-
POLP with GCP when migrating from AWS
When migrating to GCP from AWS, some differences are front and center, like projects and folders. The IAM design differences are less obvious until they bite you.
To practice POLP (the Principle of Least Privilege) on GCP, the hierarchy of IAM permissions needs to be rethought rather than ported one-to-one.
AWS IAM centers on policy documents that map principals to allowed actions on resources (identity-based policies attached to the principal, resource-based policies attached to the resource). GCP instead leans on an inheritance model: an allow policy bound anywhere in Org → Folders → Projects → Resources is inherited by everything beneath it, and the effective policy on a resource is the union of its own bindings and those of all its ancestors, so a grant made at the org or folder level cannot be revoked from a project below it. Moreover, many resources, such as service accounts and buckets, carry their own IAM policies with direct bindings, leading to "hidden" bindings for the uninitiated: a project-level policy listing does not show them.
-
Fully Remote Development with VS Code & Cloud9
I work from about 7 different machines, including 3 laptops, an iPad, a Chromebook and a PC desktop. Usually this means keeping credentials, config, build dependencies and IDEs in sync across all 3, and the iPad and Chromebook just can't run my dev environment.
I considered a few options to enable seamless work across devices:
| Option | Pros | Cons |
|---|---|---|
| Keep a "dev" Docker image that contains everything | Fully-local dev | Only works on desktop OSs; inconsistency if you forget to push the image |
| Sync script | Fully-local dev | Inconsistency across devices; script mayhem |
| Code remotely via a VM | Secure, consistent | Traditionally text-only |

Solution
- Launch Cloud9 Environment on AWS
- Install VS Code + SSH Remote Extension
- Install tmux
With this setup you get the highest-fidelity experience where you can (VS Code over Remote-SSH), plus an adequate experience on the iPad and Chromebook (the Cloud9 web IDE). Because tmux keeps the shell session alive on the VM rather than on whichever client you happen to be using, you get seamless handoff across all devices.
-
GCP: Managing IAM Access Control Across Projects -- The Simpler Version
GCP resources are organized into projects: resource IDs and service accounts belong to a project ID, and a role granted to a principal (e.g. a user or service account) at the project level applies only to that project's resources. This gets tricky if, say, your images are in one project's storage bucket and your app runs in another.
If you want to give a service account in one project access to resources in another, the approach is not obvious, nor is it well documented.
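To make the two IAM points above concrete (inheritance and "hidden" resource-level bindings from the POLP post, and the cross-project grant from this one), here is a small Python model of GCP allow-policy evaluation. It is an added illustration, not GCP code or a Google library: the organization, projects, bucket names and principals are constructed, the resource names are simplified (a real service account is `app@project-a.iam.gserviceaccount.com`), and IAM deny policies and conditions are deliberately not modeled.

```python
"""Toy model of GCP IAM allow-policy evaluation (constructed example, not a GCP SDK).

Two rules it encodes, both true of real GCP allow policies:
  * Bindings are inherited down Organization -> Folder -> Project -> Resource, and the
    effective policy on a resource is the UNION of its own bindings and its ancestors'.
    A child resource cannot revoke what a parent granted.
  * Many resources (buckets, service accounts, ...) carry their own IAM policy, so
    `get-iam-policy` on the parent project does not show those bindings.
All names below are made up for the example.
"""
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Set, Tuple


class IamHierarchy:
    def __init__(self) -> None:
        self._parent: Dict[str, Optional[str]] = {}
        # resource -> [(role, principal), ...], one entry per member of a binding
        self._bindings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)

    def add_resource(self, name: str, parent: Optional[str] = None) -> None:
        if parent is not None and parent not in self._parent:
            raise KeyError(f"unknown parent {parent}")
        self._parent[name] = parent

    def add_binding(self, resource: str, role: str, principal: str) -> None:
        """Models `gcloud ... add-iam-policy-binding RESOURCE --role=... --member=...`."""
        if resource not in self._parent:
            raise KeyError(f"unknown resource {resource}")
        self._bindings[resource].append((role, principal))

    def remove_binding(self, resource: str, role: str, principal: str) -> bool:
        """Only a DIRECT binding can be removed here; returns False if there is none.

        This is the trap: an org- or folder-level grant is still effective on the
        project even though the project's own policy has nothing to remove."""
        entry = (role, principal)
        if entry in self._bindings[resource]:
            self._bindings[resource].remove(entry)
            return True
        return False

    def ancestry(self, resource: str) -> Iterator[str]:
        """The resource itself, then each parent up to the organization."""
        node: Optional[str] = resource
        while node is not None:
            yield node
            node = self._parent[node]

    def direct_policy(self, resource: str) -> Set[Tuple[str, str]]:
        """What `get-iam-policy` on this one resource shows: its own bindings only."""
        return set(self._bindings[resource])

    def effective_roles(self, resource: str, principal: str) -> Set[str]:
        """Roles the principal actually holds on `resource`, inherited ones included."""
        return {
            role
            for node in self.ancestry(resource)
            for role, member in self._bindings[node]
            if member == principal
        }

    def bindings_for_principal(self, principal: str) -> Set[Tuple[str, str]]:
        """Every (resource, role) a principal holds anywhere in the tree: the audit
        view that surfaces bindings hidden below the project level."""
        return {
            (node, role)
            for node, entries in self._bindings.items()
            for role, member in entries
            if member == principal
        }


def build_example() -> IamHierarchy:
    """Constructed org: two projects under one folder, app in project-a reading images."""
    h = IamHierarchy()
    h.add_resource("organizations/123")
    h.add_resource("folders/eng", "organizations/123")
    h.add_resource("projects/project-a", "folders/eng")
    h.add_resource("projects/project-b", "folders/eng")
    h.add_resource("buckets/project-a-images", "projects/project-a")
    h.add_resource("buckets/project-b-images", "projects/project-b")
    # Org-level grant: inherited by every bucket below, absent from each project's own policy.
    h.add_binding("organizations/123", "roles/viewer", "group:auditors@example.com")
    # Project-scoped grant: the app SA can read objects in project-a only.
    h.add_binding("projects/project-a", "roles/storage.objectViewer", "serviceAccount:app@project-a")
    # "Hidden" grant bound directly on a bucket in project-b.
    h.add_binding("buckets/project-b-images", "roles/storage.objectAdmin", "user:contractor@example.com")
    return h


def grant_cross_project_read(h: IamHierarchy) -> Set[str]:
    """The cross-project fix: bind the project-a SA on the project-b bucket itself.

    The SA's home project is irrelevant to the check; what matters is a binding on the
    target resource or one of its ancestors. Binding on the bucket rather than on
    projects/project-b is the least-privilege choice."""
    h.add_binding("buckets/project-b-images", "roles/storage.objectViewer", "serviceAccount:app@project-a")
    return h.effective_roles("buckets/project-b-images", "serviceAccount:app@project-a")


if __name__ == "__main__":
    h = build_example()
    print("project-b policy shows:", h.direct_policy("projects/project-b"))
    print("auditors on project-b bucket:", h.effective_roles("buckets/project-b-images", "group:auditors@example.com"))
    print("app SA on project-b bucket before:", h.effective_roles("buckets/project-b-images", "serviceAccount:app@project-a"))
    print("app SA on project-b bucket after:", grant_cross_project_read(h))
```

The real-world counterparts: the cross-project grant is `gcloud storage buckets add-iam-policy-binding gs://BUCKET --member=serviceAccount:app@project-a.iam.gserviceaccount.com --role=roles/storage.objectViewer`, and the audit view that finds bindings hidden below the project level is `gcloud asset search-all-iam-policies --scope=organizations/ORG_ID --query="policy:contractor@example.com"` (requires the Cloud Asset API). Checking a project with `gcloud projects get-iam-policy` alone corresponds to `direct_policy` above and will miss both inherited and resource-level grants.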