Interesting. It seems that Google IAM is very similar to AWS IAM yet very different in one aspect. In AWS, you can define exactly what subset of APIs/resources are accessible to a role, which is very flexible, but also can be very confusing. It seems Google has taken the approach of pre-defining sensible roles.
This is very recent though, and not considered Generally Available yet across the platform (meaning fully hardened, supported, and backed by an SLA).
Take another look!
Disclosure: I work on Compute Engine.