
Background:

We are developing a multi-tenant application in Google Cloud Platform (GCP). Identity Platform setup with multi-tenancy is working great for end-users who are authenticated by Google Cloud API Gateway, using firebase.

All requests to "tenant aware" endpoints must have a TENANT_ID header present and the value must match the authenticated user's firebase.tenant claim. So this is where the backend application (on Cloud Run) identifies which tenant the user is operating on behalf of and can access data only for that tenant.

The problem:

But now we would like to grant our customers' backend applications access to our system and data on behalf of that tenant, so that they can integrate our system into theirs in a smooth way. Our customers can then fetch their data stored in our system and use it and display it in their own applications.

Since our customers' applications do not really represent actual users, but the tenant itself, we cannot use (I think) Identity Platform's multi-tenancy mechanisms.

We could create service accounts, one for each customer, but that would generate a lot of service accounts and the API Gateway configuration must then include a security description for each of these customer service accounts. Also, how can such a service account be bound to a specific tenant and how do we authenticate and authorise the tenant service account?

What should we do in this situation?
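As an added example (not code from the question or from Google), here is the tenant check the question describes, as it would run in the Cloud Run backend: it assumes API Gateway forwards the verified JWT payload to the backend as base64url-encoded JSON in the X-Apigateway-Api-Userinfo header, reads the firebase.tenant claim from it, and rejects any request whose TENANT_ID header does not match. The sample claims and header values are constructed.

```python
import base64
import hmac
import json
from typing import Mapping, Optional

# Assumption: API Gateway forwards the verified JWT payload in this header
# (base64url JSON, usually without '=' padding) after it has checked the signature.
USERINFO_HEADER = "X-Apigateway-Api-Userinfo"
TENANT_HEADER = "TENANT_ID"


def _header(headers: Mapping[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, since proxies may change header casing."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower())


def decode_userinfo(value: str) -> dict:
    """Decode the base64url JWT payload; restore padding the gateway strips."""
    padded = value + "=" * (-len(value) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def tenant_from_claims(claims: Mapping) -> Optional[str]:
    """Return the Identity Platform tenant id (firebase.tenant) or None."""
    firebase = claims.get("firebase")
    if not isinstance(firebase, dict):
        return None
    tenant = firebase.get("tenant")
    return tenant if isinstance(tenant, str) and tenant else None


def resolve_tenant(headers: Mapping[str, str]) -> Optional[str]:
    """Tenant the request may act for, or None if the backend must answer 403.

    Only the tenant from the verified token is trusted; the TENANT_ID header
    is a claim by the caller and must agree with it.
    """
    userinfo = _header(headers, USERINFO_HEADER)
    requested = _header(headers, TENANT_HEADER)
    if not userinfo or not requested:
        return None
    try:
        claims = decode_userinfo(userinfo)
    except ValueError:  # bad base64 or bad JSON
        return None
    actual = tenant_from_claims(claims)
    if actual is None or not hmac.compare_digest(actual.encode(), requested.encode()):
        return None
    return actual


def encode_userinfo(claims: dict) -> str:
    """Constructed test helper: build a header value the way the gateway would."""
    return base64.urlsafe_b64encode(json.dumps(claims).encode()).decode().rstrip("=")
```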
