
The author does a good job showing how AWS got to this point, but I think the majority of their argument is that they don't care for the semantics. Lines like:

>>A consequence of this change was to further remove any coherent meaning for the term “role”

and

>>So what is an IAM role then? Simply put, it’s a principal (i.e. an identity) with no long-lived credentials, that can be impersonated for arbitrary purposes.

show that this is the main grievance. And to that I say - I hope you never try to mix Azure workloads at the same time as you are working on other cloud providers, as the nomenclature differences will drive you crazy.

I do agree that the GCP model is more sensible (unless you have to 'unlearn' the AWS style first), but my major grievance is the combination and intersection of lots of different permission layers in AWS - you can have SCPs acting as a hard explicit deny at the top level, then your policies attached to roles/users, and then some services (such as S3) can have resource-based policies as well. Even the best engineers can forget a setting or two and have to spend time troubleshooting, especially across a lot of accounts.
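One way to see how those layers intersect is to model the evaluation order in code. The block below is an added illustration, not code from the comment or from AWS: it implements the publicly documented rule for a same-account principal (an explicit Deny in any layer wins, an SCP must allow, then either an identity-based or a resource-based policy must allow) and reports which layer produced the decision, which is the part that makes troubleshooting across many accounts painful. The sample SCP, role policy and bucket policy are constructed for the example; the model treats an empty SCP list as "nothing allowed" and omits permission boundaries, session policies, conditions and cross-account behaviour.

```python
"""Simplified model of AWS permission-layer evaluation (added illustration, not AWS code).

Layers modelled: SCPs (organization-level bound), identity-based policies attached
to a role/user, and resource-based policies such as an S3 bucket policy.
Assumptions: same-account principal, no conditions, no permission boundaries,
no session policies; an empty SCP list is treated as an implicit deny.
"""
from fnmatch import fnmatchcase


def _matches(statement, action, resource):
    """True if the statement's Action and Resource patterns cover the request."""
    actions = statement["Action"]
    resources = statement.get("Resource", "*")
    actions = [actions] if isinstance(actions, str) else actions
    resources = [resources] if isinstance(resources, str) else resources
    return (any(fnmatchcase(action, a) for a in actions)
            and any(fnmatchcase(resource, r) for r in resources))


def _layer_decision(policies, action, resource):
    """Return 'Deny', 'Allow' or 'NoMatch' for one layer of policies."""
    result = "NoMatch"
    for policy in policies:
        for st in policy.get("Statement", []):
            if _matches(st, action, resource):
                if st["Effect"] == "Deny":
                    return "Deny"          # explicit deny in this layer
                result = "Allow"
    return result


def evaluate(action, resource, scps, identity_policies, resource_policies):
    """Return (decision, reason); the reason names the layer that decided."""
    scp = _layer_decision(scps, action, resource)
    ident = _layer_decision(identity_policies, action, resource)
    res = _layer_decision(resource_policies, action, resource)
    # 1. An explicit Deny in any layer overrides every Allow.
    for name, d in (("SCP", scp), ("identity policy", ident), ("resource policy", res)):
        if d == "Deny":
            return "Deny", f"explicit deny in {name}"
    # 2. SCPs only bound what an account may do; without an SCP Allow nothing passes.
    if scp != "Allow":
        return "Deny", "no SCP allows the action (implicit deny)"
    # 3. Either an identity-based or a resource-based Allow grants access.
    if ident == "Allow":
        return "Allow", "identity policy allows"
    if res == "Allow":
        return "Allow", "resource policy allows"
    return "Deny", "no policy allows the action (implicit deny)"


# Constructed sample policies for the example (not from any real account).
SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}]
ROLE_POLICY = [{"Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:DeleteBucket"],
     "Resource": "arn:aws:s3:::example-bucket*"},
]}]
BUCKET_POLICY = [{"Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}]

if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::example-bucket/a.txt"),   # role policy allows
        ("s3:PutObject", "arn:aws:s3:::example-bucket/a.txt"),   # bucket policy allows
        ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),      # SCP explicit deny wins
        ("s3:ListBucket", "arn:aws:s3:::example-bucket"),        # nothing allows it
    ]
    for action, resource in requests:
        decision, reason = evaluate(action, resource, SCPS, ROLE_POLICY, BUCKET_POLICY)
        print(f"{action:18} {decision:5} ({reason})")
```

The useful part for operations is the reason string: when an engineer "forgets a setting or two", the question is rarely whether access was denied but which of the three layers denied it, and a checker that says so directly saves the cross-account guesswork the comment describes.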


