Last updated: April 29, 2026
Why this module exists. Every Indian SaaS that adopted GCP after 2022 inherited an IAM model fundamentally different from AWS. The pieces look similar — IAM, service accounts, roles — but the wiring is different and the attack paths are different. If you bring AWS muscle memory to GCP, you’ll either over-permission everything or miss the GCP-specific privilege-escalation paths.
How GCP IAM differs from AWS IAM
| | AWS | GCP |
|---|---|---|
| Identity primitive | IAM user, IAM role | Google account, service account |
| Permission model | Identity-based + resource-based policies | IAM policy bound to a resource (project/folder/org) |
| Cross-account / cross-project access | Trust policies + assume-role | Direct grants — add a member to a project’s IAM |
| Inheritance | None at the account level | Org → Folder → Project → Resource (policies set higher up are inherited by everything below) |
| Workload identity | IAM role for service / IRSA | Workload Identity / WIF — federated tokens |
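
The inheritance row above, as an added example that is not part of the original module: effective access on a GCP project is the union of the allow policies set on it and on every ancestor, so a project's own policy can look clean while a folder- or org-level grant still applies. The hierarchy, members and function names below are constructed for illustration.

```python
# Constructed sample data: a tiny resource hierarchy and the allow policy set
# at each node. All resource names and members are made up for illustration.
PARENT = {
    "organizations/111": None,
    "folders/222": "organizations/111",
    "projects/prod-app": "folders/222",
    "projects/sandbox": "organizations/111",
}
POLICIES = {
    "organizations/111": [{"role": "roles/owner", "members": ["user:founder@example.com"]}],
    "folders/222": [{"role": "roles/editor", "members": ["group:platform@example.com"]}],
    # Direct cross-project grant: a service account from another project is
    # simply added as a member here, with no trust policy or assume-role step.
    "projects/prod-app": [
        {"role": "roles/viewer", "members": ["serviceAccount:ci@sandbox.iam.gserviceaccount.com"]},
    ],
}
BROAD_ROLES = {"roles/owner", "roles/editor"}


def ancestors(resource):
    """Yield the resource itself, then each ancestor up to the organization."""
    while resource is not None:
        yield resource
        resource = PARENT[resource]


def effective_bindings(resource):
    """Union of bindings set on the resource and on every ancestor.

    Returns {(role, member): [nodes where the grant is set]}, nearest node first.
    """
    result = {}
    for node in ancestors(resource):
        for binding in POLICIES.get(node, []):
            for member in binding["members"]:
                result.setdefault((binding["role"], member), []).append(node)
    return result


def inherited_broad_grants(resource):
    """Broad roles that apply to the resource but are absent from its own policy."""
    return sorted(
        (role, member, sources[0])
        for (role, member), sources in effective_bindings(resource).items()
        if role in BROAD_ROLES and resource not in sources
    )


if __name__ == "__main__":
    for role, member, source in inherited_broad_grants("projects/prod-app"):
        print(f"{member} has {role} on projects/prod-app via {source}")
```

Reviewing only the project-level policy for `projects/prod-app` would show a single viewer binding; the audit has to walk the ancestors to see the owner and editor grants that also apply.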