Overview
This topic explains how to manage access to VAST databases in S3 views on VAST clusters, and how to grant the S3 permissions needed to manage a VAST database using a VAST identity policy.
A number of examples are included, which you can adapt to the specific requirements of your database so that permissions are set according to the principle of least privilege.
Prerequisites
A VAST DB bucket (database) and schemas.
An S3 user with an access key and secret key generated on the VAST Cluster.
Managing Access to VAST S3 Databases using View Policies
In order to view VAST databases in S3 buckets on VAST clusters, the users or groups accessing the database must be included in the view policy for the bucket with the ListBuckets permission.
To do this, follow step 6 of Creating View Policies (for S3-enabled views) to add the bucket listing permission to the relevant users or groups.
Managing VAST S3 Tabular Databases using Identity Policies
Common Actions for Database Usage
The following actions are common database actions for which permissions are granted in identity policies:
| Tabular Action | Description |
|---|---|
| TabularCreateSchema | Create a schema in the database. A schema is a container of tables. |
| TabularCreateTable | Create a table in the database. |
| TabularCreateView | Create a database view in the database. |
| TabularAddColumns | Add columns to a table. |
| TabularAlterSchema | Rename or move a schema in the database. |
| TabularAlterTable | Rename a table or move it between schemas. |
| TabularAlterColumn | Modify a column's name or properties. |
| TabularAlterView | Modify the properties of a database view. |
| TabularDropSchema | Drop a schema from the database. |
| TabularDropView | Drop a database view from the database. |
| TabularDropTable | Drop a table from the database. |
| TabularDropColumns | Drop columns from a table. |
| TabularListSchemas | List schemas below the specified path. |
| TabularListTables | List tables below the specified schema path. |
| TabularListColumns | List the columns of a table. |
| TabularListViews | List the database views in the database. |
| TabularGetTableStats | Get table statistics (currently the number of rows and bytes used). |
| TabularBeginTransaction | Start a transaction. |
| TabularCommitTransaction | Commit a transaction. |
| TabularRollbackTransaction | Roll back a transaction. |
| TabularQueryData | Query data (SELECT-like, but returns pages of columns). |
| TabularInsertRows | Insert rows into a table. |
| TabularImportData | Import data from previously uploaded Parquet files into an existing table. |
| TabularUpdateRows | Update rows in a table. |
| TabularDeleteRows | Delete rows from a table. |
| TabularGetTransaction | Check whether a transaction ID exists and mark it as in progress. |
| TabularCreateProjection | Create a projection table for an existing table, with sorted and unsorted keys from the source table. |
| TabularDropProjection | Drop a projection table. |
| TabularAlterProjection | Rename a projection table or modify its properties. |
| TabularGetProjectionStats | Get projection table statistics (currently the number of rows and bytes used). |
| TabularListProjections | List the projection tables of a specified table. |
| TabularListProjectionColumns | List the columns of a projection table. |
Steps for Defining Database Permissions
1. Create the VAST database.
2. Create a VAST Cluster user and generate an access key and secret key for the user.
3. Create an identity policy.
4. Assign the identity policy to the new user.
The user can now perform VAST database operations.
Identity Policy Examples for Database Permissions
Example 1: Provide full access to a specific bucket / database
In VAST DB, granting full access to a specific database requires granting both bucket-level operations and object-level operations on that database's bucket.
In the identity policy, the Resource element of a statement takes one of two forms:
"Resource": ["vastdb-bucket/*"] grants permissions for all object-level operations (such as querying a table).
"Resource": ["vastdb-bucket"] grants permissions for bucket-level operations (such as listing schemas).
Listing both resources in the same policy grants permissions on both the bucket itself and its objects. Note that each resource is a separate string in the Resource array; a single string containing both paths would match neither:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Full_Access_Specific_Bucket",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["my_bucket", "my_bucket/*"]
    }
  ]
}
```
Example 2: VAST DB Read-Only
This example grants read-only permissions (list and query) on a single schema:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Read_Only_All_Tabular_Resources_Under_Specific_Schema",
      "Effect": "Allow",
      "Action": "s3:TabularList*",
      "Resource": ["my_bucket/my_schema/*"]
    },
    {
      "Sid": "Allow_Query_Data",
      "Effect": "Allow",
      "Action": "s3:TabularQueryData*",
      "Resource": ["my_bucket/my_schema/*"]
    }
  ]
}
```
Example 3: Full access for all Tabular operations and buckets, at bucket level only
This example grants all Tabular actions on all resources:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Read_Write_All_DB",
      "Effect": "Allow",
      "Action": "s3:Tabular*",
      "Resource": ["*"]
    }
  ]
}
```
Example 4: VAST DB modify schema
This example grants all Tabular actions on one schema in the database:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Read_Write_All_DB",
      "Effect": "Allow",
      "Action": "s3:Tabular*",
      "Resource": ["my_bucket/my_schema/*"]
    }
  ]
}
```
Example 5: VAST DB + S3 Read/Write, full bucket-level access to all buckets
This example grants all S3 actions, Tabular actions included, on all bucket resources:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Read_Write_All",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": ["*"]
    }
  ]
}
```
Example 6: List tables and columns of a specific database table
This example grants permission to list tables and columns for one specific table in a schema:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:TabularListTables",
      "Resource": "my_bucket/my_schema/my_table"
    },
    {
      "Effect": "Allow",
      "Action": "s3:TabularListColumns",
      "Resource": "my_bucket/my_schema/my_table"
    }
  ]
}
```
Example 7: Delete table rows
This example grants the permissions needed to delete rows from a specific database table (querying and listing columns are included so the rows to delete can be identified):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Allow_Query",
      "Effect": "Allow",
      "Action": "s3:TabularQueryData",
      "Resource": ["my_bucket/my_schema/my_table"]
    },
    {
      "Sid": "Allow_Delete_Row",
      "Effect": "Allow",
      "Action": "s3:TabularDeleteRows",
      "Resource": ["my_bucket/my_schema/my_table"]
    },
    {
      "Sid": "Allow_List_Columns",
      "Effect": "Allow",
      "Action": "s3:TabularListColumns",
      "Resource": ["my_bucket/my_schema/my_table"]
    }
  ]
}
```
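As an added check (example code, not VAST's own tooling), the evaluator below applies the bucket-level versus object-level Resource forms described under Example 1 to the read-only policy of Example 2: it assumes IAM-style matching where `*` is the only wildcard, reports whether a given Tabular action on a given path would be allowed, and flags the mistake of putting several paths into one Resource string, which matches nothing. The function names `is_allowed` and `lint_resources` are hypothetical.

```python
import fnmatch
import json

# Constructed sample: the read-only policy of Example 2 above.
READ_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "ReadOnlySchema", "Effect": "Allow",
     "Action": "s3:TabularList*", "Resource": ["my_bucket/my_schema/*"]},
    {"Sid": "AllowQueryData", "Effect": "Allow",
     "Action": "s3:TabularQueryData*", "Resource": ["my_bucket/my_schema/*"]}
  ]
}""")

# Constructed sample: the Resource list of Example 1 written as ONE string
# (a copy-paste mistake) instead of two separate entries.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:*",
                 "Resource": ["my_bucket, my_bucket/*"]}]
}""")

def _as_list(value):
    """Action and Resource may be a single string or a list of strings."""
    return [value] if isinstance(value, str) else list(value)

def _glob(pattern, value):
    # Assumption: IAM-style matching where '*' is the only wildcard and
    # matches any run of characters (including '/'); case-sensitive.
    escaped = pattern.replace("[", "[[]").replace("?", "[?]")
    return fnmatch.fnmatchcase(value, escaped)

def is_allowed(policy, action, resource):
    """True if an Allow statement matches the action/resource pair and no
    Deny statement matches it (Deny handling is an IAM-style assumption)."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(_glob(a, action) for a in _as_list(stmt["Action"]))
        res_hit = any(_glob(r, resource) for r in _as_list(stmt["Resource"]))
        if act_hit and res_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def lint_resources(policy):
    """Return Resource entries that contain a comma: one string holding
    several paths matches no real bucket or object path."""
    return [r for s in policy["Statement"]
            for r in _as_list(s["Resource"]) if "," in r]
```

Run it against a policy before assigning it to a user: the schema-scoped read-only policy allows queries and listing inside `my_bucket/my_schema` but not deletes, other schemas, or the bucket-level `TabularListSchemas`, which needs the bare bucket resource.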