Feature Request: Add Imagery from Private GEE Image Asset Collection

[rohansaw]

Sometimes users have their own Image Asset Collections in GEE, which can not be made publicly available. For this, it would be required that only users within a specific ceo project get access to this image asset collection.

Difficulties:

• Requires authentication with GEE trough a different account than the generic CEO service account, since this account does not have access to the required imagery.

Proposals:

• Option A: Allow users to add their own service accounts with restrictive read permissions when adding new Imagery and then use this account when the specific imagery is requested from authorized users within the project.
• Option B: Add OAuth flow, to allow users to link their own GEE account and then the project admin has to grant these users read permissions for the assets within GEE.
• Option C: Project admins (image asset owners) grant read access to the main CEO google service account. CEO would then internally need to manage access to resources to be scoped to the corresponding project members.

Problems:

• GEE Python API has a global scope and is initialized with specific credentials. Security risk for concurrent requests.
• Possible Mitigation 1: Spawn new processes with own gee init context. To avoid overhead for each request this would most likely require an additional instance caching or making the backend be statefull with user sessions.
• Possible Mitigation 2: If using OAuth, transfer this to the frontend to enable storing the users GEE session there and call GEE directly from the frontend to fetch map tiles etc.

I would be happy to contribute this feature and would like to inquire with the maintainers if this is something they see a need for and see the proposed solution as feasible.