Currently, when a collaborator uploads data, we generate a service-account on a per dataset level, which makes it hard to track through system logs which collaborator uploads data (and harder to revoke).
We should instead use one account for a collaborator, and add them to managed groups - even if this means we need to add more managed groups with varied permissions. It's fine for this collaborator's SA to be manually created.
A secondary task should involve generating a new service-account JSON for each collaborator, revoking all existing service-account JSONs, and then removing accounts like the -shared-SA and main-upload accounts.
Currently, when a collaborator uploads data, we generate a service-account on a per dataset level, which makes it hard to track through system logs which collaborator uploads data (and harder to revoke).
We should instead use one account for a collaborator, and add them to managed groups - even if this means we need to add more managed groups with varied permissions. It's fine for this collaborator's SA to be manually created.
A secondary task should involve generating a new service-account JSON for each collaborator, revoking all existing service-account JSONs, and then removing accounts like the
-shared-SAandmain-uploadaccounts.