
Trino Community Broadcast

77: One tool to proxy them all

Oct 29, 2025

Introduction

Jordan Zimmerman and Pablo Arteaga introduce us to aws-proxy, a new Trino subproject, and its use cases with AWS S3 and other storage systems, metastores, and query engines.

Video

Host

Guest

Releases and news

Trino 478 is in the final stages of getting released. We will talk about the details in the next episode.

Other releases and news

Introducing Jordan and Pablo

Manfred chats with Pablo and Jordan about their involvement in the Trino community. We end up chatting a bunch about the Airlift framework, which is a foundation for Trino, since Jordan has been involved in that project for a long time. Pablo has been involved in Trino itself and worked on the OPA plugin and the Trino Gateway, among other things.

aws-proxy

The AWS Proxy is an open-source Java toolkit and library, not a standalone application, designed to act as a transparent proxy for AWS Simple Storage Service (S3) compatible object storage protocols.

It was created by developers from Starburst, Bloomberg and other organizations in the Trino community to address the need for enhanced governance and security with tools like Apache Spark that lack security controls. It also supports direct data access to S3 or S3-compatible systems, like MinIO or Dell ECS.

Key functionality and use cases

  • Security and governance layer: The primary goal is to prevent client applications from bypassing governance systems by accessing S3 directly. It ensures all data access is channeled through the proxy, where custom business logic can be applied.
  • Signature handling: It handles the complex AWS Signature Version 4 (SigV4) protocol used for authenticating requests, which was the most challenging part of its development.
  • Emulated credentials: Clients are configured to use fake, worthless credentials that are only recognized by the proxy. The proxy then validates the user’s identity and request against security policies (like OPA), signs the request with the real, secure AWS keys (kept safe behind the firewall), and forwards it to the real S3 store.
  • Extensibility: It’s built on the Airlift framework and uses a simple Service Provider Interface (SPI) plugin mechanism. This allows users to add custom logic for authorization, object storage abstraction from buckets to tables, redirection, and other use cases.

In essence, it takes standard S3 requests from data tools and mediates them, applying security, control, and abstraction before forwarding them to the actual data lake storage.
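The emulated-credentials flow from the list above, as an added Python example (not aws-proxy's own code, which is Java): the proxy recomputes the SigV4 signature with the emulated secret, rejects a mismatch, then re-signs the request for the real store. All key names, secrets and function names are constructed for illustration, and the code assumes header-signed requests with lowercase header names and no query string.

```python
import hashlib
import hmac

# Constructed sample values: the emulated pair is known only to the proxy,
# and the "real" pair stands in for keys that never leave the proxy side.
EMULATED = {"EMULATEDKEY": "emulated-secret"}
REAL_KEY, REAL_SECRET = "REALKEYPLACEHOLDER", "real-secret-placeholder"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

def sigv4(secret, method, path, headers, region):
    """Return (signature, scope, signed_headers) for lowercase headers, no query string."""
    names = sorted(headers)
    date = headers["x-amz-date"]
    canonical = "\n".join([method, path, "",
                           "".join(f"{n}:{headers[n].strip()}\n" for n in names),
                           ";".join(names), headers["x-amz-content-sha256"]])
    scope = f"{date[:8]}/{region}/s3/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in scope.split("/"):  # signing key chain: date, region, service, terminator
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest(), scope, ";".join(names)

def authorization(access_key, secret, method, path, headers, region):
    sig, scope, signed = sigv4(secret, method, path, headers, region)
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed}, Signature={sig}")

def proxy_resign(method, path, headers, auth, real_host):
    """Verify the client's emulated-credential signature, then re-sign for the real store."""
    fields = dict(f.strip().split("=", 1) for f in auth.split(" ", 1)[1].split(","))
    access_key, _, region = fields["Credential"].split("/")[:3]
    secret = EMULATED.get(access_key)
    if secret is None:
        raise PermissionError("unknown emulated access key")
    signed = {n: headers[n] for n in fields["SignedHeaders"].split(";")}
    expected = sigv4(secret, method, path, signed, region)[0]
    if not hmac.compare_digest(expected, fields["Signature"]):
        raise PermissionError("signature mismatch")
    # A policy decision (the page mentions OPA) would be enforced here.
    upstream = dict(signed, host=real_host)
    upstream["authorization"] = authorization(REAL_KEY, REAL_SECRET, method, path,
                                              upstream, region)
    return upstream
```

Timestamp freshness checks, query-string signing and chunked payloads are outside what this example covers.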

Resources

Rounding out