
PATTERN Cited by 1 source

Project-scoped identity for workloads

Problem

Scheduled workloads (ETL pipelines, data movement jobs, ML training) need an identity to be authorized against data and services. The naive approach runs the job as the authoring engineer's identity (the on-behalf-of, or OBO, pattern). That is fragile: when the engineer changes teams or leaves, every workflow tied to their credentials breaks. Repairing it means swapping in a colleague's identity, which surfaces cascading missing grants, one at a time, as each job fails ("permissions whack-a-mole").

Solution

Replace user-tied OBO credentials with a durable, team-owned, synthetic identity scoped to a logical project:

  1. Provision a non-human application identity for the project, owned by the team rather than by any individual.
  2. Register the workflow orchestrator as a Trusted Workload Manager, the only principal authorized to mint tokens against this identity.
  3. Before executing any workflow under the project identity, the orchestrator checks that the caller has project-level access. This check is what keeps the orchestrator from acting as a confused deputy for anyone who can submit a workflow.
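The three steps above, modelled end to end as an added example in Python. This is illustrative code, not Netflix's Maestro or Data Projects implementation: the project registry, the membership sets, the `maestro-example` manager name, the HMAC-signed token format and the audit log are all constructed for the example. It shows the token issuer refusing any caller that is not a registered Trusted Workload Manager, the orchestrator refusing a user without project access, and a scheduled workflow continuing to run as the project identity after the engineer who registered it has left.

```python
import base64
import copy
import hashlib
import hmac
import json

# Constructed project registry: each logical project owns one synthetic,
# non-human identity (step 1) and a set of humans with project-level access.
# A real deployment would back this with the identity provider / group system.
PROJECTS = {
    "ads-etl": {"identity": "svc-ads-etl", "members": {"alice", "bob"}},
    "ml-training": {"identity": "svc-ml-training", "members": {"carol"}},
}

# Hypothetical allow-list of orchestrators permitted to mint tokens against
# project identities: the Trusted Workload Manager role (step 2).
TRUSTED_WORKLOAD_MANAGERS = {"maestro-example"}

# Constructed HMAC key shared by the token issuer and the services that verify
# tokens. The token format below is illustrative, not a real standard.
SIGNING_KEY = b"example-only-key-do-not-reuse"


class AuthorizationError(Exception):
    pass


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def mint_project_token(manager, projects, project, now, ttl_s=900):
    """Identity-service side: issue a short-lived token whose subject is the
    project's synthetic identity. Refused unless the caller is a registered
    Trusted Workload Manager."""
    if manager not in TRUSTED_WORKLOAD_MANAGERS:
        raise AuthorizationError(f"{manager!r} is not a trusted workload manager")
    if project not in projects:
        raise AuthorizationError(f"unknown project {project!r}")
    claims = {
        "sub": projects[project]["identity"],  # the workload runs as this
        "project": project,
        "act": manager,                        # who minted it, for the audit trail
        "exp": int(now) + ttl_s,
    }
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def verify_project_token(token, now):
    """Resource side: check signature and expiry, return the claims."""
    body, sig = token.split(".")
    expected = _b64(hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise AuthorizationError("bad token signature")
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    if claims["exp"] <= now:
        raise AuthorizationError("token expired")
    return claims


class WorkloadManager:
    """Orchestrator side. Registering a workflow is gated on the caller's
    project access (step 3); scheduled runs then use the project identity
    rather than the registering user's, so they survive personnel changes."""

    def __init__(self, name, projects):
        self.name = name
        self.projects = projects
        self.workflows = {}  # workflow_id -> project
        self.audit = []      # constructed audit log: (event, workflow, project, principal)

    def register_workflow(self, caller, project, workflow_id):
        members = self.projects.get(project, {}).get("members", set())
        if caller not in members:
            # Without this check the orchestrator is a confused deputy: anyone
            # able to submit a workflow could run code as any project identity.
            raise AuthorizationError(f"{caller!r} lacks access to project {project!r}")
        self.workflows[workflow_id] = project
        self.audit.append(("register", workflow_id, project, caller))

    def run_workflow(self, workflow_id, now):
        project = self.workflows[workflow_id]
        token = mint_project_token(self.name, self.projects, project, now)
        claims = verify_project_token(token, now)  # what a data service would see
        self.audit.append(("run", workflow_id, project, claims["sub"]))
        return claims


def demo():
    """Walk through the pattern on a private copy of the registry."""
    projects = copy.deepcopy(PROJECTS)
    now = 1_700_000_000.0
    wm = WorkloadManager("maestro-example", projects)
    wm.register_workflow("alice", "ads-etl", "nightly-load")
    first = wm.run_workflow("nightly-load", now)["sub"]
    # carol has no access to ads-etl: the orchestrator refuses to run anything
    # under that project's identity on her behalf.
    try:
        wm.register_workflow("carol", "ads-etl", "rogue-job")
        rejected = False
    except AuthorizationError:
        rejected = True
    # alice leaves the team; the scheduled workflow keeps running as svc-ads-etl
    # because nothing about it was ever tied to her credentials.
    projects["ads-etl"]["members"].discard("alice")
    later = wm.run_workflow("nightly-load", now + 86_400)["sub"]
    return {"subject": first, "rogue_rejected": rejected,
            "after_departure": later, "audit_events": len(wm.audit)}


if __name__ == "__main__":
    print(demo())
```

The design point is where the two checks sit: the token issuer trusts only the registered workload manager, and the workload manager, not the issuer, decides whether a particular human may attach work to a project. Dropping either check collapses the pattern, the first by letting any process mint project tokens, the second by turning the orchestrator into a deputy that launders anyone's request into the project identity.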

Consequences

  • Positive: Workflows survive personnel changes; actions are auditable at the project level, since the audit trail names the project identity rather than whichever engineer happened to schedule the job; secrets are scoped to project policies instead of to individuals.
  • Negative: Migrating an existing user-tied workflow requires the project identity's grants to be set up and verified before the swap, or the same whack-a-mole recurs under a new name; project identities proliferate and need governance (ownership, lifecycle, review); and the Trusted Workload Manager becomes a high-value deputy, so the access check in step 3 must be enforced consistently and its decisions logged.

Canonical implementation

Netflix's systems/netflix-data-projects with systems/netflix-maestro as the Trusted Workload Manager (Source: sources/2026-06-19-netflix-data-projects-managing-data-assets-at-netflix-scale).

Seen in
