Description
From documentation:
Trino supports flexible security mapping for S3, allowing for separate credentials or IAM roles for specific users or S3 locations. The IAM role for a specific query can be selected from a list of allowed roles by providing it as an extra credential.
Part of this functionality, specifically mapping users to IAM roles, could be useful when communicating with other AWS services: Glue, OpenSearch, Iceberg REST Catalog (Glue) etc.
These days it is especially important when using Glue as a metastore in conjunction with Lake Formation. If Trino is used for querying data locations registered with LF, we can rely on restricting access to metadata (Glue) rather than restricting access to the data (S3), as Glue will resolve every request against Lake Formation first. It gives much more flexibility than managing IAM and bucket policies manually. However, it only makes sense if users are mapped to IAM roles, and for now Trino always uses the same role while communicating with Glue.
My proposal is to decouple generic code (not S3-specific) from S3 Security Mapping to a new library. This way integrating Glue and potentially other services with security mapping will be way easier.
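To make the mapping semantics the proposal wants to reuse concrete, here is an added illustration (not Trino's code and not part of this issue) of the generic, service-independent part: first matching user/group entry wins, and the `iam-role` extra credential may only select a role that entry explicitly allows. The JSON field names are an assumption modelled on the documented S3 security mapping format, and the account id and role names are placeholders.

```python
import json
import re

# Constructed mapping file (assumption: field names modelled on Trino's S3
# security mapping JSON; account id and role names are placeholders).
MAPPING_JSON = """
{"mappings": [
  {"user": "admin", "iamRole": "arn:aws:iam::000000000000:role/admin"},
  {"group": "analysts",
   "iamRole": "arn:aws:iam::000000000000:role/analyst-ro",
   "allowedIamRoles": ["arn:aws:iam::000000000000:role/analyst-rw"]},
  {"user": "bob|carol", "useClusterDefault": true}
]}
"""


class SecurityMappingError(Exception):
    """Raised when a query has no usable mapping or asks for a role it may not assume."""


def load_mappings(text=MAPPING_JSON):
    return json.loads(text)["mappings"]


def resolve_role(mappings, user, groups=(), extra_credentials=None):
    """Pick the IAM role for one query: the first entry whose user/group regex
    matches wins; an 'iam-role' extra credential may only choose a role that
    entry permits. Returns None when the entry falls back to cluster credentials."""
    requested = (extra_credentials or {}).get("iam-role")
    for entry in mappings:
        if "user" in entry and not re.fullmatch(entry["user"], user):
            continue
        if "group" in entry and not any(re.fullmatch(entry["group"], g) for g in groups):
            continue
        # Matched: the roles this entry permits are its default plus the allowed list.
        permitted = set(entry.get("allowedIamRoles", []))
        if "iamRole" in entry:
            permitted.add(entry["iamRole"])
        if requested is not None:
            if requested not in permitted:
                raise SecurityMappingError(f"role {requested} not allowed for user {user}")
            return requested
        if "iamRole" in entry:
            return entry["iamRole"]
        if entry.get("useClusterDefault"):
            return None
        raise SecurityMappingError("mapping requires an 'iam-role' extra credential")
    raise SecurityMappingError(f"no security mapping matches user {user}")
```

Nothing here is S3-specific, which is the point of the proposal: the same resolver could hand the chosen role to a Glue or REST catalog client.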