by reilly3000 1322 days ago
Everything in GCP is built atop the Google Auth system and tied to a GSuite domain. Its Org->Folder->Project hierarchy is very similar to AWS Orgs. However, it’s far easier from there. IAM is tied to your gsuite email, and service accounts are also email addresses. One never needs to log in with different creds to access another project. You just use your Google login or activate a service account. Projects are a really flexible abstraction. My company has one for every stage for every team plus specialized projects for net/VPC, GCR, logs, etc., hundreds in total. We’re about halfway through the F500 list. Projects are a nice abstraction and getting the setup OP described is a lot more idiomatic to GCP.
3 comments

There is a lot you cannot do, or are forced to do in specific ways. A shit-ton of GCP features require project-level access, and often it's impossible to make permissions more fine-grained. For other things, you have to modify or apply a policy at the Org level. It's really broken. You basically have to abandon GCP features if you want strong isolation guarantees for most of their features. AWS is not even close to as braindead with their design.
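The two comments above disagree about how coarse project-level IAM in GCP is. An added example (not from any commenter) of the check a defender would run on a project's IAM policy, in the JSON shape that `gcloud projects get-iam-policy --format=json` returns: it flags basic (owner/editor/viewer) roles granted project-wide, public principals, and service accounts holding basic roles. The policy, principals and project name are constructed for illustration.

```python
"""Audit a GCP project IAM policy for bindings that undermine
project-level isolation. The policy below is a constructed sample."""
import json

# Basic (formerly "primitive") roles grant sweeping, project-wide access.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
# Special principals that make a resource reachable by everyone.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

SAMPLE_POLICY = json.dumps({  # constructed example, not a real project
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example.com"]},
        {"role": "roles/editor", "members": [
            "serviceAccount:ci@example-proj.iam.gserviceaccount.com",
            "group:devs@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/logging.viewer", "members": ["user:bob@example.com"]},
    ],
    "etag": "BwXyZ=",
    "version": 1,
})


def member_kind(member: str) -> str:
    """'user:a@x' -> 'user'; bare 'allUsers' carries no prefix."""
    return member.split(":", 1)[0] if ":" in member else member


def audit_policy(policy_json: str) -> dict:
    """Return the bindings a reviewer would want to see before relying
    on a project as an isolation boundary."""
    policy = json.loads(policy_json)
    findings = {"basic_role_grants": [], "public_grants": [],
                "service_accounts_with_basic_roles": []}
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member in PUBLIC_MEMBERS:
                findings["public_grants"].append((role, member))
            if role in BASIC_ROLES:
                findings["basic_role_grants"].append((role, member))
                if member_kind(member) == "serviceAccount":
                    findings["service_accounts_with_basic_roles"].append(member)
    return findings


if __name__ == "__main__":
    for name, items in audit_policy(SAMPLE_POLICY).items():
        print(name, items)
```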
> One never needs to log in with different creds to access another project. You just use your Google login or activate a service account.

It's the same in AWS with AWS SSO/IAM Center. You only log in once, and you can access every other account (project) you're allowed to access.

But you need to keep going back to the SSO console to switch accounts because only one can be active at once. With GCP you can have multiple tabs open with different accounts.

The best part is that the account is in the URL so you can just link to specific resources in different accounts. So many of our runbooks for GCP are like "click this link" whereas for AWS it is "make sure you are logged into {specific-account} then click this link". The latter is much more error prone and can break your workflow if you were doing something in a different account previously.

This* is a feature, not a bug for me – I use separate profiles in Chrome or Container Tabs in Firefox!

Edit: I realized you are talking about switching accounts twitter style. I don't mess with that - I use a separate Chrome profile. Also you are arguing for GCP, I thought you were arguing against it.

* Having separate accounts, not being able to have separate accounts - I know it's possible with AWS as AWS doesn't force you to use a single account.

All rings true to me.