When we first launched on GCP, there was no question that it was the way to go (frankly, because of BigQuery). Working with AWS, when we launched, was going to cost us significantly more up-front, before we had even brought on our first customer.
Fast forward 5 years... AWS has closed the gap in every way that matters. I still, frankly, trust Google's Security more than Amazon's, but I don't encourage folks to use GCP the way that I used to.
Just the opposite. In 2021, no questions asked, it's either AWS for general compute, or something more targeted if your business doesn't need it.
Until you get to the point where your bill is larger than a dozen engineering salaries, you won't get any respect from these people.
> I still, frankly, trust Google's Security more than Amazon's
If you have the time, could you expand on this? While I'm not directly involved in security at AWS, I'd be down to forward your thoughts to people who do.
I used to work at Google on Cloud, and am now an AWS customer. Have used both clouds extensively.
My comments are mostly backed up by my experience at startups and are not colored by my experience at Google (too different a beast).
GCP is great for teams that are also using GSuite because you can set permissions at the level of a Google Group and have them propagate to individual members. You can, of course, also create groups in AWS but they don't have the same semantics of Google Groups and don't cover the wide range of use cases that Google Groups does.
The AWS scopes -> policies -> roles -> resources chain of abstractions is less natural conceptually than GCP's GSuite accounts + service accounts with attached scopes per project.
Also the fact that each managed service (GCE, GKE, Cloud Builder) has its own service account that you can attach scopes to is really nice. GCP service accounts just feel more discoverable than AWS IAM roles - I think it's because the number of AWS pre-built roles is so overwhelming.
I think all of these replies so far capture my thinking. However, I think the simplicity of the GCP IAM model is what I will miss most going back to AWS.
I’m sure they exist, but over the last dozen or so years I’ve worked with public cloud offerings across 5 or 6 industries and domains, I haven’t found a use case that can’t be easily implemented in the simpler GCP model.
Gone deep on IAM in AWS, attempted a similar thing on GCP later for another project, was very surprised how weak GCP IAM was.
Top of mind things I found weak/weird:
- Basically can’t do least privilege. Only want a role to read messages from one pubsub queue? Nope, not possible.
- IAM policies seem bolted on; legacy roles seem a much better fit in the ecosystem, but they suck obvs.
- Different GCP resources have anywhere from very coarse-grained to just acceptable IAM operations. Might just be GCS that lets you do proper least-privilege policies like you would do in AWS.
I was very surprised how bad it was. AWS IAM is some black magic shit that is deeply impressive and often taken for granted, which even GCP can’t replicate.
One thing that GCP is far better at is account setup. Having everything nested under a single gsuite organization with folders and projects and IAM flowing through is incredibly easy to work with and makes permissions simpler to understand. AWS has a long way to go in this regard.
I came from an AWS background to my current company's GCP setup and was very confused at how IAM worked on GCP for a long time. Now that I know the system, though, I agree with you. It really makes a ton of sense and works really well.
The biggest problem I have with GCP is that something will say "you need the foo.bar.baz permission", and when I go to the IAM page to give that to myself... there is nothing in the search results for "foo", "bar", or "baz". Instead, I have to guess the "friendly name" for the permission.
I can totally relate. The number of times I've spent scouring the docs for the "machine name" to put into Terraform, or vice versa, to do it through the UI...
I disagree. Once you learn IAM and are able to segregate users into groups, each with its own layer of security, then it is good enough.
Often the UI and docs make it seem like everything is all over the place, but AWS feels like Lego with some pieces tucked away. That is where I think AWS can be improved upon, with a better documentation UI and discoverability.
I do have to commend Google on Flutter + Firebase + Firebase Functions. I think if Amplify focused on serving Flutter users more it could pull me away from Google altogether.
Unfortunately, Google has done a fantastic job with making Flutter integrate with Firebase through Android Studio and there really is no product from AWS that matches its developer friendliness and low learning curve. This makes it very easy to switch.
I guess it is somewhat of a threat because the Firebase Cloud Functions also offer something of a counter to AWS Lambda as much as I love using it with API Gateway.
IAM shouldn't be a thing to learn. It's account management, default and easy to access options should be sane enough for most people to use. At big companies, sure someone has it as a dedicated part of their job description. But if you're in the majority of smaller companies, ones maybe that's just doing e-commerce and tech isn't their core skill set, account settings should be near invisible and still be trustworthy. It's not the Slacks of the world that have an issue with this, but the long tail of the world we now live in that software has eaten and companies are just scrambling to exist in it. Flutter integration is not in the list of concerns of this long tail.
And telling them to "just learn it" isn't the customer focused mindset, it's the engineering one.
I created all of the IAM roles that our 100+ person company uses. It was and is important from a security standpoint that we do not just blindly give too many permissions to employees. I had to do some research to understand what the bare minimum was and it wasn't too difficult to do.
Custom roles created through Terraform helped a lot.
It absolutely is required beyond small 3-person startups. Google is great to get started, but when you are dealing with a dozen or more developers, especially at large organizations, IAM offers that granular control and overview.
Yes, it's a bit of a pain having to add policies sometimes when you are first getting started, but once it's up and running you can rest easy.
Learning it isn't that much more time consuming or difficult; it's just a bit of effort, that is all (we are talking a few hours at most).
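The "read from one queue" least-privilege case raised a few comments up, and the "bare minimum permissions" review the comment above describes, can both be checked mechanically. The following is an added example (editor's code, not from any commenter) that lints AWS IAM policy documents for wildcard actions, unscoped resources and NotAction/NotResource grants; the policies, account ID and queue name are constructed samples.

```python
import json
from typing import List

# Constructed sample policies (not from the thread). SCOPED_POLICY grants only
# receive/delete on one SQS queue; BROAD_POLICY is the "blindly give too many
# permissions" shape that a review should catch. Account ID is a placeholder.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["sqs:ReceiveMessage", "sqs:DeleteMessage"],
        "Resource": "arn:aws:sqs:us-east-1:123456789012:orders-queue",
    }],
})

BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sqs:*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": ["iam:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value) -> list:
    # IAM allows a bare string or a list for Action/Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def least_privilege_findings(policy_json: str) -> List[str]:
    """Return one finding per Allow statement element that is broader than an
    explicit action on a named resource. An empty list means the policy passes."""
    findings: List[str] = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not a least-privilege risk
        # NotAction/NotResource grant "everything except", which is the opposite of scoping.
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {i}: uses {key} (grants everything except)")
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {i}: resource '*' is not scoped to one resource")
    return findings
```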
What exactly are you disagreeing with? Segregating users into groups is possible with either platform.
The discussion is about GCP having much better functionality around it where projects and permissions are naturally integrated with gsuite organizations and users. This is objectively true. AWS has an archaic project system with a dozen different attempts at uniting it all but nothing comes close to GCP's smooth and easy manageability.
Thoughtful features like supporting UEFI Secure Boot with vTPM attestation. This allows building setups where even a full GCP account compromise can be mitigated.
Integration with our org GSuite (this alone is a massive plus).
> I still, frankly, trust Google's Security more than Amazon's, but I don't encourage folks to use GCP the way that I used to.
I trust virtually anyone's security over Google's. I've never had issues with AWS. I've consistently run into serious Google security failures. Google has airtight security for its own data, but not for its customers.
Examples range from Chromebook and Android security update policies (tons of expired machines on the public internet, in the case of Android, usually without people knowing), to pay-for-security on GSuite, to really difficult-to-audit Google Drive security (there's no convenient way to track and audit what was shared with whom or where data went), to just a ton of other things.
I've never seen Amazon be callous with my data. I've seen Google do things that even nineties "we don't need security" Microsoft wouldn't have imagined....
The only people I know who really trust Google security worked for or are close to people who worked at Google. There's a reality-distortion field based on how much Google invests in its own security that people fail to notice very basic failures, like millions of expired Android devices, or a lack of audit logs if someone physically accesses your machine to rifle through your gmail....