Google Cloud IAM for AWS users
GCP group product manager
Many businesses want to use multiple cloud providers as part of their IT strategy. This allows them to leverage unique services from different cloud vendors and protect app availability in disaster and recovery scenarios. However, running across multiple providers requires more sophisticated planning and management, for example, managing the different Identity and Access Management (IAM) policies from their providers. Setting the right IAM policies is key to securing your resources and data on the different platforms.
If you have experience with Amazon Web Services (AWS) IAM, we recently published a guide on how to think about IAM policies on Google Cloud Platform (GCP). The two platforms offer different frameworks for resources and policies. It’s important to understand these concepts during planning, as it may not be possible to translate directly from a feature in one service to a feature in the other.
One key concept in Google Cloud IAM is policy inheritance. GCP resources can be organized into hierarchies with projects, folders and organizations. Policies are inherited down the hierarchy. For example, if you're granted the “log viewer” role in an organization, you'll automatically be able to read logs in projects and resources created under that organization. When using GCP IAM, you'll want to leverage this capability by planning the hierarchies you create to map to your company and team structures. This will allow for simpler policy management.
AWS policies used to be managed at the granularity of individual resources. Recently with the addition of AWS Organization, you can start to apply the same hierarchical model to AWS resources as well. A remaining difference is the concept of a GCP Project, which is a resource encapsulation that creates a trust boundary for a team, an app or a development environment.
Another difference with AWS is how GCP uses IAM roles to provide groups of permissions that map to meaningful aspects of people’s job functions. These roles allow you to grant the same access to different resources without having to list all the permissions every time, which makes your policies simpler to read and understand. GCP provides many pre-defined roles and will soon support custom roles.
The guide discusses these concepts in detail, and also compares GCP and AWS IAM capabilities in other areas, such as identity management and automation. We hope it helps you manage policies and permissions across multiple providers.