Cloud Integration · Portfolio / 2026

Stitching scattered clouds into pipelines that run themselves.

Five real-world cloud integration cases. From bootstrapping a company-level Organization, to running production B2B systems across five clouds, to OAuth-driven cross-platform automation, API-powered application stacks, and Service Account Impersonation for multi-tenant identity isolation. Every architecture below is shipped and running.

Client identities are abstracted into scenario categories. Platform names are kept to convey the integration scope. Technical details unfold case by case in consultations.

N° 01
Company-Level Cloud Architecture

Cloud Identity & Organization Bootstrap · organization

Building a company-level cloud organization and identity layer to enable multi-client resource isolation.

When a one-person consultancy serves multiple clients, mixing all cloud resources under a single project leads to IAM sprawl, accidental deletions, and audit blind spots. Bootstrapped a company-level Organization with a 4-tier folder hierarchy (personal / clients / archive / sandbox) so every client's cloud resources inherit IAM policies once at the folder level. New client onboarding time drops from hours to minutes.

  • Folder Hierarchy: 4 tiers (Personal / Clients / Archive / Sandbox)
  • Cloud Identity Seats: 50 (Free Edition, smooth upgrade path)
  • IAM Set Once: Inherited (New client projects inherit org policy)
  • Accidental Deletions: 0 (Pre-delete dependency check SOP enforced)
Platforms / Stack
GCP Cloud Identity, GCP Organization, IAM, Resource Manager
Before
  • All cloud resources scattered under personal account, no company-level structure
  • Setting up IAM for new clients meant clicking through the same screens every time
  • Old projects piled up because no one knew what was still in use
  • Audits couldn't answer 'which resources belong to which client'
  • OAuth clients and Service Accounts spread everywhere, rotation infeasible
After
  • Company-level Organization activated, all resources under unified management
  • 4-tier folder structure isolates clients, IAM inherits at folder level
  • New client projects automatically inherit org policy when placed in folder
  • Service Account Dependency Check SOP enforced before any project deletion
  • Cloud Identity Free with 50 seats, smooth path to paid edition
N° 02
Production Multi-Cloud System

Five-Cloud B2B Replenishment System · production

Stitching five cloud services together into a stable production pipeline.

Upgrading a traditional food wholesaler from phone-based ordering to LINE-native self-service requires more than one cloud vendor. Customer-facing UI runs on LINE LIFF (deployed to Vercel), API on Supabase Edge Functions, automation on n8n (exposed via Cloudflare Tunnel from local Docker), order sync to Google Sheets, push notifications via LINE Cloud. An outbox pattern plus scheduled cron ensures any cloud-side hiccup is automatically recovered.

  • Concurrent Integration: 5 clouds (Vercel / Supabase / n8n / GCP / Cloudflare)
  • Daily Order Volume: Stable (Outbox-pattern cross-cloud retry)
  • Incident MTTR Cap: < 80 min (Three-layer redundancy: webhook + 10min + hourly cron)
  • Lost Customer Orders: 0 (Backend failures auto-recovered by retry queue)
Platforms / Stack
Vercel, Supabase Edge Functions, n8n on Docker, Cloudflare Tunnel, Google Sheets API, LINE Cloud
Before
  • Single-host n8n with no failover, one outage took the whole pipeline down
  • Failed webhooks silently dropped orders without business owner awareness
  • Local Docker services had no way to receive cloud API calls
  • Failed Google Sheets writes meant orders were lost forever
  • No traceable retry log when incidents occurred
After
  • Five-cloud architecture with fallback at every layer
  • Outbox pattern routes every order through a tracked retry queue
  • Cloudflare Tunnel safely exposes local services to the cloud
  • Three-layer cron schedule, any tier failing is caught by the other two
  • Error Workflow auto-alerts via LINE and rewrites orders into the retry queue
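
The outbox-plus-cron recovery described in this case, as an added sketch that is not the production code behind this portfolio. The SQLite schema, `MAX_ATTEMPTS`, and the `FlakySheet` stand-in for the Google Sheets write are assumptions made for illustration.

```python
import sqlite3

MAX_ATTEMPTS = 5  # assumed cap before a row is parked as 'dead' for manual review

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (id TEXT PRIMARY KEY, payload TEXT NOT NULL);
        CREATE TABLE outbox (order_id TEXT PRIMARY KEY REFERENCES orders(id),
            status TEXT NOT NULL DEFAULT 'pending',
            attempts INTEGER NOT NULL DEFAULT 0, last_error TEXT);""")
    return db

def place_order(db, order_id, payload):
    """Order and outbox rows commit in one transaction: no untracked orders."""
    with db:
        db.execute("INSERT INTO orders VALUES (?, ?)", (order_id, payload))
        db.execute("INSERT INTO outbox (order_id) VALUES (?)", (order_id,))

def sweep(db, deliver):
    """One cron pass: retry every pending row and record the outcome."""
    pending = db.execute(
        "SELECT o.id, o.payload, b.attempts FROM outbox b JOIN orders o "
        "ON o.id = b.order_id WHERE b.status = 'pending' ORDER BY o.id").fetchall()
    for order_id, payload, attempts in pending:
        try:
            deliver(order_id, payload)  # sink must be idempotent on order_id
            status, error = "sent", None
        except Exception as exc:  # any sink failure keeps the order in the queue
            error = str(exc)
            status = "dead" if attempts + 1 >= MAX_ATTEMPTS else "pending"
        with db:
            db.execute("UPDATE outbox SET status = ?, last_error = ?, "
                       "attempts = attempts + 1 WHERE order_id = ?",
                       (status, error, order_id))
    return dict(db.execute("SELECT status, COUNT(*) FROM outbox GROUP BY status"))

class FlakySheet:
    """Constructed stand-in for the Sheets write; fails the first N calls."""
    def __init__(self, fail_first):
        self.fail_first, self.calls, self.rows = fail_first, 0, {}
    def __call__(self, order_id, payload):
        self.calls += 1
        if self.calls <= self.fail_first:
            raise ConnectionError("sheets write timed out")
        self.rows[order_id] = payload  # keyed upsert, so a redelivery cannot duplicate
```

With two orders placed and `FlakySheet(fail_first=2)` as the sink, the first `sweep` leaves both rows `pending` with the error recorded, and the second marks both `sent`.
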
N° 03
OAuth-Driven Cross-Cloud Automation

SEO Automation Pipeline · automation

Three cloud platforms, one Python script, 30 seconds to replace a 30-minute manual process.

Adding a domain to Google Search Console with full verification, DNS validation, propagation polling, and redirect setup typically takes 30+ minutes of manual clicking across five UIs. A single Python script chains GCP Search Console API, edge-platform DNS API, and managed-platform redirect config. OAuth refresh tokens live in the OS Keychain, and the entire pipeline finishes in 30 seconds.

  • Speed Improvement: 60× (From 30 minutes manual to 30 seconds automated)
  • Chained API Calls: 3 platforms (GCP / Edge DNS / Managed Hosting)
  • Zero Secret Leakage: Keychain (Refresh tokens stored in OS keyring)
  • Client Deployments: Reusable (Same script runs for every client website)
Platforms / Stack
GCP Search Console API, GCP Site Verification API, OAuth 2.0, Cloudflare DNS API, Vercel API, macOS Keychain
Before
  • Every new domain required clicking through 5 GSC screens manually
  • TXT records had to be pasted into DNS console by hand, easy to mistype
  • No way to know if DNS propagated, just guess and retry the verification button
  • Redirect rules had to be configured separately on DNS and hosting platform
  • Re-running the process for new client sites meant doing everything from scratch
After
  • A single Python script owns the entire pipeline end to end
  • OAuth refresh token stored in Keychain, AI agents can act on user's behalf
  • DNS polling auto-detects propagation completion before continuing
  • 30 seconds to complete verification + redirect config in one shot
  • Same script applies to every client domain in the future
N° 04
API + OAuth Application Stack

Automated Inbox Classification System · inbox

Compressing 4,500+ chaotic emails into 5 focused work zones, saving 30 minutes of inbox triage daily.

70% of a typical consultant's inbox is newsletter, SaaS notification, and banking noise. Cold outreach and production alerts get buried in the flood. Designed an enterprise-grade classification system on top of Gmail API + OAuth 2.0 with four idempotent Python scripts covering label creation, filter rules, sender scanning, and historical email backfill, all safe to re-run.

  • Original Inbox Chaos: 4,500+ (70% newsletter / notification noise)
  • Filter Classifications: 11 rules (Client alerts / cold outreach / billing / recruiter)
  • Emails Backfilled: 5,144 (Idempotent script with zero side effects)
  • Daily Time Saved: 30 min (Important messages float automatically to top)
Platforms / Stack
GCP Gmail API, OAuth 2.0, macOS Keychain, Python idempotent scripts, Gmail Multiple Inboxes
Before
  • 4,500+ emails mixed together, 30 minutes daily just scanning
  • Important cold outreach and production alerts buried in noise
  • Newsletters and SaaS notifications mixed in the same timeline as client emails
  • Manual sorting required daily repetitive labor
  • API keys hard-coded in scripts, high git leak risk
After
  • 11 filter rules auto-classify into 7 semantic labels
  • 5 Multiple Inboxes panes surface high-priority messages instantly
  • 4 Python scripts safe to re-run N times with zero side effects
  • OAuth scope minimization, only essential permissions granted
  • Refresh token stored in Keychain, secrets never enter git history
N° 05
Multi-Client Identity Isolation

Service Account Impersonation Architecture · identity

Personal accounts borrow short-lived tokens to operate client resources, eliminating long-lived SA key sprawl.

The naive way for a consultant to automate work across multiple clients is downloading Service Account JSON keys and storing them locally. One leak compromises everything permanently. Adopted Service Account Impersonation: the personal account uses the IAM Token Creator role to mint short-lived access tokens, every API call is audit-logged, and tokens auto-expire. Clients only need to grant the SA email read access to their Sheets, no public sharing required.

  • Active Deployments: 5 clients (Multi-client shared architecture)
  • Long-Lived Keys: 0 (Short tokens auto-expire)
  • Per-Call Logging: Audited (Full trail in Cloud Audit Logs)
  • Permission Pull: Revocable (IAM role removal takes effect immediately)
Platforms / Stack
GCP IAM, Service Account Impersonation, IAM Token Creator, Cloud Audit Logs, Google Sheets API
Before
  • Service Account JSON keys downloaded locally, scattered across multiple machines
  • Any leaked key meant permanent compromise, rotation impractical
  • Sharing client Sheets with SA email effectively semi-publicized them
  • Operation logs scattered across each client's Workspace, hard to audit
  • End of engagement left unclear which keys were still active
After
  • Personal account impersonates SA to mint 1-hour short-lived tokens
  • Tokens auto-expire, no manual rotation needed
  • Every API call captured in Cloud Audit Logs, fully traceable
  • Revoking IAM Token Creator role pulls all permissions instantly
  • Architecture deployed across 5 client Sheets automation cases
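
One way to check the "0 long-lived keys" and "every call traceable" claims from exported audit entries, as an added example that is not code from this portfolio. The entries are constructed, the e-mail addresses, `example.googleapis.com` and `Example.Read` are placeholders, and the rule that every service-account call must carry delegation info is an assumption that fits a laptop-driven setup like the one described here.

```python
def entry(service, method, principal, **auth_extra):
    """Build a constructed entry shaped like a Cloud Audit Logs protoPayload."""
    return {"protoPayload": {"serviceName": service, "methodName": method,
            "authenticationInfo": {"principalEmail": principal, **auth_extra}}}

SA = "sheets-reader@client-a.iam.gserviceaccount.com"  # constructed
ME = "consultant@example.com"                          # constructed
KEY = ("//iam.googleapis.com/projects/client-a/serviceAccounts/"
       + SA + "/keys/KEY_ID_PLACEHOLDER")
SAMPLE = [
    entry("iamcredentials.googleapis.com", "GenerateAccessToken", ME),
    entry("example.googleapis.com", "Example.Read", SA,
          serviceAccountDelegationInfo=[{"firstPartyPrincipal": {"principalEmail": ME}}]),
    entry("example.googleapis.com", "Example.Read", SA, serviceAccountKeyName=KEY),
    entry("iamcredentials.googleapis.com", "GenerateAccessToken", "intern@example.com"),
    entry("example.googleapis.com", "Example.Read", SA),
]

def delegators(auth):
    """First-party principals recorded behind an impersonated call."""
    return [d["firstPartyPrincipal"]["principalEmail"]
            for d in auth.get("serviceAccountDelegationInfo", [])
            if "firstPartyPrincipal" in d]

def review(entries, allowed_minters):
    """Return (finding, principal, detail) for calls that break the design."""
    findings = []
    for e in entries:
        p = e["protoPayload"]
        auth = p.get("authenticationInfo", {})
        who = auth.get("principalEmail", "unknown")
        if auth.get("serviceAccountKeyName"):  # a downloaded JSON key was used
            findings.append(("KEY_AUTH", who, auth["serviceAccountKeyName"]))
        elif (p.get("serviceName") == "iamcredentials.googleapis.com"
              and p.get("methodName") == "GenerateAccessToken"
              and who not in allowed_minters):  # someone else can mint tokens
            findings.append(("UNEXPECTED_MINTER", who, p["methodName"]))
        elif who.endswith(".gserviceaccount.com") and not delegators(auth):
            findings.append(("UNATTRIBUTED_SA_CALL", who, p.get("methodName", "")))
    return findings
```

Running `review(SAMPLE, {ME})` leaves the consultant's own token mint and the delegated call unflagged and reports the key-authenticated call, the unexpected minter, and the service-account call with no human behind it.
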
Capability Summary

Cross-platform AI applications and task flow integration

Cloud Platforms
  • GCP (Cloud Identity / Organization / IAM / Cloud Run / Workspace APIs)
  • Cloudflare (Tunnel / DNS API / Workers / R2)
  • Vercel (Next.js deployment / Cron / Edge Functions)
  • Supabase (PostgreSQL / Edge Functions / RLS / Auth)
  • LINE Cloud (Messaging API / LIFF)
Integration Patterns
  • OAuth 2.0 with secure refresh token storage
  • Service Account Impersonation for multi-tenant identity isolation
  • Outbox pattern for cross-cloud event recovery
  • Webhook + scheduled cron dual redundancy
  • Idempotent script design with chained API calls