I have some devices, and each will be handled to the customers. I need each device to have read-access to some Google Cloud storage buckets. I would like each of device (or at least each customer) to have a different service account so I can track/revoke accesses if I need to.
I am not sure what is the best way to achieve this easily. I could create a service account for each device, allow each service account on each bucket, but this seems tedious. I though of two solutions :
- Create each device account with the Storage Object Viewer role limited to a tag, which will be set on each buckets. However, I didn't found how to set a tag on a bucket and use it to limit the role.
Allow each device account to impersonate another service account "bucket reader" that will be allowed to read on each bucket. However I will have to allow each account to impersonate the "bucket reader" service account.Service account impersonation do not allow for long-lived token.
What is the best solution and how to do it? Is there another way I didn't think of?
bucketname/prefix
can be accessed.