I agree. This is the one thing I find easier on GCP than AWS: taking total control over a GCP environment I'm about to enter is much faster and less confusing. It's irritating that I need old accounts to do exports, but usually I can reset credentials on some old ones and find one with MFA I can bypass.
But it's still a rather nasty environment to handle, as are all the big clowns. There's lock-in, confusing products, lots of general weirdness. Unless the corporation I'm taking control over has exercised discipline and restraint and stuck to a rig with simple EC2 instances, every project makes me hate them more.
As far as I can tell, the way to go if you enjoy this kind of operating environment is to buy on-prem OpenShift. The guys I've met that run that seem to think it's the lesser evil.
Basically as if you had S3 bucket policies for everything.
Though I'm sure you'll find someone saying the exact opposite is more useful.