Try StarTree Cloud: 30-day free trial
Connect Trino to StarTree Cloud

Connect Trino to StarTree Cloud

To connect Trino to StarTree Cloud, do the following:

  1. Convert your API token to the [username]:[password] format.

  2. Choose one of the following ways to install Trino:

Convert your API token to [username]:[password] format

To connect Trino to StarTree Cloud, you must convert your API token to a [username]:[password] format.

For basic tokens


You can use (opens in a new tab) to decode your token from the base64 format to the following string:


The username and password are separated by a colon within the decoded string.

username = 4cefb8480f8f4a7886a5c9da1056a7b5

password = yYGUYlWPUiNNN46nFZcOo3aTOqICP2aAk1qxT5B8AJQ=

As an alternative to the method above, you can use the following bash command to infer the username and password from the API token:

PINOT_USERNAME=`echo ${PINOT_API} | base64 --decode | awk -F ':' '{print $1}'`
PINOT_PASSWORD=`echo ${PINOT_API} | base64 --decode | awk -F ':' '{print $2}'`

The output is


For bearer tokens

To convert your bearer token, drop the st- prefix, and then use the 16 alphanumeric string before the hyphen as your username and the following 32 alphanumeric string as your password.

For example, if your bearer token is st-XkQBXKr652MV1VF9-5gkhGWNaGAdA1NU5yrHXRSPKMCcNRlRg, use the following as your username and password:

username = XkQBXKr652MV1VF9 password = 5gkhGWNaGAdA1NU5yrHXRSPKMCcNRlRg

Trino Pinot Proxy

In a StarTree deployment, Pinot components are hosted within a Kubernetes cluster. Pinot server endpoints are not exposed outside the Kubernetes cluster in this setup. While this is fine for most use cases, it creates a problem for external services like Trino.

Pinot Proxy is our solution to enable Trino connection into the Pinot cluster when inside the Kubernetes cluster. Without Pinot Proxy, we will have to create dedicated Kubernetes routes for each single Pinot Server host, and such a solution is not scalable for Kubernetes.

High-Level Architecture

At a very high level, Pinot Proxy behaves similarly to a reverse proxy like Nginx. It proxies RPC requests into Pinot clusters inside Kubernetes.

A special feature of Pinot Proxy is that it can forward Trino gRPC requests to specific Pinot Servers rather than routing them by load balancers.

This diagram illustrates how it communicates with Trino Pinot drivers.


We have detailed slides (opens in a new tab) explaining the technical aspect of this design and why we need a Pinot proxy.

What does it mean for Pinot Clients

The main benefit is that with Pinot Proxy, Trino can finally run queries in streaming mode when connecting to Pinot inside a Kubernetes cluster.

For more information on Pinot connectors, view Apache Pinot Connector (opens in a new tab) documentation.

Connection Settings for Trino

Note: Trino has to be version 400 or higher to properly connect to Pinot in Kubernetes.

The Trino connection URLs must be modified to point to Pinot Proxy host names to connect via Pinot Proxy. Suppose your pinot cluster is named pug, the environment name is prod, and StarTree cloud domain is Below are the configs needed in configuration in Trino:

# Pinot controller URI, in the format of <scheme>://<hostname>:<port>, scheme is required.
# Replace the with the link to your pinot cluster

# Pinot Server gRPC port, Trino default is 8090, StarTree Cloud default is 8096

# Enable Pinot Rest Proxy

# Pinot Rest Proxy gRPC URI, in the format of <hostname>:<port>
# Replace the with the link to your pinot cluster
# For the clusters without TLS enabled, the port number will be 80

Extra settings for clusters with TLS enabled

If the cluster has TLS enabled, we will need the extra properties in the configuration file.

Follow the doc to generate a API token and Credential for your Pinot Auth Token and get the Username/Password out from it.

# Extra Pinot gRPC configs
# Enable gRPC TLS

# Authentication configs