I am using Google Cloud Storage to persist photos uploaded by users of my app. I am using the service account to authenticate the request [1] against GCS. The following steps are executed if a user wants to upload a photo to a GCS's bucket.
- Android client sends request to my server to give him an access token for GCS.
- Server obtains the access token from service account (I am using PK12 key).
- Server sends the access token back to Android client.
- Android client uses the access token to authenticate itself against GCS endpoint and uploads photos to GCS's bucket.
- Photo's metadata are persist into my database.
Since Google Cloud Storage allows to define only "READER", "WRITER", "OWNER" permission to its buckets and objects. I need to give the service account holder a "WRITER" permission on bucket. ("Lets a user list, create, overwrite, and delete objects in a bucket".)
Now the problem is that, the access token could be abused by someone to possibly delete all photos in GCS.
It would be much better if GCS distinguishes between "WRITER", "delete permission".
It would be possible to use the provided OAuth2.0 Authentication [2], but it seems that it can be used only with Google Accounts in GCS.
Could anyone give me an advice how to solve my problem ? Or maybe help me in finding another way how I could upload photos into GCS.
I was thinking of a possibility to create a separate bucket for each user, but then I need to create a service account for each user and I still haven't found any possibility how to do that programmatically (if at all possible).
Thank you for your help!
