Error: "Unable to extract requested data" when viewing container volumes in CNS

Article ID: 398425

Updated On: 06-19-2025

Products

VMware vCenter Server

Issue/Introduction

  • When you access the Container Volumes section in Cloud Native Storage (CNS) using a non-administrator account, you may encounter the error: "Unable to extract requested data. Check vSphere Client logs for details."
  • The container volume information remains unavailable despite successful authentication to the vSphere Client.
  • This issue prevents technical teams from viewing and monitoring containerized workloads in Kubernetes environments running on vSphere infrastructure.

Environment

Seen in:

  • vSphere 8.0 Update 3, using the vSphere Client (HTML5) interface to access Cloud Native Storage (CNS) container volumes
  • vSphere 7.0 and later releases with Cloud Native Storage enabled
  • Environments using the CNS feature with Kubernetes clusters deployed through vSphere with Tanzu or other Kubernetes distributions
  • Any vSphere edition that includes Storage Policy Based Management (SPBM) functionality - vSphere Standard and above

Cause

This issue occurs when a user account lacks the specific privileges required to view container volumes in Cloud Native Storage. The vSphere Client requires two critical permissions to be assigned at the vCenter Server root level:

  1. "Cns.Searchable" - This privilege enables the user to search and discover Cloud Native Storage objects in the inventory.
  2. "StorageProfile.View" - This privilege allows viewing Storage Policy information, which is required for container volume display.

When these permissions are missing, the vSphere Client cannot retrieve the necessary data to populate the Container Volumes view. The error message appears because the permission check fails during the data extraction process.
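
The check described above can be run as a read-only audit before changing any role. This is an added PowerCLI example, not part of the original article; it assumes VMware PowerCLI is installed and a single vCenter Server session is already open with Connect-VIServer. The function name Test-CnsViewAccess and the sample principal are hypothetical.

```powershell
# Added example: read-only audit of the two privileges named in the Cause section.
# Assumes one active Connect-VIServer session. Test-CnsViewAccess is a hypothetical name.
function Test-CnsViewAccess {
    param(
        [Parameter(Mandatory)][string]$Principal
    )

    # Privilege IDs exactly as listed in this article.
    $required = 'Cns.Searchable', 'StorageProfile.View'

    # The root inventory folder is where vCenter-level permissions are attached.
    $root = Get-Folder -NoRecursion

    # Only assignments made directly to this principal are returned;
    # permissions inherited through group membership are not resolved here.
    $perms = Get-VIPermission -Entity $root -Principal $Principal
    if (-not $perms) {
        Write-Warning "No permission assigned to $Principal at the vCenter root."
        return
    }

    foreach ($perm in $perms) {
        $role    = Get-VIRole -Name $perm.Role
        $missing = @($required | Where-Object { $role.PrivilegeList -notcontains $_ })

        [pscustomobject]@{
            Principal         = $perm.Principal
            Role              = $perm.Role
            Propagate         = $perm.Propagate
            MissingPrivileges = $missing -join ', '
            CanViewCnsVolumes = ($missing.Count -eq 0)
            # A large count next to Propagate = True means the account holds far
            # more than the two privileges this view needs.
            RolePrivilegeCount = $role.PrivilegeList.Count
        }
    }
}

# Constructed sample principal; replace with the affected account.
Test-CnsViewAccess -Principal 'EXAMPLE\cns-viewer'
```

A row with CanViewCnsVolumes = False names the privilege to add under Option 2; a row that passes only because a broad role is propagated from the root is a candidate for the narrower built-in role in Option 1.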

Resolution

Option 1: Use the Built-in CNS-SUPERVISOR-SEARCH-AND-SPBM Role

  1. Log in to the vSphere Client using an administrator account.
  2. Navigate to Menu > Administration > Access Control > Permissions.
  3. Right-click on the vCenter Server object at the root of the inventory and select Add Permission.
  4. Click Add to select the user or group that needs access to container volumes.
  5. From the Role dropdown, select CNS-SUPERVISOR-SEARCH-AND-SPBM.
  6. Configure access scope based on your requirements:
    • For full access to all objects: Select the Propagate to children checkbox.
    • For limited access to specific objects only: Clear the Propagate to children checkbox, then continue with step 8.
  7. If you selected full access (Propagate to children), click OK and skip to step 10.
  8. For limited access, after applying the permission at the vCenter level, add permissions to specific child objects:
    • Navigate to each specific object (cluster, host, or folder) that requires access
    • Right-click and select Add Permission
    • Select the same user or group
    • Assign an appropriate role with the specific access levels needed for that object
    • Set Propagate to children as needed for each child object
  9. Click OK to apply each permission.
  10. Have the user sign out and sign back in to the vSphere Client.
  11. Verify access by navigating to Monitor > Cloud Native Storage > Container Volumes.

Option 2: Add Required Privileges to an Existing Custom Role

  1. Log in to the vSphere Client using an administrator account.
  2. Navigate to Menu > Administration > Access Control > Roles.
  3. Select the existing role you want to modify and click Edit.
  4. In the Edit Role dialog, add the following privileges based on your vSphere version:
    • For vSphere 7.0: Expand Profile-driven Storage and select View
    • For vSphere 8.0: Expand VM Storage Policies and select View VM storage policies
    • Additionally, expand CNS and select Searchable (for both versions)
  5. Click Save to update the role.
  6. To apply this updated role, follow the same steps described in Option 1 (steps 6-11) to assign permissions at the vCenter Server level with appropriate propagation settings.
  7. Have the user sign out and sign back in to the vSphere Client.

Additional Information

Notes on vSphere 8.x Storage Policy Permission Improvements

In vSphere 8.0 and later, VMware introduced more granular storage policy permissions:

  • vSphere 8.0 allows you to separate the ability to view, apply, and modify storage policies with three distinct privileges:
    1. "VM Storage Policies > View VM storage policies" - Allows users to see storage policies
    2. "VM Storage Policies > Apply VM storage policies" - Allows users to assign existing policies to VMs
    3. "VM Storage Policies > Update VM storage policies" - Allows users to create or modify policies

For Cloud Native Storage access specifically, users only need the "View VM storage policies" privilege.

Verification Process

After applying permission changes, users must sign out and sign back in to the vSphere Client for the changes to take effect. No service restarts are required.