@User Hi Jackie, I have a few more questions for you before I embark on the great Upgrading of the google configuration. My boss asked this set of questions and I was hoping to have a dialogue with you before I scoped work out for the upgrade.
Our company has many projects that we'd like to keep mutually exclusive for the sake of customer privacy.
Have you any quickish/obvious/metaflow centric ideas/solutions to the following authn/authz problems?
1. How do I ensure user A who can only access project Foo, cannot see anything user B submitted to project Bar
a. Both in metaflow UI and via metaflow api client
2. How do I ensure no single user can explode cloud bill
3. How do I grant direct access to kubernetes (gcloud container clusters get-credentials) without allowing user A to SSH into a pod running work in project Bar and e.g. run gsutil -m cp -r gs://project-bar/* gs://project-foo/
4. How do we tie all actions that touch sensitive data back to IAM identities managed in terraform