Permissions in GCP seem like a mess, I’m trying to use python to get credentials and there is a whole python library for authentication and getting credentials (google-auth).
There’s also not a uniform page for every service where I can go understand authentication/permissions.
They do have a ton of docs, but it's kind of like a document dump.
Sorry for the rant! I want to know if it’s just me and whether I’m missing something!
* High-availability HSM KMS: trivial in GCP, super difficult in AWS.
* Object storage (GCS/S3): multi-region is trivial in GCP, somewhat harder in AWS. Archival is so much simpler in GCS than S3 Glacier.
* IAM: makes sense to me in GCP and is consistent across products, AWS policy editor has poor usability and feels inconsistent between products.
* Having per-region pages in the AWS console is a pain, easy to lose stuff. GCP is one global interface.
* Cloud functions/Lambda: CF Just Works with native dependencies. Lambda is painful in that regard.
GCP's auth lib is confusing though, I agree with you there. We stopped using it and all of their client libs a few years ago and wrote our own. However, that they force you to use service accounts is an excellent security decision.
Identity and authentication is honestly the one area where the popular cloud platforms differ the most. I used to work for AWS and currently work for Azure, and the switch from IAM to AAD caused more cognitive dissonance than any other difference between the platforms' respective offerings.
I feel you, but I gotta agree with the other commenters that it's really just about time and experience. Anyone long-experienced on one public cloud will really struggle switching clouds. Your experience is low but your expectations are high. You're not just poking into a dashboard trying to spin up a single VM, you want to do all the stuff you're used to doing on AWS.
While IAM does feel easy once you know it, as someone who's run hackathons and bootcamps I can say it's not easy for everyone to just pick up. It's as complicated as it needs to be, but yeah it can be a steep learning curve.
I think Google has a culture of "we hire the best and brightest so we can afford to squander 70% of their IQ with unnecessary complexity" which contrasts to, say, Facebook wanting new hires to be able to commit a change and get it into production on the first day.
GCP is easier to start with for me, but becomes annoying because it's missing things that I can do in aws.
For example, Cloud Run can't run Docker containers that don't listen on a port. Just run it once and shut down, like Fargate does in AWS.
They want people to use kubernetes which is more complex and has features a lot of people don't need ever. Fargate is simple and just works.
So I prefer AWS for reasons like that but I think GCP is easier to understand.
GCP is wonderful compared to AWS. It took me a week to sign up for AWS, including writing an issue and a phone call. It took other colleagues some hacky ways to start to use it, even at the sign-up phase.
Doing something on GCP is pretty straightforward. Creating VMs, Kubernetes clusters, etc. I've had non technical people do it successfully on their own. Live. While observed and under pressure.
AWS? Good lord. That's what I will say about it as I'd rather say good things about a good service than bad things about another.
I think it's mostly this. IAM in AWS isn't exactly a walk in the park, especially when you start getting into granting only explicitly needed permissions. There aren't great systems for doing that (that I know). Lots of stuff that half works and you sort of have to know how to glue the rest together yourself.
I think GCP's permissions are essentially the same way but GCP is also less popular. So you have even less tooling and documentation.
Personally, I've found AWS SDKs to be easier to work with (especially auth), although I've used them more so there's probably some bias.
GCP relies heavily on OAuth, but it can be a bit clunky for human access (basically requiring browser auth).
Just remember to create a project (or put that one in a folder) for anything that must be billed together or when you have several projects that must inherit permissions or restrictions.
Remember that some resources are global (like projects), and others are regional.
Authorization can be a bit tricky, though: they are deprecating old authorization roles (administrator, viewer, etc.) to make it more granular. Sometimes that is good.
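As an added illustration of the inheritance the comment above refers to (not code from the thread), here is a small model of GCP IAM allow-policy inheritance: a binding set on an organization or folder applies to every project beneath it, and the effective permission set at a project is the union of bindings down the chain, so a project can only add grants, never subtract inherited ones. The role-to-permission mappings, resource names and members are constructed; deny policies and IAM Conditions are deliberately left out.

```python
"""Simplified model of GCP IAM allow-policy inheritance (constructed example).

Effective roles on a resource = roles bound on the resource itself plus roles
bound on every ancestor (organization -> folder -> project). Allow policies are
purely additive. Deny policies and IAM Conditions are ignored here.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed, abbreviated role -> permission mapping (real roles carry far more).
ROLES: Dict[str, Set[str]] = {
    "roles/viewer": {"storage.objects.get", "compute.instances.get"},
    "roles/storage.objectAdmin": {"storage.objects.get", "storage.objects.create",
                                  "storage.objects.delete"},
    "roles/compute.instanceAdmin.v1": {"compute.instances.get", "compute.instances.create",
                                       "compute.instances.delete"},
}

@dataclass
class Resource:
    name: str
    parent: Optional["Resource"] = None
    bindings: Dict[str, Set[str]] = field(default_factory=dict)  # role -> members

    def ancestry(self):
        """Yield this resource, then each ancestor up to the organization."""
        node = self
        while node is not None:
            yield node
            node = node.parent

def effective_roles(resource: Resource, member: str) -> Set[str]:
    """Roles granted to member directly on resource or on any ancestor."""
    return {role for node in resource.ancestry()
            for role, members in node.bindings.items() if member in members}

def effective_permissions(resource: Resource, member: str) -> Set[str]:
    perms: Set[str] = set()
    for role in effective_roles(resource, member):
        perms |= ROLES.get(role, set())
    return perms

def has_permission(resource: Resource, member: str, permission: str) -> bool:
    return permission in effective_permissions(resource, member)

def build_hierarchy() -> Dict[str, Resource]:
    """Org -> folder 'prod' -> two projects; all ids are placeholders."""
    org = Resource("organizations/EXAMPLE-ORG-ID")
    org.bindings["roles/viewer"] = {"group:auditors@example.com"}        # read everywhere
    folder = Resource("folders/prod", parent=org)
    folder.bindings["roles/storage.objectAdmin"] = {"serviceAccount:etl@example.iam"}
    proj_a = Resource("projects/prod-a", parent=folder)
    proj_b = Resource("projects/prod-b", parent=folder)
    proj_b.bindings["roles/compute.instanceAdmin.v1"] = {"user:alice@example.com"}
    return {"org": org, "folder": folder, "a": proj_a, "b": proj_b}
```

Walking the hierarchy this way is also how you audit who can reach a project: a member absent from the project's own policy may still be granted access several levels up.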
For my own use, I massively prefer GCP, with an admittedly small monthly spend.
I worked at Google as a contractor and really loved their environment for internal developers and using GCP has a little of that “flavor.”