[candiddevmike]

In AWS, everything is in one place and uses a fairly expressive policy syntax. For GCP, you have " global IAM" in one place, contextual IAM in another (VPC-SC), per-resource IAM under the resource (GCS buckets), roles in another spot that require using the most sluggish docs website in the world to decode, and user/group management in an entirely separate app (cloud identity/workspace).

How is GCP much better? FWIW I use/evangelize GCP everyday. Their IAM setup is just very naive and seems like it has had things bolted on as an afterthought. AWS is much more well designed and future proof.

[trallnag]

It's not as clean in AWS as you make it out to be. Service control policies, resources policies in services like S3 and SNS...

[arccy]

GCP's resource based hierarchy means it's much easier to locate where a permission comes from, it's either global, or attached to the resource in question. Most people probably shouldn't ever need to know about VPC-SC.

AWS IAM is a ball of mud, attach any policy at any one of the possible attachment points, good luck figuring out where you managed to gain permission to do X. And the constant emails for "ACTION REQUIRED: we changed some managed IAM permission and your workflows will break", whether you actually use that role, they can't even tell, so all you can do is complain to your emotional support TAM in the weekly call.

AWS's IAM conditions are also annoying dynamically typed, sure it's more powerful, but imo that's just more string to hang yourself with. the use of "*" in so many rules is just a recipe for disaster.