Identity used by application code and services/resources.
Google Cloud Service Accounts can have multiple “key” credentials.
Azure AD Service Principals can have multiple “secrets/keys” or certificates.
Azure Managed Identity can be assigned to VMs and other Azure resources, similar to how Service Accounts are assigned to Google Cloud instances, and can be used from those resources without needing to use keys.
In Azure, a role assignment defines which principal (user, group, or service principal) gets a specific role (set of allowed actions), starting at which scope in the hierarchy (management group, subscription, resource group, or specific resource); the assignment is inherited downward.
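The downward inheritance described above can be checked when auditing who holds access to a resource. This is an added example, not code from the original page: the function names, the field names `principal`/`role`/`scope`, and every ID and assignment in it are constructed, and the subscription-to-management-group mapping is assumed to be supplied by the caller with lowercase subscription IDs.

```python
# Added example: resolve which Azure role assignments are effective at a resource.
# All principals, IDs and assignments below are constructed sample data.
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

def norm(scope):
    """Azure resource IDs are case-insensitive; drop any trailing slash."""
    return scope.rstrip("/").lower() or "/"

def inherits(assigned, target, mg_ancestors):
    """True if a role assignment made at `assigned` applies at `target`."""
    a, t = norm(assigned), norm(target)
    if a == "/" or a == t:
        return True
    if a.startswith(MG_PREFIX):
        # Management group scopes are not path prefixes of subscription IDs,
        # so the subscription -> management group ancestry must be supplied.
        parts = t.split("/")
        sub = parts[2] if len(parts) > 2 and parts[1] == "subscriptions" else None
        return a[len(MG_PREFIX):] in [m.lower() for m in mg_ancestors.get(sub, [])]
    # Match whole path segments so ".../rg-app" does not cover ".../rg-app2".
    return t.startswith(a + "/")

def effective(assignments, target, mg_ancestors):
    """Return (principal, role, scope) for every assignment that applies at `target`."""
    return [(x["principal"], x["role"], x["scope"])
            for x in assignments if inherits(x["scope"], target, mg_ancestors)]

SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
RG = SUB + "/resourceGroups/rg-app"
VM = RG + "/providers/Microsoft.Compute/virtualMachines/vm1"
MG_ANCESTORS = {"00000000-0000-0000-0000-000000000001": ["mg-prod"]}
ASSIGNMENTS = [
    {"principal": "sec-team", "role": "Reader", "scope": "/providers/Microsoft.Management/managementGroups/mg-prod"},
    {"principal": "dev-team", "role": "Owner", "scope": "/providers/Microsoft.Management/managementGroups/mg-dev"},
    {"principal": "ops-group", "role": "Contributor", "scope": SUB},
    {"principal": "app-sp", "role": "Virtual Machine Contributor", "scope": SUB + "/resourceGroups/RG-APP"},
    {"principal": "other-sp", "role": "Owner", "scope": SUB + "/resourceGroups/rg-app2"},
    {"principal": "vm1-identity", "role": "Storage Blob Data Reader", "scope": RG + "/providers/Microsoft.Storage/storageAccounts/stapp1"},
]

if __name__ == "__main__":
    for row in effective(ASSIGNMENTS, VM, MG_ANCESTORS):
        print(row)
```

Assignments made on a sibling resource group or sibling resource do not appear in the result; only scopes at or above the target in the hierarchy do.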