IAM Roles - GCP vs AWS

An engineer is trying to figure out how cloud computing works

Play this article

Both GCP and AWS incorporate the concept of the IAM Role; however, they define the term differently. Let's delve into their respective definitions.

GCP definition

A role is a collection of permissions. Permissions determine what operations are allowed on a resource. When you grant a role to a principal, you grant all the permissions that the role contains.

An allow policy with two role bindings. The role bindings
associate specific members with specific roles.

It means that Roles do not know about principals (aka end users, service accounts, etc)

To assign (or bind) one or multiple principals to individual roles, we need to use allow policy

AWS definition

An IAM role is an IAM identity that you can create in your account that has specific permissions. An IAM role is similar to an IAM user, in that it is an AWS identity with permission policies that determine what the identity can and cannot do in AWS. However, instead of being uniquely associated with one person, a role is intended to be assumable by anyone who needs it

In AWS, on the other way around, IAM roles similar to IAM identity. However, there is a concept that is similar to GCP's role:

IAM policies define permissions for an action regardless of the method that you use to perform the operation.

And we can manage access in AWS by creating policies and attaching them to IAM identities

To conclude, for newcomers transitioning between GCP and AWS, it is important to tread carefully due to the potential confusion that may arise from variances in IAM role concepts.