Ask HN: Is GCP harder to use than AWS?
35 points by hopefullywrong on March 3, 2022 | 27 comments
I’m a dev with 10 years of experience. I’ve mostly used AWS services in the past, so I kind of understand their authentication models pretty well. I feel like they did the customer-centric thing and really dumbed them down. They’re just pretty straightforward to use.

Permissions in GCP seem like a mess. I’m trying to use Python to get credentials, and there is a whole Python library for authentication and getting credentials (google-auth).

There’s also not a uniform page for every service where I can go understand authentication/permissions.

They do have a ton of docs, but it’s kind of like a document dump.

Sorry for the rant! I want to know if it’s just me and whether I’m missing something!



I feel the opposite. Everything I've used in GCP, I've understood and appreciated the design decisions behind. Most things I've used in AWS, I've wondered why they shipped it that way. Examples:

* High-availability HSM KMS: trivial in GCP, super difficult in AWS.

* Object storage (GCS/S3): multi-region is trivial in GCP, somewhat harder in AWS. Archival is so much simpler in GCS than S3 Glacier.

* IAM: makes sense to me in GCP and is consistent across products, AWS policy editor has poor usability and feels inconsistent between products.

* Having per-region pages in the AWS console is a pain, easy to lose stuff. GCP is one global interface.

* Cloud Functions/Lambda: CFs Just Work with native dependencies. Lambda is painful in that regard.

GCP's auth lib is confusing though, I agree with you there. We stopped using it and all of their client libs a few years ago and wrote our own. However, that they force you to use service accounts is an excellent security decision.


How about:

* Security groups

* Creating load balancers

* Creating and managing access to Cloud SQL vs RDS

* GCP internal request limits

* GCP documentation is not task oriented (how do I “X”?)

* Getting effective support is impossible

That looks like at least six important things that are significantly harder on GCP.

Don’t get me wrong, I like GCP. I just hate that they are failing in ways I think are so clear and simple to fix if they’d change their thinking. Oh, also: critical components being alpha/beta and unsupported, but no alternative existing. (I’m thinking of the Kubernetes monitoring thing whose name I forget.)

One thing I HAVE liked is cloudshell, being able to spawn an authenticated shell into any resource without having to figure out access from my location.


IAM-authenticated access to a Cloud SQL instance is exactly what I’m trying to do right now… and it’s not surprising why people give up and hard-code credentials…


I'd echo others and say this boils down to familiarity more than anything else.

Identity and authentication are honestly the one area where the popular cloud platforms differ the most. I used to work for AWS and currently work for Azure, and the switch from IAM to AAD caused more cognitive dissonance than any other difference between the platforms' respective offerings.


Having worked with both and gotten used to the difference, is Azure AD more complex than the solutions from the other vendors?


I would say yes, Azure AD is more complex, but in a good way.

AWS IAM is interesting in that IAM resources are provisioned within a subscription. You can use IAM as an identity solution, giving everyone a user account and password, but you don't have to. Internally at AWS, we never used IAM users, but instead had an enterprise AD deployment that we used to log in to our computers and internal systems. One of those internal systems kept a list of AWS subscriptions and IAM roles you had access to, and would trade your AD credentials for temporary AWS credentials scoped to a role. It was pretty slick, but it's not inherent to IAM, so you typically need a third party service to do this for you. (At the job I had in between AWS and Microsoft, we used CloudTamer, and before that, we just had to keep track of 20 different username/password pairs.)

AAD on the other hand is a full blown identity platform that incidentally can also be used to log in to Azure. That means it integrates nicely with on-prem AD deployments and, more importantly, lets users log in once and navigate the subscriptions to which their account has been granted access. So it's actually simpler to use if you just need to be able to log in to multiple subscriptions, but you can run into cases where you need to operate on AAD resources in ways that aren't supported through Azure APIs. This primarily comes up if you need to grant a non-Azure permission as part of an Azure deployment. E.g., if you want to give a managed identity permission to read AAD metadata like service principal IDs, you can't do it from within ARM.


It seems like IAM users are really only useful for very small companies or for off-platform access. Anything more than a handful of users and it's probably best to offload your auth to some other federated platform.

AD is extremely built out and well established, so I guess it's no surprise Azure leans on it heavily. AD/Kerberos authentication is pretty slick, too.


> Permissions in GCP seem like a mess. I’m trying to use Python to get credentials, and there is a whole Python library for authentication and getting credentials (google-auth).

I feel you, but I gotta agree with the other commenters that it's really just about time and experience. Anyone long-experienced on one public cloud will really struggle switching clouds. Your experience is low but your expectations are high. You're not just poking into a dashboard trying to spin up a single VM, you want to do all the stuff you're used to doing on AWS.

While IAM does feel easy once you know it, as someone who's run hackathons and bootcamps I can say it's not easy for everyone to just pick up. It's as complicated as it needs to be, but yeah it can be a steep learning curve.


I use an overly simplistic way to compare how I see GCP vs AWS: MacOS vs PC.

AWS is great, has many options, is ubiquitous across verticals and is everywhere, but it lacks polish in many ways. GCP offers similar tools to that of AWS but, in many ways, feels more polished and offers tools that are integrated across the ecosystem by those who don't want to have to mess with the underpinnings of the infrastructure, roll their own, or have to buy third party services if they do not want to.

That all said, IAM on both absolutely sucks. I should NOT need to read the documentation or study the systems like I do to get it up and running. Both providers seriously need to up their game here and offer sane and secure defaults that just work. The last time I dealt with AWS I wanted to pull out my hair (and this could be due to my heavy investment in GCP), and while GCP is frustrating with IAM, it wasn't nearly as arcane as I felt AWS was.

YMMV.


I think so. The system for authenticating to GCP is an order of magnitude more complex than that for AWS.

I think Google has a culture of "we hire the best and brightest so we can afford to squander 70% of their IQ with unnecessary complexity", which contrasts with, say, Facebook wanting new hires to be able to commit a change and get it into production on the first day.


Well said... All this total IQ at Google is much, much less than the sum of its parts...


I have used both. GCP is designed to cover all the edge conditions on security. AWS can do that but it is much easier to shoot yourself in the foot with AWS security. That is why you get all the stories about people leaving their S3 buckets open.


My experience is the opposite. There are a lot of really insecure defaults in GCP, some of which are really hard to override. GCP makes it easier in that the default service account that every project gets is ridiculously overpermissioned, and for the longest time you couldn't change the service account in Cloud Functions or App Engine, I forget which.

The reason you hear about S3 buckets and not GCS buckets is that usage of S3 is way higher and way older.


I'm a certified architect in both AWS and GCP and I prefer AWS. But it's possible that's because I learned it first.

GCP is easier to start with for me, but becomes annoying because it's missing things that I can do in AWS.

For example, Cloud Run can't run Docker containers that don't listen on a port and just run once and shut down, like Fargate does in AWS.

They want people to use kubernetes which is more complex and has features a lot of people don't need ever. Fargate is simple and just works.

So I prefer AWS for reasons like that but I think GCP is easier to understand.


Having used GKE and EKS, I will say GKE is much simpler. Kubernetes is a powerful platform, but you're right: it does have a lot of complexity and overhead.

ECS and Fargate are pretty solid if you want to run fairly simple containers, but it's still a bit annoying they don't have all the cross-service integrations that Lambda does (SNS/SQS invocation, Kafka, etc.).


> For example, Cloud Run can't run Docker containers that don't listen on a port and just run once and shut down, like Fargate does in AWS.

I believe the Cloud Run team is working on it and it is in a private beta.


As a developer, I find GCP much easier to use than AWS.


As someone who works on an MLOps platform that allows you to use your own clusters, I have to check multiple cloud providers for testing.

GCP is wonderful compared to AWS. It took me a week to sign up for AWS, including writing an issue and a phone call. It took other colleagues some hacky ways to start to use it, even at the sign-up phase.

Doing something on GCP is pretty straightforward. Creating VMs, Kubernetes clusters, etc. I've had non-technical people do it successfully on their own. Live. While observed and under pressure.

AWS? Good lord. That's what I will say about it as I'd rather say good things about a good service than bad things about another.


> 10 years of experience, I’ve mostly used AWS services in the past, so I kind of understand their authentication models pretty well.

I think it's mostly this. IAM in AWS isn't exactly a walk in the park, especially when you start getting into granting only explicitly needed permissions. There aren't great systems for doing that (that I know). Lots of stuff that half works and you sort of have to know how to glue the rest together yourself.

I think GCP's permissions are essentially the same way but GCP is also less popular. So you have even less tooling and documentation.


I find GCP to be easier to use, but that's just me. If you're already productive with AWS, I don't think there's much point in trying to get ramped up on Google's PaaS.


In general, it seems like GCP has higher level abstractions but documentation isn't as good as AWS. AWS gives you fairly "primitive" infrastructure APIs whereas GCP gives you more high-level, abstracted APIs that do more under the hood.

Personally, I've found AWS SDKs to be easier to work with (especially auth), although I've used them more so there's probably some bias.

GCP relies heavily on OAuth, but it can be a bit clunky for human access (basically requiring browser auth).


For me GCP is way easier than Amazon. I feel at home there.

Just remember to create a project (or put that one in a folder) for anything that must be billed together, or when you have several projects that must inherit permissions or restrictions.

Remember that some resources are global (like projects), and others are regional.

Authorization can be a bit tricky, though: they are deprecating old authorization roles (administrator, viewer, etc.) to make it more granular. Sometimes it is good.
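The inheritance this commenter is relying on (bindings on a folder or organization flowing down to every project beneath it) can be made concrete. The block below is an added example for this thread, my own code rather than Google's or the commenter's: it builds a constructed organization/folder/project tree with constructed IAM bindings and group memberships, then computes which roles a principal effectively holds on a project by taking the union of the bindings on the project and on each ancestor, recording where each grant came from. All resource names, groups, users and role choices are made up for the illustration.

```python
"""Effective GCP IAM roles through the resource hierarchy.

Added illustration for this thread, not Google's code. IAM policies in GCP are
inherited down the organization > folder > project tree and are additive, so
the roles a principal holds on a project are the union of the bindings on the
project and on every ancestor. The tree, bindings, groups and principals below
are all constructed for the example.
"""
from typing import Dict, List, Optional, Set

# Constructed hierarchy: resource -> parent (None marks the root organization).
HIERARCHY: Dict[str, Optional[str]] = {
    "organizations/123456": None,
    "folders/prod": "organizations/123456",
    "projects/prod-web": "folders/prod",
    "projects/prod-db": "folders/prod",
    "projects/sandbox": "organizations/123456",
}

# Constructed IAM bindings per resource, shaped like a policy's "bindings" list.
BINDINGS: Dict[str, List[dict]] = {
    "organizations/123456": [
        {"role": "roles/viewer", "members": ["group:all-eng@example.com"]},
    ],
    "folders/prod": [
        {"role": "roles/cloudsql.client", "members": ["group:web-oncall@example.com"]},
    ],
    "projects/prod-web": [
        {"role": "roles/run.developer", "members": ["user:alice@example.com"]},
    ],
}

# Constructed group memberships (in reality resolved through Cloud Identity).
GROUPS: Dict[str, Set[str]] = {
    "group:all-eng@example.com": {"user:alice@example.com", "user:bob@example.com"},
    "group:web-oncall@example.com": {"user:alice@example.com"},
}


def ancestors(resource: str) -> List[str]:
    """Return the resource followed by each ancestor up to the root."""
    chain: List[str] = []
    node: Optional[str] = resource
    while node is not None:
        chain.append(node)
        node = HIERARCHY[node]  # KeyError on an unknown resource: fail loudly
    return chain


def effective_roles(member: str, resource: str) -> Dict[str, str]:
    """Map each role `member` holds on `resource` to the resource where it was granted.

    Grants are additive: a role bound at the folder or organization cannot be
    revoked at the project. The nearest grant is recorded for audit purposes,
    but the role applies regardless of where in the chain it came from.
    """
    identities = {member} | {g for g, members in GROUPS.items() if member in members}
    granted: Dict[str, str] = {}
    for node in ancestors(resource):  # walk from the project upward
        for binding in BINDINGS.get(node, []):
            if identities & set(binding["members"]):
                granted.setdefault(binding["role"], node)
    return granted


if __name__ == "__main__":
    for who, where in [("user:alice@example.com", "projects/prod-web"),
                       ("user:bob@example.com", "projects/prod-db")]:
        for role, origin in sorted(effective_roles(who, where).items()):
            print(f"{who} has {role} on {where} (granted at {origin})")
```

The practical use is the audit direction: when a project shows a role nobody granted on the project itself, walk the ancestor chain to find the folder or organization binding responsible, since that is the only place it can be removed. Restrictions (organization policy constraints) flow down the same tree but are not modelled here.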


Almost all of my professional work has been on AWS - that is simply what companies that I have worked for use.

For my own use, I massively prefer GCP, with an admittedly small monthly spend.

I worked at Google as a contractor and really loved their environment for internal developers and using GCP has a little of that “flavor.”


I find the project-based permission model a lot easier to work with than the ARN-based permission model. ARN is more granular, so probably more secure if you get it exactly right, but there is also more going on, so it's easier to miss something.
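The "easier to miss something" concern above, and the earlier remark that there are no great systems for granting only explicitly needed permissions in AWS, both come down to spotting wildcards in ARN-scoped policies. The block below is an added example for this thread, my own code and not an AWS tool: it parses a constructed IAM policy document and reports every Allow statement whose Action or Resource is a wildcard (or that uses NotAction/NotResource), leaving Deny statements alone since wildcards there only narrow access. The policy, account id and bucket names are made up for the illustration.

```python
"""Spot over-broad statements in an AWS IAM policy document.

Added illustration for this thread, not AWS tooling: the policy below is
constructed, and the findings are plain strings in my own format. The check
flags Allow statements whose Action or Resource is a wildcard, which is the
"easy to miss something" case in an ARN-based model.
"""
import json
from typing import Any, List

# Constructed sample policy: one tight statement, two broad ones, one Deny.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # tight: one action on one key prefix in one bucket
            "Sid": "ReadAppConfig",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-config-bucket/app/*",
        },
        {   # broad resource: the two actions apply to every table in the account
            "Sid": "DynamoWrite",
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem", "dynamodb:UpdateItem"],
            "Resource": "*",
        },
        {   # broad action: every CloudWatch Logs API call, albeit on one log group prefix
            "Sid": "AppLogs",
            "Effect": "Allow",
            "Action": "logs:*",
            "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:/app/*",
        },
        {   # Deny statements with wildcards narrow access, so they are not flagged
            "Sid": "NeverDeleteBuckets",
            "Effect": "Deny",
            "Action": "s3:DeleteBucket",
            "Resource": "*",
        },
    ],
})


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(document: str) -> List[str]:
    """Return one finding per over-broad element of each Allow statement."""
    policy = json.loads(document)
    findings: List[str] = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", f"Statement[{index}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
        for action in _as_list(stmt.get("Action")):
            if action == "*":
                findings.append(f"{sid}: Action '*' allows every API call")
            elif action.endswith(":*"):
                service = action.split(":")[0]
                findings.append(f"{sid}: Action '{action}' allows every {service} call")
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append(f"{sid}: Resource '*' applies the actions to every resource")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run against the sample, only DynamoWrite and AppLogs are reported; the tight S3 statement and the Deny pass. A check like this belongs in the pipeline that deploys policies, because reading an ARN-scoped document by eye is exactly where a stray `*` slips through.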


Yeah. It’s also harder to speak to a human, exponentially so.


Not really. Just different.


Yes



