Providing Client Access to VAST Catalog CLI


The VAST Catalog CLI enables users on the cluster's client network to query VAST Catalog.

To provide access to VAST Catalog CLI:

Provide a VAST Catalog CLI Host IP

VAST Catalog CLI's client configuration requires a host IP on the cluster.

Provide users with one of the following as a host IP:

  • One or more VIPs from a VIP pool. See Managing Virtual IP Pools.

  • An external management IP of the cluster's VMS CNode. To identify the VMS CNode from the VAST Web UI, browse to the CNodes tab of the Infrastructure page, and look for the CNode that has Yes in the VMS column. Take the IP from the Management IP column.

Grant User Access and Permission to Query VAST Catalog

To query VAST Catalog from the VAST Catalog CLI or from another client, such as Trino, users need an S3 access key pair and permission to perform the TabularQueryData action on the relevant data set. You can grant permission to query all data on the cluster or restrict permission to a given path. Permission is granted through an identity policy.

For example, to grant query permission and an S3 access key pair to a user with uid 513, you could do the following:

  1. Create an identity policy to provide query access to all data on the cluster:

    vcli: admin> identitypolicy create --name data_query --policy '{
        "Version": "2012-10-17",
        "Id": "S3PolicyId1",
        "Statement": [
            {
                "Sid": "AllowTabularQueryData",
                "Effect": "Allow",
                "Action": "s3:TabularQueryData",
                "Resource": "arn:aws:s3:::vast-big-catalog-bucket"
            }
        ]
    }'

  2. Retrieve the ID of the policy:

    vcli: admin> identitypolicy list
    +----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
    | ID | Name        | Users     | Groups | Policy                                                                                                         |
    +----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
    | 11 | data_query  | ['auser'] | []     | {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:TabularQueryData", "Resource":"*"}]} |
    +----+-------------+-----------+--------+----------------------------------------------------------------------------------------------------------------+
    
  3. Attach the policy to the user:

    vcli: admin> user query --uid 513 --s3-policies-ids 11

  4. Generate an S3 access key pair for the user, valid for the default tenant:

    vcli: admin> user generate-key --uid 513
    {'access_key': '*************',
     'secret_key': '*************************'}
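
A check an administrator could run on the step 2 listing before attaching a policy in step 3, as an added example that is not part of the VAST documentation or tooling: it parses pasted `identitypolicy list` output and reports Allow statements that grant anything beyond `s3:TabularQueryData` or use a wildcard `Resource`. Row 11 is the row shown in step 2; row 12 (name `data_query_scoped`) is constructed from the step 1 policy, and all function names are assumptions.

```python
import json

# Row 11 is the `identitypolicy list` row shown in step 2 (padding trimmed).
# Row 12 is constructed: a hypothetical policy holding the JSON from step 1.
SAMPLE_LISTING = """\
| ID | Name              | Users     | Groups | Policy |
| 11 | data_query        | ['auser'] | []     | {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Action": "s3:TabularQueryData", "Resource":"*"}]} |
| 12 | data_query_scoped | []        | []     | {"Version": "2012-10-17", "Statement": [{"Sid": "AllowTabularQueryData", "Effect": "Allow", "Action": "s3:TabularQueryData", "Resource": "arn:aws:s3:::vast-big-catalog-bucket"}]} |
"""

EXPECTED_ACTION = "s3:TabularQueryData"


def as_list(value):
    """Policy fields may hold one item or a list of items; normalise to a list."""
    return list(value) if isinstance(value, list) else [value]


def parse_listing(text):
    """Yield (policy_id, name, policy_dict) for each data row of the table."""
    for line in text.splitlines():
        parts = line.strip().split("|", 5)
        if len(parts) < 6 or not parts[1].strip().isdigit():
            continue  # border, header or blank line
        policy_json = parts[5].rsplit("|", 1)[0]  # drop the closing table pipe
        yield int(parts[1]), parts[2].strip(), json.loads(policy_json)


def findings(policy):
    """Return least-privilege findings for the Allow statements of one policy."""
    out = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in as_list(stmt.get("Action", [])):
            if action != EXPECTED_ACTION:
                out.append(f"statement {i}: grants extra action {action}")
        for res in as_list(stmt.get("Resource", [])):
            if "*" in res:
                out.append(f"statement {i}: Resource '{res}' contains a wildcard")
    return out


def audit(text):
    return {pid: findings(pol) for pid, _name, pol in parse_listing(text)}


if __name__ == "__main__":
    for pid, issues in audit(SAMPLE_LISTING).items():
        print(pid, issues or "ok")
```

An empty findings list means the policy grants only the query action on explicitly named resources.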

For more information, see the following sections:

Provide VAST Catalog CLI Installation Instructions

A quick start guide is provided here: VAST Catalog CLI Quick Start Guide