> You can access data from your users' Google Cloud projects by creating a service account to represent your service, and then having your customers grant that service account appropriate access to their cloud data using IAM policies. Note that you might want to create a service account per customer if you need to avoid confused deputy problems.
If you look at most SaaS services, they rarely use a service account per customer.
IMO it's no different than any part of your own services where you need to handle multiple customers.
Creating multiple service accounts is just overhead.
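The confused-deputy case the quoted Google text warns about, as an added toy example written for this thread (not code from the thread or from Google). Real GCP IAM and the Storage API are stood in for by a tiny `IamPolicy` class; the service account e-mail addresses, bucket names and the provider's tenant registry are all constructed. Customer A asks the provider to read a bucket that belongs to customer B: with one shared service account the customer-side IAM check passes, because B did grant that account; with a per-customer account it fails without the provider needing any extra logic. A third variant shows the "handle it in your own service" approach from the reply above, where the shared account stays but the provider checks tenant ownership itself.

```python
from dataclasses import dataclass, field


class Denied(Exception):
    """Raised when an IAM check (or the provider's own tenant check) fails."""


@dataclass
class IamPolicy:
    """Minimal stand-in for customer-project IAM: resource -> principals allowed to read it."""
    bindings: dict[str, set[str]] = field(default_factory=dict)

    def grant(self, resource: str, principal: str) -> None:
        self.bindings.setdefault(resource, set()).add(principal)

    def check(self, resource: str, principal: str) -> bool:
        if principal not in self.bindings.get(resource, set()):
            raise Denied(f"{principal} may not read {resource}")
        return True


# Hypothetical service-account identities for the SaaS provider.
SHARED_SA = "saas@provider.iam.gserviceaccount.com"
PER_TENANT_SA = {
    "customer-a": "saas-customer-a@provider.iam.gserviceaccount.com",
    "customer-b": "saas-customer-b@provider.iam.gserviceaccount.com",
}

# Which bucket each tenant registered with the provider (provider-side state, constructed).
TENANT_BUCKETS = {"customer-a": {"gs://bucket-a"}, "customer-b": {"gs://bucket-b"}}


def iam_with_shared_sa() -> IamPolicy:
    """Both customers grant the one shared service account."""
    iam = IamPolicy()
    iam.grant("gs://bucket-a", SHARED_SA)
    iam.grant("gs://bucket-b", SHARED_SA)
    return iam


def iam_with_per_tenant_sa() -> IamPolicy:
    """Each customer grants only the service account created for them."""
    iam = IamPolicy()
    iam.grant("gs://bucket-a", PER_TENANT_SA["customer-a"])
    iam.grant("gs://bucket-b", PER_TENANT_SA["customer-b"])
    return iam


def read_shared(iam: IamPolicy, tenant: str, bucket: str) -> bool:
    """Deputy acts as the shared SA for whoever asks; IAM cannot tell tenants apart."""
    return iam.check(bucket, SHARED_SA)


def read_shared_with_tenant_check(iam: IamPolicy, tenant: str, bucket: str) -> bool:
    """Same shared SA, but the provider enforces tenant ownership itself first."""
    if bucket not in TENANT_BUCKETS.get(tenant, set()):
        raise Denied(f"{tenant} did not register {bucket}")
    return iam.check(bucket, SHARED_SA)


def read_per_tenant(iam: IamPolicy, tenant: str, bucket: str) -> bool:
    """Deputy acts as the tenant's own SA, so the customer's IAM policy does the check."""
    return iam.check(bucket, PER_TENANT_SA[tenant])


def attempt(fn, iam: IamPolicy, tenant: str, bucket: str) -> str:
    try:
        fn(iam, tenant, bucket)
        return "allowed"
    except Denied:
        return "denied"


def run_scenarios() -> dict[str, str]:
    """customer-a asks the provider to read its own bucket, then customer-b's bucket."""
    shared, per_tenant = iam_with_shared_sa(), iam_with_per_tenant_sa()
    return {
        "shared/own": attempt(read_shared, shared, "customer-a", "gs://bucket-a"),
        # Confused deputy: the provider's shared identity is trusted by B, so A gets B's data.
        "shared/other": attempt(read_shared, shared, "customer-a", "gs://bucket-b"),
        "shared+check/other": attempt(read_shared_with_tenant_check, shared, "customer-a", "gs://bucket-b"),
        "per-tenant/own": attempt(read_per_tenant, per_tenant, "customer-a", "gs://bucket-a"),
        "per-tenant/other": attempt(read_per_tenant, per_tenant, "customer-a", "gs://bucket-b"),
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20} {outcome}")
```

The difference between the last two variants is where the tenant boundary is enforced: with the shared account it lives in the provider's code (every code path that names a customer resource must remember to check `TENANT_BUCKETS`), while with a per-customer account the customer's own IAM policy enforces it even if the provider's code forgets.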
The text you quoted explains why you wouldn’t want to create a single service account for all customers. It’s a security decision, which yes adds overhead.
I'll note that the overhead is only on the provider side; from the customer's perspective it's all the same. In contrast, OpenID Connect puts overhead onto the customer (in addition to the provider) which I find unfortunate since I want to provide a good experience.