Zynga, a world chief in interactive leisure operates a portfolio of cell recreation studios together with Socialpoint, the creators of Dragon Metropolis and Monster Legends. Zynga’s analytics platform processes telemetry and income knowledge throughout studios utilizing Amazon Redshift as its central knowledge warehouse.
As Zynga expanded its analytics structure to incorporate particular person studios with their very own compute environments, the staff confronted a problem: how one can preserve centralized knowledge governance whereas granting studios impartial question capability. Their current method to permission administration launched lag and required customized infrastructure if scaled to a number of warehouses.
On this submit, we stroll by way of how Zynga adopted Amazon Redshift federated permissions and AWS IAM Identification Heart to implement constant, tiered knowledge entry throughout provisioned and serverless Amazon Redshift environments with out constructing customized synchronization pipelines.
The problem
Zynga wanted to onboard Socialpoint’s present Amazon Redshift workloads and make Zynga’s central knowledge accessible to them. Zynga’s current manufacturing cluster would home the Socialpoint uncooked knowledge, however the compute would come from one other warehouse arrange as a shopper. On the identical time, Zynga’s knowledge entry management insurance policies would have to be enforced throughout all warehouses. Zynga makes use of a tiered entry management coverage which might have to be synced throughout all shoppers with no permission lag or handbook grant synchronization.
Through the migration, Socialpoint’s particular extract, rework, and cargo (ETL) processes can be included in Zynga’s central ETLs and their knowledge ingestion pipeline would get replaced by Zynga’s newest era of knowledge ingestion infrastructure. As a result of the migration course of occurs in levels, Amazon Redshift sizing would additionally regularly want to extend.
The staff evaluated two alternate options earlier than arriving at an answer:
Guide grants on shopper clusters launched a delay between when permissions had been up to date on the producer and once they took impact on the buyer. This method would additionally require an exterior job that synced permissions and can be unlikely to scale effectively past 2–3 shoppers.
Resolution overview
Zynga applied an answer utilizing three AWS companies working collectively:
Amazon Redshift federated permissions enabled cross-cluster queries with out specific knowledge shares. Permissions granted on the producer cluster propagate instantly to shopper workgroups by way of AWS Glue Knowledge Catalog registration.
AWS IAM Identification Heart gives unified authentication by way of federation with Okta. When customers register, their Okta group memberships are provisioned by way of a System for Cross-domain Identification Administration (SCIM) and mechanically map to Amazon Redshift roles, eradicating the necessity for exterior synchronization jobs.
Amazon Redshift Serverless gives the compute layer for Socialpoint, scaling to zero when idle and avoiding the necessity to pre-size a provisioned cluster in the course of the migration interval.
The structure makes use of a dual-grant method the place each permission is granted to each an IAM Identification Heart group (for customers) and a federated IAM position (for service accounts). This provides each authentication paths the identical entry.
The way it works
Authentication with IAM Identification Heart
Zynga’s current Okta listing syncs to IAM Identification Heart, which is related to the Amazon Redshift Serverless workgroup. When a person authenticates, Amazon Redshift mechanically creates a person mapped to their e-mail tackle and assigns them to roles primarily based on their Okta group membership.
For instance, an analyst within the Gamma Tier group indicators in and is mechanically assigned the AWSIDC:position.sso.gamma position in Amazon Redshift. No handbook position task or synchronization job is required.
Service accounts, used for programmatic entry, authenticate otherwise. Both utilizing their IAM position and calling the get-credentials API, or by utilizing the brand new federated permissions characteristic. Every service account assumes a federated IAM position, which creates a corresponding federated person in Amazon Redshift (for instance, IAMR:role_iam_gamma).
Determine 1 – Identification layer
The twin-grant method
To make sure that each customers and repair accounts can entry the identical knowledge, each learn permission is granted to each the IAM Identification Heart group and the federated IAM position in a single assertion:
GRANT SELECT ON schema.desk TO
'IAMR:role_iam_gamma',
ROLE 'AWSIDC:position.sso.gamma';
Transitioning the producer cluster
The shared provisioned cluster already had energetic customers with native grants. To keep away from disruption, Zynga applied a tri-grant method on the producer in the course of the transition interval. Present saved procedures had been modified to grant permissions to 3 targets: the legacy native position, the IAM Identification Heart group, and the federated IAM position.
GRANT SELECT ON schema.desk TO
ROLE role_rs_gamma,
ROLE 'AWSIDC:position.sso.gamma','IAMR:role_iam_gamma';
This method maintains backward compatibility for current customers on the producer whereas enabling speedy entry from the brand new serverless workgroup. The long-term plan consists of migration of all producer customers to IAM Identification Heart and retire the legacy native grants.
Saved procedures for constant governance
Somewhat than requiring customers to assemble dual-grant statements manually, Zynga created saved procedures that encapsulate the grant logic:
grant_read accepts a desk title and entry tier, then points the suitable dual-grant for each the IAM Identification Heart group and the federated IAM position.
grant_write grants knowledge definition language (DDL) and knowledge manipulation language (DML) permissions to the suitable team-based position.
This gives a constant interface for permission administration no matter which cluster or workgroup that the person is on.
Determine 2 – Knowledge and compute layer
Outcomes
The migration delivered measurable enhancements:
Fast permission propagation – Grants on the producer cluster took impact on the buyer workgroup immediately, changing a course of that beforehand required handbook intervention and launched lag.
Zero further infrastructure price – Federated permissions, federated queries, and IAM Identification Heart added no incremental prices to the structure.
Eliminated customized synchronization – The staff eliminated the necessity for Lake Formation configurations, exterior AWS Lambda capabilities, and Airflow workflows for permission administration.
Scalable sample – The identical structure will be prolonged to further studio workgroups with out duplicating permission administration logic.
Classes discovered
Zynga adopted federated permissions shortly after the characteristic launched in US West Oregon (us-west-2) in January 2026. The staff shared a number of observations from their early adoption:
Run a proof of idea first. The staff validated the total permission mannequin in a check atmosphere earlier than deploying to manufacturing, together with testing that current knowledge shares to different clusters weren’t disrupted.
Plan for the dual-grant requirement. As a result of IAM Identification Heart customers and federated IAM roles are distinct id varieties, each learn permission requires two grants. Encapsulating this in saved procedures prevents errors and reduces cognitive overhead.
Begin with serverless for brand new workloads. With Amazon Redshift Serverless, the staff can keep away from sizing choices in the course of the migration interval. If utilization patterns later justify it, they’ll migrate to a provisioned cluster from a serverless snapshot with minimal downtime.
Interact with AWS. As an early adopter of a brand new characteristic, Zynga maintained common contact with the Amazon Redshift staff by way of their AWS Technical Account Supervisor to report points and request enhancements.
Conclusion
Zynga’s adoption of Amazon Redshift federated permissions demonstrates how organizations with multi-cluster Amazon Redshift architectures can implement centralized knowledge governance with out constructing customized synchronization infrastructure. By combining federated permissions with IAM Identification Heart and Amazon Redshift Serverless, the staff established a sample that scales to further studios whereas sustaining constant entry controls and decreasing operational overhead.
To be taught extra concerning the companies used on this submit, see the next sources:
