
Having previously used AWS, I would also say that GCP IAM is much better.

Yes, it's a lot less flexible than AWS IAM, but complicated IAM policies with conditions and stuff can be really hard to reason about.

Disclosure: my thoughts are my own.




The best way to use AWS IAM policies is to not use them at all.

AWS allows you to use multiple accounts easily, and accounts are (by default) completely isolated from each other. That's actually how services work internally at AWS; it's not uncommon for a service to have hundreds of AWS accounts (one for each region multiplied by the number of environments).

It's not so easy with GCP.


That is insane. AWS has more complicated policies, GCP literally lacks the ability to even have an easy security posture in many cases.


That's quite the claim, can you provide an example?

GCP is permissive out of the box and things like the Compute Engine service account having the basic Editor role by default is a bit of a footgun, but they're trivially turned off.
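The Editor-role footgun mentioned above is easy to audit for. The following is an added example (not code from any commenter): it scans a project IAM policy, in the JSON shape returned by `gcloud projects get-iam-policy PROJECT --format=json`, for bindings that give a default service account one of the basic roles. The sample policy and project number are constructed; the org policy constraint `iam.automaticIamGrantsForDefaultServiceAccounts` named in the comments is the switch that stops the grant from being made in new projects.

```python
import re

# Basic (primitive) roles that grant broad, project-wide access.
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}

# Well-known email patterns of the service accounts GCP creates by default:
# the Compute Engine default SA and the App Engine default SA.
DEFAULT_SA_PATTERNS = [
    re.compile(r"^serviceAccount:\d+-compute@developer\.gserviceaccount\.com$"),
    re.compile(r"^serviceAccount:[a-z][a-z0-9-]*@appspot\.gserviceaccount\.com$"),
]


def is_default_service_account(member: str) -> bool:
    """True if an IAM member string names one of the default service accounts."""
    return any(p.match(member) for p in DEFAULT_SA_PATTERNS)


def find_default_sa_basic_role_bindings(policy: dict) -> list[tuple[str, str]]:
    """Return (role, member) pairs where a default SA holds a basic role."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        if role not in BASIC_ROLES:
            continue
        for member in binding.get("members", []):
            if is_default_service_account(member):
                findings.append((role, member))
    return findings


# Constructed sample policy (project number 123456789012 is made up). The
# logWriter binding is fine-grained and should not be flagged; the Editor
# binding on the Compute default SA is the footgun from the comment above.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/editor",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com",
                     "user:alice@example.com"]},
        {"role": "roles/logging.logWriter",
         "members": ["serviceAccount:123456789012-compute@developer.gserviceaccount.com"]},
    ]
}

if __name__ == "__main__":
    for role, member in find_default_sa_basic_role_bindings(SAMPLE_POLICY):
        print(f"FINDING: {member} holds basic role {role}")
    # Remediation: drop the binding (gcloud projects remove-iam-policy-binding)
    # and set iam.automaticIamGrantsForDefaultServiceAccounts at the org level.
```

A real run would load the policy with `json.load` from the `gcloud` output instead of the constructed dict; the matching logic is unchanged.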


I'm afraid it's something I need to agree with.

So many areas where resource-based conditions just do not work with particular GCP product offerings and you're forced to give out much broader access than you should be giving out. It's half-arsed and prevents you from implementing PoLP.

AWS has a steeper learning curve here, but I've never been unable to constrain down e.g. access to an SNS topic in the way I want to.


Feel like AWS is the opposite. It’s often a pain to go as granular as you can go.


In GCP there are many tier-1 services where that is not even possible. It's also definitely gotten way easier to do this using IaC etc.


I second that. AWS is insanely granular.



