CONCEPT Cited by 1 source
Identity umbrella¶
An identity umbrella is a composite identity provisioned for a logical unit (e.g., a project) that spans multiple identity domains, enabling workloads to authenticate and authorize across different systems with a single logical owner.
Canonical example¶
At Netflix, each Data Project is provisioned with:
- A Netflix application identity — used for internal authorization checks (table ACLs, Netflix resource policies).
- An optional AWS IAM role — used for AWS-specific compute (e.g., Spark on Amazon EMR).
The IAM role can be exchanged for the Netflix identity in a cryptographically secure way, meaning a single workflow execution can be checked against table ACLs in the Secure Data Warehouse, authorization policies for Netflix resources, and IAM policies for AWS — all in one run (Source: sources/2026-06-19-netflix-data-projects-managing-data-assets-at-netflix-scale).
Design considerations¶
- Single logical owner, multiple credential types — avoids maintaining separate permission sets per identity domain.
- Cryptographic exchange — the cross-domain bridge must be secure; token exchange rather than shared secrets.
- Assumability — privileged members can assume the project identity for testing, running commands exactly as the scheduled workload would.