Amazon APIs are the worst. No comparison. *Rant

  • My impression is that IAM is in and of itself a good system, but that it has grown a lot over the years and now has a ton of legacy scenarios that it has to support.

    Add in that it seems to be up to the specific service to implement the newer stuff, and you arrive at having three or more different ways to permission resources, none of which are supported everywhere.

    In other words - it's old enough to be crufty.

  • I've had a high degree of satisfaction with AWS but I have done very little with their other APIs. My impression is that Google Cloud is in a class by itself having a difficult API to work with but that's because the authentication process is like the intro to the old Get Smart TV show.

    https://www.youtube.com/watch?v=ankXUaWqQgM

    It seems like LWA is like that for you and maybe that is a big pain point for everything else you are doing. Auth is like that because it is so central: if it doesn't work you can't get anything done, but boy, you are in trouble if somebody can bypass it. I have been reworking an auth system in the last month and it is slow going because the risk is so high.