,protocols,tenant_id,tenant_name,id&page=1&page_size=100" | jqExpected output:
[
{
"id": 143,
"tenant_name": "tenant-A",
"alias": "dataset-view",
"protocols": ["NFS"],
"path": "/datasets"
}
]Access Prometheus Metrics with Tenant API Token
Prometheus metrics can also be retrieved using the same API token. Tenant tokens automatically scope the output to that tenant’s data.
Example:
curl -sk -H "Authorization: Token $TOKEN" \
"https://vast-server-example/api/prometheusmetrics/views"Sample output:
# HELP vast_view_physical_capacity View Physical Capacity
# TYPE vast_view_physical_capacity gauge
vast_view_physical_capacity{cluster="ProdCluster",tenant_name="tenant-A",path="/datasets"} 1.2e+12Note: The tenant_id query parameter is ignored for tenant tokens since access is already restricted to the authenticated tenant.
Prometheus Setup (Tenant-Scoped Scraping)
Tenant Admins can retrieve Prometheus metrics using their tenant-level username/password along with the required X-Tenant-Name header. All returned metrics are automatically scoped to that tenant.
Once a Tenant Admin can retrieve metrics via the REST API, the same credentials can be used for Prometheus.
VAST exposes Prometheus metrics under:
/api/prometheusmetrics/<category>(per-area scrapes)/api/prometheusmetrics/all(full metric set in one scrape)
Common categories include:
/api/prometheusmetrics/views/api/prometheusmetrics/users/api/prometheusmetrics/quotas/api/prometheusmetrics/devices/api/prometheusmetrics/user_connections/api/prometheusmetrics/(cluster protocol + system metrics)
Step 1 – Prometheus Configuration
prometheus.yml:
global:
scrape_interval: 1m
scrape_configs:
- job_name: 'vast-tenantA'
scheme: https
scrape_interval: 120s
scrape_timeout: 90s
metrics_path: '/api/prometheusmetrics/all'
static_configs:
- targets: ['vast-server-example:443']
http_headers:
X-Tenant-Name:
values:
- "tenant-A"
basic_auth:
username: 'tenantA-user1'
password: '******'
tls_config:
insecure_skip_verify: true # only for self-signed certificatesStep 2 – Restart Prometheus
pkill prometheus || true
prometheus --config.file=prometheus.yml &Step 3 – Verify the Target
Open:
http://localhost:9090/targetsYou should see:
This confirms that:
Tenant Admin authentication is working
Metrics are correctly scoped to tenant-A
Step 4 – Query Metrics in Prometheus
Example PromQL queries:
vast_view_logical_capacity{tenant_name="tenant-A"}rate(vast_view_metrics_ViewMetrics_read_bw_sum{tenant_name="tenant-A"}[5m])sum by (path) (
rate(vast_view_metrics_ViewMetrics_write_bw_sum{tenant_name="tenant-A"}[5m])
)Grafana Setup for Tenant Metrics
Grafana is used only to visualize metrics that Prometheus has already scraped.
Grafana never connects directly to VAST and requires no tenant headers or authentication - tenant scoping is handled entirely by Prometheus.
Before configuring Grafana, ensure it is installed and running: Follow Grafana’s official installation instructions: 🔗 https://grafana.com/docs/grafana/latest/setup-grafana/installation/
Once Grafana is running, open:
http://localhost:3000Default credentials:
- user: admin
- password: admin (you will be forced to change it on first login)
1. Add Prometheus as a Data Source
Grafana connects only to your local Prometheus, not to VAST.
In Grafana:
Go to Home → Connections → Data Sources
Click Add data source
Select Prometheus
Configure:
Setting | Value |
|---|---|
URL |
|
Auth | None |
Custom Headers | Leave empty |
Other settings | Defaults |
Click Save & Test
(You should see: "Data source is working")
2. Import VAST Dashboards
VAST provides official, prebuilt Grafana dashboards:
🔗 https://github.com/vast-data/vast-grafana-dashboards/tree/main/dashboards/5.3.0
As a Tenant Admin, you can import and view the following dashboards:
Alarms
Events
Data Protection
Identity Policies
Views & Quotas
User Query
Top Actors – Users
Top Actors – Views
(Cluster-wide dashboards such as “Top Actors – Tenants” require Unlimited Super Admin access.)
To import a dashboard:
In Grafana:
Go to Dashboards → New → Import
Upload any
.jsonfile from the VAST dashboard repository
(e.g.,Top Actors - Views.json,Views & Quotas.json, etc.)Select your Prometheus data source
Click Import
References and Documentation
Managing VMS API Tokens — Managing VMS API Tokens (VAST Support)
CLI command reference — apitoken create (VAST CLI Reference)
vastpy SDK & examples — vastpy GitHub README