Google Cloud Storage - What is the best way to let a customer upload data to their own bucket?

We would like to let a customer upload their docs to a bucket they have exclusive access to. We have considered:

1. A service account: we send them the json file and we set up their bucket so that that service account can access it.
2. A signed url with write auths: more complex to set-up, customers would hit an endpoint, get a signed url each time, and they can use it to POST
3. A custom account: could we create a legit google cloud account for them with super-narrow permissions?

We don't know what's the recommended go-to solution for that problem.

We have started implementing a service account, but we fear privilege escalation

Typically, they would be uploading data to the bucket using one of the available SDKs

Posting this as a community wiki so that others can benefit from it.
<hr>
As mentioned by @John Hanley:

> If they are using the SDK, you can add their email address to the bucket's IAM and they can authenticate using gcloud auth application-default login. Review how Google Cloud ADC works
<hr>
Reference:

• Gcloud Auth Application-Default Login
• Set up Application Default Credentials

Everything that you store in Cloud Storage must be contained in a bucket. You can use buckets to organize your data and control access to your data.
Learn more how to work with storage buckets in GCP https://googlecloudtutorials.com/google-cloud-storage-free/.

Once storage bucket is ready data objects and files can be uploaded.
Object can be accessed and modified using Authenticated URL.