
Offer an easy and secure way to add additional service accounts for bucket access #909

Open
nkemnitz opened this issue Feb 19, 2025 · 3 comments

Comments

@nkemnitz
Collaborator

Sometimes we need to access service accounts and buckets not managed by us. Back in SEAMLeSS days, we would add these as secrets to the cluster and mount them in the deployment so that CloudFiles/CloudVolume would pick the correct credentials for each bucket.

Now that this is hardcoded, things are a bit more difficult. Or maybe there is another, even better way?

@supersergiy
Member

Now the access is managed through the account used for gcloud auth application-default login. Instead of adding additional service accounts, we should just give the users access to those buckets.

@nkemnitz
Collaborator Author

In this particular case, the destination bucket was not one of ours and write access only tolerated using the provided service account.
gcloud auth application-default login --impersonate-service-account SERVICE_ACCT_EMAIL might work, though... at least as long as I don't need to access a third bucket in the same zutils task with yet another service account.
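How the per-bucket credential pick-up from the first comment, and the one-identity limit of `--impersonate-service-account` from this one, can be modelled. This is an added example, not code from this project, CloudFiles or CloudVolume; the `<bucket>-google-secret.json` file naming, the secrets directory and the sample key file are assumptions constructed here.

```python
import os
import tempfile
from urllib.parse import urlparse

# Sentinel meaning "no key file found, use gcloud Application Default
# Credentials" (the user account, or one impersonated service account).
ADC = "application-default"

def bucket_of(path: str) -> str:
    """Return the bucket name of a gs:// path, or '' for anything else."""
    parsed = urlparse(path)
    return parsed.netloc if parsed.scheme == "gs" else ""

def resolve_credential(path: str, secrets_dir: str) -> str:
    """Pick the credential to use for one gs:// path.
    Lookup order (an assumed convention for mounted secrets, not the
    library's own):
      1. <secrets_dir>/<bucket>-google-secret.json  bucket-specific key
      2. <secrets_dir>/google-secret.json           cluster-wide key
      3. ADC                                        gcloud login identity
    """
    candidates = []
    bucket = bucket_of(path)
    if bucket:
        candidates.append(os.path.join(secrets_dir, f"{bucket}-google-secret.json"))
    candidates.append(os.path.join(secrets_dir, "google-secret.json"))
    for candidate in candidates:
        if os.path.isfile(candidate):
            return candidate
    return ADC

def identities_needed(paths, secrets_dir: str) -> list:
    """Distinct credentials a task touching `paths` needs. More than one
    cannot be served by a single --impersonate-service-account login."""
    return sorted({resolve_credential(p, secrets_dir) for p in paths})

def make_sample_secrets() -> str:
    """Constructed sample: a secrets dir holding only a key for the
    partner's bucket, as a mounted Kubernetes secret would provide."""
    secrets_dir = tempfile.mkdtemp(prefix="secrets-")
    key_path = os.path.join(secrets_dir, "partner-bucket-google-secret.json")
    with open(key_path, "w") as f:
        f.write('{"type": "service_account", "client_email": "PLACEHOLDER"}\n')
    return secrets_dir

SAMPLE_DIR = make_sample_secrets()
```

A task whose paths resolve to more than one credential is exactly the "third bucket with yet another service account" case that a single impersonated login cannot cover.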

@supersergiy
Member

Is this because the client communicated access to us by giving a service account? Could we change the protocol to be such that they have to grant our users permission to the bucket instead?
