Unfortunately, we don't have write-only ACLs.
2) Getting a token for a service account which is NOT able to list all buckets in the project (what I tried was create a couple of buckets with a "private" ACL and requested a read only token by a service account which was not a project owner - all of the buckets were visible)
This should be doable. Create two projects - one (A) which owns the buckets, and the other (B) is the accessor. Create a service account under B (ServiceAcctB). Now, have an Owner in A add ServiceAcctB to ACLs of the buckets in B with either WRITE or FULL_CONTROL permission (depending on what permissions the service account needs).
ServiceAcctB will be able to list the contents of every bucket, but will not be able to list all the buckets (only owners of A can list the buckets).
3) Being able to use a custom user store and get OAuth tokens for GCS for those users
Not sure what you mean here, so my answer may not be what you're looking for. Your users will have to have Google Accounts. If you have a Google Apps account, you could create email addresses for them and mint tokens for each user using a service account (see the Signed JWT documentation). However, you'd be paying a fee for every user you add under Apps.
Finally, while Signed URLs are experimental, they've been pretty stable and we do intend to continue to support them. We don't have any current plans to make backwards-incompatible changes to them either, and if we do need to, we generally give a heads-up via gs-announce in advance.
Regards,
Navneet