Usecase :

I have a GCP setup with :

• multiple Google Kubernetes Engine clusters
• multiple CloudSQL instances
• multiple GCS buckets

Basically, I'd like to give permissions to users with finer granularity than project-wide (ie user A can only access bucket B, but can access CloudSQL instances C and D)

Possible solutions :

For GCS, this is easy and documented.

However, I couldn't find anything similar for the other two. The CloudSQL documentation even seems to say it is not possible (All permissions are applied to the project. You cannot apply different permissions based on the instance or other lower-level object.)

Workarounds explored :

• I tried creating custom IAM roles. I was hoping that there would be some way to filter on objects the role is applied to, in a fashion similar to what AWS IAM allows with its Resource filter. That's apparently not possible here.
• For GKE, I can give every user the Kubernetes Engine Cluster Viewer role (which basically just allows to list clusters and basic info about them, as well as logging on with gcloud cli tool), and then use the Kubernetes RBAC engine to give very fine-grained permissions. This works fine, but doesn't allow the user to use the Google web interface, which is extremely handy, especially for a beginner on k8s.
• Similarly, for CloudSQL, I can give the Cloud SQL Client role, and manage my users directly through the postgres access control system. This works fine, but my users are able to connect to other instances (they still need an account on these instances, of course). Moreover, operations such as restoring a backup cannot be allowed only on specific instances.

So, have I missed something obvious, or have anybody found some way to work around these limitations ?