All identity and access management services enable admins to do the same basic thing: configure access controls that define who can do what to which resources in the cloud.
Yet, when diving into the details of each service, it's clear that the cloud IAM services work in different ways. IAM terminology, concepts and practices vary among the major cloud providers.
This doesn't mean some cloud IAM services are better than others. Feature-wise, they're equivalent in almost all respects. But it does mean that admins must master a broader set of concepts and terms if they want to manage IAM across multiple clouds.
This article breaks down how IAM services compare among AWS, Azure and Google Cloud. We look at how each IAM framework structures resources, how it manages permissions, how it's priced and more.
What is identity and access management?
Cloud IAM is a type of service for managing access to cloud resources. Admins can use a cloud IAM framework to configure access policies that define which actions a given set of users or groups can perform for specific cloud resources.
For example, admins could grant one user permission to view, create and delete VM instances on a cloud service such as Amazon EC2. They could also create a separate policy that allows different users only to view VM instances.
Without IAM services, all users who have access to a cloud environment are able to perform any supported action on any resource. This isn't desirable in most cases, so businesses use cloud IAM frameworks to configure access policies based on the needs of individual users and groups.
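The two grants described above (one identity may view, create and delete VM instances; another may only view them) are easiest to understand as concrete policy documents run through the evaluation rule every cloud IAM service shares: deny by default, and an explicit deny beats any allow. The following is an added example, not code from the article; the policies are constructed in AWS IAM's JSON form, and the evaluator is a deliberately simplified model (no conditions, NotAction or cross-account logic) used only to show which requests each policy admits.

```python
import fnmatch
import json

# Constructed example policies (not from the article). The first grants the
# view/create/delete set the text describes; the second grants view only.
FULL_INSTANCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",   # view
                "ec2:RunInstances",        # create
                "ec2:TerminateInstances",  # delete
            ],
            "Resource": "*",
        }
    ],
}

VIEW_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"}
    ],
}


def _as_list(value):
    """IAM accepts a single string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive wildcard match ('*' and '?'), as IAM matches actions and ARNs."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def is_allowed(policies, action, resource):
    """Simplified IAM evaluation: default deny; any matching Deny overrides every Allow.

    Conditions, NotAction/NotResource and resource-based policies are not modelled.
    """
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _matches(stmt.get("Action", []), action):
                continue
            if not _matches(stmt.get("Resource", []), resource):
                continue
            if stmt["Effect"] == "Deny":
                return False
            if stmt["Effect"] == "Allow":
                allowed = True
    return allowed


def policy_chars(policy):
    """Character count with whitespace stripped, which is how AWS sizes a policy document."""
    return len(json.dumps(policy, separators=(",", ":")))


if __name__ == "__main__":
    # Constructed instance ARN used only for the demonstration.
    instance = "arn:aws:ec2:us-east-1:123456789012:instance/i-0example"
    for name, policy in [("full", FULL_INSTANCE_POLICY), ("view-only", VIEW_ONLY_POLICY)]:
        for action in ("ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"):
            print(f"{name:9} {action:24} -> {is_allowed([policy], action, instance)}")
        print(f"{name:9} policy size: {policy_chars(policy)} characters")
```

Running the script prints a small matrix: the full policy admits all three actions, the view-only policy admits only `ec2:DescribeInstances`, and a request with no matching statement is refused. Attaching a third policy with an explicit `Deny` on `ec2:TerminateInstances` would override the full policy's allow, which is the mechanism admins rely on to carve exceptions out of broad grants.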
Compare IAM services: AWS vs. Azure vs. Google Cloud
Although all cloud providers offer IAM services, each provider's service works in a somewhat different way. Following are the key differences among IAM frameworks on AWS, Azure and Google Cloud.
Concepts and terminology
All the major cloud providers' IAM services support a hierarchy-based approach to user management. This enables admins to assign permissions to every user within the organization, to subsets of users or to individual users.
However, the terminology the providers use to refer to resources within this hierarchy varies. For AWS, the highest level of hierarchy is called the Account. Azure calls it the Organization; in Google Cloud, it's known as the Project. All these terms refer to the same type of resource -- the broadest set of users to which IAM policies can apply.
In other cases, the same term has a somewhat different meaning in different cloud IAM systems. For example, in Google Cloud, Principal can refer to end users who have Google accounts; nonhuman users, such as applications; or even Google Groups. Principals can be anyone with a Google account, even if they don't have user accounts inside Google Cloud. Meanwhile, in AWS, a Principal is an identity that exists within AWS itself, so the Principal concept doesn't extend to outside users.
Resource hierarchy configuration
The cloud providers also differ slightly in how they expect customers to configure resource hierarchies. For example, in AWS and Google Cloud, it's relatively common for the same business to configure multiple Accounts or Projects. In contrast, Azure is designed with the assumption that most businesses configure just one Organization -- although it's possible to create multiple tenants within that Organization to segment different sets of users and IAM policies.
The differences in resource hierarchy concepts and terminology largely reflect differences in the broader ecosystem in which each cloud provider operates. Azure assumes that each customer configures only one Organization because its IAM model is based on concepts that originated with Microsoft Active Directory (AD), which is an IAM system initially designed for on-premises end-user computing environments.
Likewise, Google Cloud takes a more flexible approach to defining Principals because Google offers other products and services it wants to integrate with its cloud platform. This is not a priority for Amazon, whose digital offerings outside of AWS are much more limited. AWS does support the use of Amazon.com accounts as the root user for AWS accounts, but AWS IAM generally doesn't integrate tightly with Amazon's e-commerce services.
Pricing and service limits
All the major cloud IAM services are generally free of cost. But quotas apply to how many users or sets of permissions each service supports for a given Account, Project or Organization.
For example, AWS supports up to 1,000 roles per Account. Customers can request additional roles, up to a maximum limit of 5,000 per Account. Customers don't get additional charges for changing the quota, but AWS must approve changes before they take effect.
By comparison, Azure supports 4,000 roles per subscription. Customers cannot request an extension.
Another important difference is that Azure's IAM service, called Entra ID -- formerly known as Azure AD -- has paid versions available. But the core IAM offering is free, and even large organizations are likely to find that the free version meets their needs. On AWS and Google Cloud, IAM services are totally free of cost in all cases.
Features and functionality
The cloud IAM services from AWS, Azure and Google Cloud have no major distinctions in functionality, but they do differ slightly.
For example, Azure doesn't support extendable IAM quotas, but AWS and Google Cloud do. Another example is that the maximum allowable size of IAM policies varies. On AWS, policies can't exceed 6,144 characters, while Google Cloud limits them to a 64 KB file size and Azure imposes no restrictions.
Each framework also manages permissions for nonhuman users -- sometimes called noninteractive users -- somewhat differently. AWS IAM treats human and nonhuman users in the same basic way, allowing each to be managed under the same account. With Google Cloud and Azure, however, admins must define separate principals or service groups for nonhuman users.
Which cloud IAM service is best for you?
It's incorrect to say that any one cloud offers a better IAM service than its competitors. The IAM services available from all major clouds are reliable, feature-rich options that enable admins to configure highly nuanced access control policies.
Plus, businesses probably shouldn't select a cloud based on its IAM framework. They should look at features and pricing for the types of cloud services they want to use. These factors play a much more important role in determining how much value they can obtain from the cloud.
The differences between the clouds' IAM services can mean that, at least sometimes, one option is a better fit than the others for certain types of organizations, depending on their structure and the technology they already use. In general terms, it's reasonable to conclude the following for each cloud provider:
- AWS IAM works well for businesses whose users and resources are confined entirely to AWS.
- Azure IAM is a good option for businesses accustomed to Microsoft AD and that want to extend their AD-based user and identity management practices into the cloud.
- Google Cloud IAM is ideal for organizations that also use other Google services, such as Google Workspace, and want the ability to integrate users of those services into their cloud IAM strategy.
Any major cloud IAM framework can support virtually any use case a business might have, despite some differences within the details of how each framework operates.
Chris Tozzi has worked as a journalist and Linux systems administrator. He is particularly interested in open source, Agile infrastructure and networking. He is senior editor of content and DevOps analyst at Fixate IO.