Where is the Calling Application?

Before we get to the details about programmatic identities in GCP vs. AWS, it is good to first ask the question - where will my app run? There are two options - WITHIN the cloud environment - or EXTERNAL to the cloud environment.

The AWS Approach - Running Applications OUTSIDE the EC2 environment

If your app runs outside AWS, the traditional answer is to define an IAM user in your AWS account and generate an access key for it (an access key ID plus a secret access key). Your external system then uses that key pair to sign its AWS API calls. Keep in mind what you have created: a long-lived credential that never expires on its own and works from anywhere, which is exactly why leaked access keys are such a common finding. Treat it like a password, keep the user's policy tight, and rotate the key. (AWS can also trade an external identity for temporary credentials through STS, but the IAM user access key is the baseline this post compares against.)

The AWS Approach - Running Applications INSIDE the EC2 environment

If your apps run natively on AWS infrastructure (EC2, Lambda, etc.), you define not an IAM user but an IAM Role. A role is similar to a user, but think 'short-term user': it is an identity that other identities assume for a limited time, and assuming it hands out temporary credentials (access key, secret key and a session token) that expire automatically. You attach the role to the workload, as an instance profile for EC2 or an execution role for Lambda, and the SDK picks up the temporary credentials by itself. No long-lived secret needs to be stored on the instance or in the function.

The GCP Approach - Running Applications OUTSIDE or WITHIN the Compute Engine environment

Google's approach is a little simpler, IMHO. The SAME approach works for both external access and native app access.

GCP defines a dedicated programmatic identity called a Service Account. A service account belongs to a project and can be used by an application running outside GCP, or attached to a Compute Engine instance so that code on that instance acts as it.

For a service account you can create key pairs (user-managed keys), and you can have several at once. Google keeps the public key; you download the private key, typically as a JSON key file. Authentication works much like any other public/private key scheme (think SSH keys for Linux instances): the client signs a short-lived JWT with the private key and exchanges it at Google's OAuth 2.0 token endpoint for an access token, which is then sent with API calls. The caveat mirrors the AWS access key: the downloaded private key is a long-lived secret. Anyone holding it is the service account until the key is deleted, so key files need the same protection, rotation and minimal permissions.
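To make the key-file mechanism concrete, here is an added example (not code from the original post) of what a client library does with a service-account key before it ever talks to Google: it builds the jwt-bearer assertion, signs it with the key file's private key, and the token endpoint verifies that signature with the public half Google kept. The service account email, the generated RSA key and the verification step standing in for the token endpoint are all constructed for this example; no network call is made.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"strings"
	"time"
)

// saKey holds the fields of a downloaded service-account key file that matter here.
type saKey struct {
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"` // PEM-encoded PKCS#8 RSA private key
	TokenURI    string `json:"token_uri"`
}

// jwtClaims is the claim set Google expects: iss = SA email, aud = token endpoint, exp <= iat + 1h.
type jwtClaims struct {
	Iss   string `json:"iss"`
	Scope string `json:"scope"`
	Aud   string `json:"aud"`
	Iat   int64  `json:"iat"`
	Exp   int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildAssertion signs the claim set with the key file's private key (RS256). The result
// is POSTed to token_uri as "assertion" with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer.
func buildAssertion(k saKey, scope string, now time.Time) (string, error) {
	block, _ := pem.Decode([]byte(k.PrivateKey))
	if block == nil {
		return "", fmt.Errorf("private_key is not PEM")
	}
	parsed, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	priv, ok := parsed.(*rsa.PrivateKey) // comma-ok: no panic if parsed is nil
	if err != nil || !ok {
		return "", fmt.Errorf("private_key is not a PKCS#8 RSA key: %v", err)
	}
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(jwtClaims{Iss: k.ClientEmail, Scope: scope, Aud: k.TokenURI,
		Iat: now.Unix(), Exp: now.Add(time.Hour).Unix()})
	signingInput := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64(sig), nil
}

// verifyAssertion does what Google's token endpoint does with the public half
// of the key pair: check the RS256 signature before trusting any claim.
func verifyAssertion(assertion string, pub *rsa.PublicKey) (jwtClaims, error) {
	var c jwtClaims
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return c, fmt.Errorf("malformed JWT")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return c, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return c, err // forged or tampered: reject before looking at claims
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1]) // covered by the signature
	return c, json.Unmarshal(raw, &c)
}

// newExampleKey generates a throwaway RSA key pair and wraps the private half
// the way a real key file would. Email and token_uri are constructed values.
func newExampleKey() (saKey, *rsa.PublicKey) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // cannot fail with crypto/rand
	der, _ := x509.MarshalPKCS8PrivateKey(priv)
	return saKey{
		ClientEmail: "my-app@example-project.iam.gserviceaccount.com",
		PrivateKey:  string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der})),
		TokenURI:    "https://oauth2.googleapis.com/token",
	}, &priv.PublicKey
}

func main() {
	k, pub := newExampleKey()
	assertion, err := buildAssertion(k, "https://www.googleapis.com/auth/cloud-platform", time.Now())
	if err != nil {
		panic(err)
	}
	claims, err := verifyAssertion(assertion, pub)
	fmt.Printf("claims=%+v verify=%v\n", claims, err)
}
```

The point worth noticing is that the only secret in play is the private key in the file: whoever can sign that claim set is, as far as Google is concerned, the service account, and the assertion's one-hour lifetime does nothing to limit how long a copied key file stays useful.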

Now, there is still a slight difference between those apps that run on GCP and those that run outside.

  • Though both use service accounts as programmatic identities, apps running natively on Compute Engine get a BUILT IN one: each project has a default Compute Engine service account, and an instance can be given that account (or any other) when it is created. Code on the instance asks the local metadata server for access tokens for the attached account, so no key file ever lands on the instance.
  • For external applications, you would typically DEFINE your own custom service account, dress it up with the appropriate permissions (roles) it needs to perform its tasks, and create a key for it. The same advice applies on Compute Engine: the default account's permissions are broad (historically the project Editor role), so a dedicated service account carrying only the roles the workload needs is the better choice.
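The built-in path looks very different from the key-file path in code. The following is an added example (not from the original post) of how an app on a Compute Engine instance obtains a token for its attached service account: a plain HTTP GET to the metadata server, no private key involved. The metadata server is replaced here by a mock written for this example so it runs offline; the path and the mandatory `Metadata-Flavor: Google` header are the real ones, while the token value and the host URL are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// instanceTokenPath is the real metadata-server path an app on a Compute Engine
// instance reads its attached service account's access token from. On a real
// instance the host is http://metadata.google.internal (169.254.169.254).
const instanceTokenPath = "/computeMetadata/v1/instance/service-accounts/default/token"

// tokenResponse mirrors the JSON the metadata server returns for that path.
type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int    `json:"expires_in"`
	TokenType   string `json:"token_type"`
}

// mockMetadata is a stand-in for the metadata server, built for this example.
// It keeps the two behaviours that matter: the path, and the mandatory
// "Metadata-Flavor: Google" request header, which the real server requires so
// that a request bounced through a browser or an SSRF bug does not get a token.
func mockMetadata(w http.ResponseWriter, r *http.Request) {
	if r.Header.Get("Metadata-Flavor") != "Google" {
		http.Error(w, "Missing Metadata-Flavor:Google header.", http.StatusForbidden)
		return
	}
	if r.URL.Path != instanceTokenPath {
		http.NotFound(w, r)
		return
	}
	// Constructed token; a real one is an opaque string minted by Google for the
	// service account attached to the instance. Nothing here comes from a key file.
	json.NewEncoder(w).Encode(tokenResponse{
		AccessToken: "ya29.constructed-example-token", ExpiresIn: 3599, TokenType: "Bearer",
	})
}

// fetchInstanceToken is what the app does: one local HTTP GET, no secret on disk.
// withHeader=false shows what a request lacking the header gets back.
func fetchInstanceToken(base string, withHeader bool) (tokenResponse, int, error) {
	var tr tokenResponse
	req, err := http.NewRequest(http.MethodGet, base+instanceTokenPath, nil)
	if err != nil {
		return tr, 0, err
	}
	if withHeader {
		req.Header.Set("Metadata-Flavor", "Google")
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return tr, 0, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return tr, resp.StatusCode, fmt.Errorf("metadata server returned %d", resp.StatusCode)
	}
	return tr, resp.StatusCode, json.NewDecoder(resp.Body).Decode(&tr)
}

func main() {
	srv := httptest.NewServer(http.HandlerFunc(mockMetadata))
	defer srv.Close()
	tok, status, err := fetchInstanceToken(srv.URL, true)
	fmt.Printf("with header:    %d %+v %v\n", status, tok, err)
	_, status, err = fetchInstanceToken(srv.URL, false)
	fmt.Printf("without header: %d %v\n", status, err)
}
```

The token expires in about an hour and is re-fetched by the client library as needed, which is the GCP counterpart of an EC2 instance profile: the workload's identity is a property of the instance, not a file someone can copy off it.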

Summary

This topic isn't treated with the respect it deserves, either in the official cloud docs or in the cloud blogosphere, considering that almost ALL tasks that interact with AWS or GCP require API calls made under the programmatic identities described above.

Thoughts? Comments?