Your organization needs to allow public web applications to upload files to a Cloud Storage...

For external applications (outside of Google Cloud) to access resources securely, Workload Identity Federation (WIF) is the modern standard.3 It avoids the use of permanent service account keys and relies on external identity providers (OIDC or SAML) to exchange short-lived Google Cloud tokens.

According to Google Cloud Documentation (Workload Identity Federation):

"You can use Workload Identity Federation to grant on-premises or multi-cloud workloads access to Google Cloud resources without using a service account key. This reduces the risk associated with long-lived service account keys and simplifies the implementation of security best practices."

Key points:

It allows external identities (from AWS, Azure, or OIDC/SAML providers) to assume a Google IAM role.

The access is short-lived and scoped to specifically what the application needs (e.g., storage.objects.create).

Why other options are incorrect:

A is incorrect: Long-lived service account keys are a security liability.

B is incorrect: While a proxy works, it adds architectural complexity and overhead compared to direct federation.

C is incorrect: IP-based ACLs are weak because IPs can be spoofed or changed, and Cloud Storage ACLs do not provide robust identity-based security for public-facing apps.