IAM in Cloud de Confiance versus Google Cloud

Identity and Access Management (IAM) is a tool to manage fine-grained authorization for Cloud de Confiance by S3NS. It lets you control who can do what on which resources. This page describes the differences between the Cloud de Confiance and Google Cloud versions of IAM.

For more detailed information about IAM, see the IAM overview and the rest of the IAM documentation.

Key differences

There are some differences between the Cloud de Confiance version of IAM and the Google Cloud version. Some notable differences include the following:

  • Only Workforce Identity Federation and Workload Identity Federation identities can be used as principal identifiers.
  • Policy Intelligence capabilities are unavailable.
  • Principal access boundary (PAB) policies are unavailable.
  • Privileged Access Manager (PAM) is unavailable.

A more detailed list of differences is provided in the rest of this section. If you are already familiar with Google Cloud, we recommend that you review these differences carefully, particularly before designing an application to run on Cloud de Confiance. We also recommend reviewing the general differences between Cloud de Confiance and Google Cloud.

If you would like to use a particular IAM feature that isn't currently available in Cloud de Confiance, contact Cloud de Confiance support. To be notified when new features roll out in Cloud de Confiance, subscribe to the release notes. Unless otherwise specified, features that are in preview are not available in Cloud de Confiance.

Integrations

Organization Policy Service

Organization Policy gives you centralized, programmatic control over your organization's resources. In Cloud de Confiance, predefined organization policies are provided and can be used; however, the following aren't supported:

  • Creating and using your own custom constraints.
  • Using managed constraints.

Security and access control

Identity federation

Only Workforce Identity Federation and Workload Identity Federation identities can be used as principal identifiers when creating policies in Cloud de Confiance.

Principal access boundary policies

Principal access boundary policies let you define the resources that principals can access. These policies are unavailable in Cloud de Confiance.

Privileged Access Manager

You can use Privileged Access Manager to control just-in-time temporary privilege elevation for select principals, and to view audit logs afterwards to find out who had access to what and when. This feature is unavailable in Cloud de Confiance.
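The principal identifier restriction above, worked through as an added example (not code from this page or from S3NS): a small Python check that classifies each member of an IAM policy binding as a Workforce Identity Federation principal, a Workload Identity Federation principal, or something else, so that a policy drafted for Google Cloud can be reviewed before it is applied in Cloud de Confiance. The patterns follow the documented principal:// and principalSet:// identifier formats, but the regular expressions are an approximation written here, and the sample policy, pool IDs, project number and subjects are constructed placeholders.

```python
import json
import re

# Principal identifier formats for Workforce Identity Federation and Workload
# Identity Federation (the only principal types usable in Cloud de Confiance).
# These regexes are an approximation written for this example, not an official rule.
WORKFORCE_RE = re.compile(
    r"^principal(Set)?://iam\.googleapis\.com/locations/global/workforcePools/"
    r"[^/]+/(subject/.+|group/.+|attribute\.[^/]+/.+|\*)$"
)
WORKLOAD_RE = re.compile(
    r"^principal(Set)?://iam\.googleapis\.com/projects/\d+/locations/global/"
    r"workloadIdentityPools/[^/]+/(subject/.+|group/.+|attribute\.[^/]+/.+|\*)$"
)

def classify_member(member: str) -> str:
    """Return 'workforce', 'workload' or 'unsupported' for one binding member."""
    if WORKFORCE_RE.match(member):
        return "workforce"
    if WORKLOAD_RE.match(member):
        return "workload"
    return "unsupported"

def find_unsupported_members(policy: dict) -> list:
    """Return (role, member) pairs whose member is not a federated identity."""
    findings = []
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            if classify_member(member) == "unsupported":
                findings.append((binding["role"], member))
    return findings

# Constructed sample policy: pool IDs, project number and subjects are placeholders.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/viewer", "members": [
    "principal://iam.googleapis.com/locations/global/workforcePools/example-pool/subject/alice@example.com",
    "user:alice@example.com"]},
  {"role": "roles/storage.objectViewer", "members": [
    "principalSet://iam.googleapis.com/projects/123456789012/locations/global/workloadIdentityPools/ci-pool/attribute.repository/example-org/example-repo",
    "serviceAccount:ci@example-project.iam.gserviceaccount.com"]}
]}
""")

if __name__ == "__main__":
    for role, member in find_unsupported_members(SAMPLE_POLICY):
        print(f"{role}: {member} is not a federated principal; replace it before use")
```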

Workflows and tools

Gemini assistance in the IAM role picker

The IAM role picker lets you ask Gemini which roles to grant to your principals. In Cloud de Confiance, role suggestions from Gemini are unavailable.

Permission error messages

In the Cloud de Confiance console, permission error messages provide basic remediation guidance. They don't provide the option to resolve permission errors directly from the error message.

Insights and observability

Policy Intelligence

Policy Intelligence tools help you understand and manage your policies to proactively improve your security configuration. Policy Intelligence tools are unavailable in Cloud de Confiance. As a result, the following features are unavailable:

  • Activity Analyzer
  • Policy Analyzer
  • Policy Simulator
  • Policy Troubleshooter
  • Role recommendations
  • Service account insights

The following information might also affect how you use and design for IAM in Cloud de Confiance by S3NS. These guides include general information about working in Cloud de Confiance, including documentation, security and access control, billing, tooling, and service usage.

For details about other services and features in Cloud de Confiance and their differences from their Google Cloud counterparts, see the product list.