Zynga Enhances Data Governance with Amazon Redshift Federated Permissions

Zynga, a prominent player in interactive entertainment, manages a diverse portfolio of mobile game studios, including Socialpoint, known for titles like Dragon City and Monster Legends. To support its analytics platform, Zynga relies on Amazon Redshift as its primary data warehouse, processing telemetry and revenue data across its studios.

As Zynga's analytics architecture evolved to accommodate individual studios with distinct compute environments, the organization encountered a significant challenge: it needed to maintain centralized data governance while allowing studios to operate independently with their own query capacity. The previous permission management system was proving inadequate, leading to delays and necessitating custom infrastructure for scaling across multiple warehouses.

Adopting Federated Permissions

Zynga turned to Amazon Redshift federated permissions and AWS IAM Identity Center to establish a robust framework for consistent, tiered data access across both provisioned and serverless Redshift environments. This approach eliminated the need for custom synchronization pipelines.

To facilitate the integration of Socialpoint's Amazon Redshift workloads, Zynga's existing production cluster would house Socialpoint's raw data, while compute resources would be drawn from a separate warehouse designated as a consumer. The challenge was to enforce Zynga's data access control policies uniformly across all warehouses without experiencing permission lag or requiring manual synchronization.

Implementation Strategy

During the migration, Socialpoint's existing extract, transform, and load (ETL) processes were incorporated into Zynga's central ETLs, replacing their previous data ingestion pipeline with Zynga's advanced infrastructure. The migration was planned in stages, necessitating a gradual increase in Amazon Redshift sizing.

To address the permission management challenge, Zynga employed a dual-grant strategy, where permissions are assigned to both an IAM Identity Center group (for users) and a federated IAM role (for service accounts). This ensures that both authentication pathways receive the same access rights.

Streamlined User Management

Zynga's existing Okta directory is synchronized with IAM Identity Center, which connects to the Amazon Redshift Serverless workgroup. When users authenticate, Amazon Redshift automatically creates a user linked to their email and assigns roles based on their Okta group memberships. For instance, an analyst in the Gamma Tier group is automatically assigned the AWSIDC:role.sso.gamma role in Amazon Redshift without any manual intervention.

Service accounts authenticate differently, either through their IAM role and the get-credentials API or by utilizing the new federated permissions feature. Each service account assumes a federated IAM role, which corresponds to a federated user in Amazon Redshift.

Maintaining Compatibility

To ensure seamless access during the transition, Zynga implemented a tri-grant approach on the producer cluster, modifying existing stored procedures to grant permissions to three targets: the legacy local role, the IAM Identity Center group, and the federated IAM role. This strategy maintained backward compatibility for current users while enabling immediate access for the new serverless workgroup.
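A grant strategy with two or three targets only holds if every target really carries the same privileges on every object, so the dual-grant and tri-grant approaches described above call for a parity check. The following is an added example, not Zynga's or AWS's code; the legacy role name, the federated IAM role name, the table names and the grant rows are all constructed assumptions, and only `AWSIDC:role.sso.gamma` comes from the page.

```python
from collections import defaultdict

# Hypothetical identity names; only AWSIDC:role.sso.gamma appears on the page.
TIERS = {"gamma": {
    "legacy": "gamma_local",            # assumed legacy local role
    "idc": "AWSIDC:role.sso.gamma",     # Identity Center group role (from the page)
    "federated": "IAMR:svc-gamma-etl",  # assumed federated IAM role user
}}

# Constructed grant rows: (schema, relation, privilege, grantee).
GRANTS = [
    ("socialpoint", "telemetry_events", "SELECT", "gamma_local"),
    ("socialpoint", "telemetry_events", "SELECT", "AWSIDC:role.sso.gamma"),
    ("socialpoint", "telemetry_events", "SELECT", "IAMR:svc-gamma-etl"),
    ("socialpoint", "revenue_daily", "SELECT", "gamma_local"),
    ("socialpoint", "revenue_daily", "SELECT", "AWSIDC:role.sso.gamma"),
    ("socialpoint", "dragon_city_sessions", "SELECT", "gamma_local"),
    ("socialpoint", "dragon_city_sessions", "SELECT", "AWSIDC:role.sso.gamma"),
    ("socialpoint", "dragon_city_sessions", "SELECT", "IAMR:svc-gamma-etl"),
    ("socialpoint", "dragon_city_sessions", "INSERT", "IAMR:svc-gamma-etl"),
]

def audit_parity(grants, tiers):
    """Return (tier, relation, target, missing_privs) where targets have drifted."""
    by_obj = defaultdict(lambda: defaultdict(set))
    for schema, rel, priv, grantee in grants:
        by_obj[(schema, rel)][grantee].add(priv.upper())
    findings = []
    for tier, targets in sorted(tiers.items()):
        for obj, per_grantee in sorted(by_obj.items()):
            held = {kind: per_grantee.get(name, set())
                    for kind, name in targets.items()}
            if not any(held.values()):
                continue  # relation is not governed by this tier
            # A privilege held by any one target is expected on all of them:
            # a gap is either missing access or an over-grant on one path.
            expected = set().union(*held.values())
            for kind, privs in sorted(held.items()):
                missing = expected - privs
                if missing:
                    findings.append((tier, ".".join(obj), kind,
                                     tuple(sorted(missing))))
    return findings

if __name__ == "__main__":
    for finding in audit_parity(GRANTS, TIERS):
        print(finding)
```

A finding against the `federated` target means a service account lacks access that users have, while findings against `idc` and `legacy` for the same privilege point at a grant made on one path only, which should be reviewed as a possible over-grant.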

Results and Observations

Following the adoption of federated permissions shortly after its launch in January 2026, Zynga reported significant improvements. The integration of federated permissions with IAM Identity Center and Amazon Redshift Serverless created a scalable pattern that upholds consistent access controls while minimizing operational overhead.

This implementation illustrates how organizations with multi-cluster Amazon Redshift architectures can enforce centralized data governance effectively without the complexities of custom synchronization infrastructure.

This editorial summary reflects AWS and other public reporting on Zynga Enhances Data Governance with Amazon Redshift Federated Permissions.

Reviewed by WTGuru editorial team.