The way they describe tying SSH keys to IAM roles very closely matches the SSH key management that GCE had when it launched back in 2012.