Client Access to the VAST Catalog

  • Updated on Jan 31, 2026
  • Published on Jan 27, 2026
  • 2 minute(s) read
Prev Next

You can access the VAST Catalog using a number of client applications:

  • The VAST Catalog CLIVAST Database CLI Quick Start Guide

  • Third-party query engines connected to the VAST Database, such as Trino and SparkInstalling and Configuring the VAST Connector for Trino

  • The VAST DB SDK

The following are required for the client to access the Catalog:

  • A host IP address on the cluster

  • An Identity Policy providing access to the Catalog

  • A user associated with the Identity Policy

  • S3 access keys for the user

Providing a Host IP to Access the VAST Catalog

Use one of the virtual IPs from a VAST Cluster virtual IP pool to access the VAST Catalog.Managing Virtual IP Pools

Granting User Access and Permission to Query the VAST Catalog

In order to be able to query VAST Catalog from the VAST Catalog CLI or another client, such as Trino, users need an S3 access key pair, and permission to perform the TabularQueryData action on the relevant data set. You can grant permission to query all data for the tenant on the cluster, or restrict permission to a given path.  Permission is granted through an identity policy.

Cluster administrators can query catalog data for all tenants.

For example, to grant query permission and an S3 access key pair to a user with UID 513, you could do the following:

  1. Create an identity policy to provide query access to the VAST Catalog:

    vcli: admin> identitypolicy create --name data_query --tenant-id 2 --policy '{
                 "Version": "2012-10-17",
                 "Id": "S3PolicyId1",
                 "Statement": [
                 {
                     "Sid": "AllowTabularQueryData",
                     "Effect": "Allow",
                     "Action": "s3:TabularQueryData",
                     "Resource":["arn:aws:s3:::vast-big-catalog-bucket/*","arn:aws:s3:::vast-big-catalog-bucket"]
                  }]
               }'

  2. Retrieve the ID of the policy:

    vcli: admin> identitypolicy list
+----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
| ID | Name        | Users     | Groups | Policy                                                                                                         |
+----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
| 11 | data_query  | ['auser'] | []     | {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:TabularQueryData", "Resource":"*"}]} |
+----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+

  3. Attach the policy to the user:

    vcli: admin> user query --uid 513 --identity-policies-ids 11

  4. Generate an S3 access key pair for the user, valid for the default tenant:

    vcli: admin> user generate-key --uid 513
{'access_key': '*************',
 'secret_key': '*************************'}

For more information, see the following sections:

Related articles