Client Access to the VAST Catalog

  • Updated on Feb 3, 2026
  • Published on Jan 28, 2026
  • 2 minute(s) read
Prev Next

You can access the VAST Catalog using a number of client applications:

The following are required for the client to access the Catalog:

  • A host IP address on the cluster

  • An Identity Policy providing access to the Catalog

  • A user associated with the Identity Policy

  • S3 access keys for the user

Providing a Host IP to Access the VAST Catalog

Use one of the following as a host IP for the client:

  • One or more VIPs from a VAST Cluster VIP pool.Managing Virtual IP Pools

  • An external management IP of the cluster's VMS CNode. To identify the VMS CNode from the VAST Web UI, browse to the CNodes tab of the Infrastructure page, and look for the CNode that has Yes in the VMS column. Take the IP from the Management IP column.

Granting User Access and Permission to Query the VAST Catalog

In order to be able to query VAST Catalog from the VAST Catalog CLI or another client, such as Trino, users need an S3 access key pair and permission to perform the TabularQueryData action on the relevant data set. You can grant permission to query all data on the cluster or restrict permission to a given path.  Permission is granted through an identity policy.

For example, to grant query permission and an S3 access key pair to a user with uid 513, you could do the following:

  1. Create an identity policy to provide query access to the VAST Catalog:

    vcli: admin> identitypolicy create --name data_query --policy '{
                 "Version": "2012-10-17",
                 "Id": "S3PolicyId1",
                 "Statement": [
                 {
                     "Sid": "AllowTabularQueryData",
                     "Effect": "Allow",
                     "Action": "s3:TabularQueryData",
                     "Resource":["arn:aws:s3:::vast-big-catalog-bucket/*","arn:aws:s3:::vast-big-catalog-bucket"]
                  }]
               }'

  2. Retrieve the ID of the policy:

    vcli: admin> identitypolicy list
+----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
| ID | Name        | Users     | Groups | Policy                                                                                                         |
+----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
| 11 | data_query  | ['auser'] | []     | {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:TabularQueryData", "Resource":"*"}]} |
+----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+

  3. Attach the policy to the user:

    vcli: admin> user query --uid 513 --identity-policies-ids 11

  4. Generate an S3 access key pair for the user, valid for the default tenant:

    vcli: admin> user generate-key --uid 513
{'access_key': '*************',
 'secret_key': '*************************'}

For more information, see the following sections:

Related articles