Disclosure: I work in GCP engineering, thoughts are my own and not Google's, etc.
My impression is that Anthos is probably not what you need if your use case is deployment of a managed product into customer GCP projects (or AWS accounts).
Instead, copy the P4SA architecture that GCP uses for managing its own services in your project. Create one service account per customer, and have the customer grant that service account whatever permissions your control plane needs to manage the resources deployed into the customer project.
You can package those permissions into a Role for easier use.
You can see how this works by looking at Google's existing P4SA permissions in one of your cloud projects. They show up in your cloud IAM console if you remove the filter for "Google-Managed Grants".
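The per-customer service-account pattern described in the comment above, as an added example (it is not code from the original post, from Google, or from any vendor mentioned in the thread). The vendor project name "acme-control-plane", customer project "customer-proj", customer id "7f3a" and custom role id "acmeControlPlane" are hypothetical, and the IAM policy document is constructed to look like the JSON that `gcloud projects get-iam-policy PROJECT --format=json` returns. The script builds the per-customer service-account email and custom-role body, emits the commands each side runs, and audits a customer project's policy: it separates Google's own P4SA grants (the ones the console's "Google-managed" filter hides) from the vendor's grant and flags a vendor account that holds a broad role in addition to its custom role.

```python
"""Per-customer control-plane service account (P4SA-style) helper and audit."""
import re

# Google's service agents look like service-<project-number>@gcp-sa-<svc>.iam.gserviceaccount.com;
# older services use other domains (e.g. @container-engine-robot.iam.gserviceaccount.com),
# so match on the "service-<number>@" prefix rather than on one domain.
P4SA_RE = re.compile(r"^serviceAccount:service-\d+@[a-z0-9-]+\.iam\.gserviceaccount\.com$")

# A vendor control plane must never be able to widen its own grant in the customer project.
DENIED_PERMISSIONS = {
    "resourcemanager.projects.setIamPolicy",
    "iam.serviceAccounts.setIamPolicy",
    "iam.roles.create",
    "iam.roles.update",
}
BROAD_ROLES = {"roles/owner", "roles/editor"}
SA_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")  # GCP: 6-30 chars, lowercase


def vendor_sa_email(vendor_project: str, customer_id: str) -> str:
    """One service account per customer, created in the *vendor's* project."""
    account_id = f"cust-{customer_id}"
    if not SA_ID_RE.match(account_id):
        raise ValueError(f"invalid service account id: {account_id}")
    return f"{account_id}@{vendor_project}.iam.gserviceaccount.com"


def custom_role(role_id: str, permissions: list) -> dict:
    """Role body in the shape `gcloud iam roles create ROLE_ID --file=role.yaml` accepts."""
    bad = DENIED_PERMISSIONS & set(permissions)
    if bad:
        raise ValueError(f"role {role_id} must not include {sorted(bad)}")
    return {"title": role_id, "stage": "GA", "includedPermissions": sorted(permissions)}


def setup_commands(vendor_project: str, customer_project: str, customer_id: str, role_id: str) -> dict:
    """Who runs what: the vendor creates the SA, the customer creates the role and grants it."""
    sa = vendor_sa_email(vendor_project, customer_id)
    role = f"projects/{customer_project}/roles/{role_id}"
    return {
        "vendor": [f"gcloud iam service-accounts create cust-{customer_id} --project={vendor_project}"],
        "customer": [
            f"gcloud iam roles create {role_id} --project={customer_project} --file=role.yaml",
            f"gcloud projects add-iam-policy-binding {customer_project} "
            f"--member=serviceAccount:{sa} --role={role}",
        ],
    }


def roles_for(policy: dict, member: str) -> set:
    return {b["role"] for b in policy.get("bindings", []) if member in b.get("members", [])}


def google_managed_grants(policy: dict) -> dict:
    """The P4SA bindings the IAM console hides behind the 'Google-managed' filter."""
    out = {}
    for b in policy.get("bindings", []):
        for m in b.get("members", []):
            if P4SA_RE.match(m):
                out.setdefault(m, set()).add(b["role"])
    return out


def audit_vendor_grant(policy: dict, sa_email: str, expected_role: str) -> list:
    """Findings when the vendor SA is missing, over-privileged, or holds an unexpected role."""
    member = f"serviceAccount:{sa_email}"
    roles = roles_for(policy, member)
    findings = []
    if not roles:
        findings.append(f"{member} has no grant in this project")
    findings += [f"{member} holds broad role {r}" for r in sorted(roles & BROAD_ROLES)]
    findings += [f"{member} holds unexpected role {r}" for r in sorted(roles - BROAD_ROLES - {expected_role})]
    return findings


# Constructed sample policy (not from a real project): two Google P4SAs plus a vendor SA
# that was granted its custom role AND roles/editor, which the audit should catch.
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/owner", "members": ["user:admin@customer.example"]},
        {"role": "roles/container.serviceAgent",
         "members": ["serviceAccount:service-123456789012@container-engine-robot.iam.gserviceaccount.com"]},
        {"role": "roles/gkehub.serviceAgent",
         "members": ["serviceAccount:service-123456789012@gcp-sa-gkehub.iam.gserviceaccount.com"]},
        {"role": "projects/customer-proj/roles/acmeControlPlane",
         "members": ["serviceAccount:cust-7f3a@acme-control-plane.iam.gserviceaccount.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:cust-7f3a@acme-control-plane.iam.gserviceaccount.com"]},
    ],
}

if __name__ == "__main__":
    for side, cmds in setup_commands("acme-control-plane", "customer-proj", "7f3a", "acmeControlPlane").items():
        print(side, *cmds, sep="\n  ")
    print(google_managed_grants(SAMPLE_POLICY))
    print(audit_vendor_grant(SAMPLE_POLICY, vendor_sa_email("acme-control-plane", "7f3a"),
                             "projects/customer-proj/roles/acmeControlPlane"))
```

The custom role is created in the customer's project so the customer, not the vendor, owns and can revoke it; the service account lives in the vendor's project so its keys or workload identity never touch the customer side. Run the audit against `gcloud projects get-iam-policy` output from a real project to check that the only binding the vendor account holds is the one custom role.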
The goal was really to stand up stuff via Config Sync / Config Controller, then hook it into Private Service Connect endpoints which are exposed to the customer's cloud. As far as I know, that's how Elastic and similar companies do it (at least from the developer's angle, we get a provisioned GCP project and/or PSC endpoint).
You're right that we don't need Service Mesh, perhaps most of the Anthos suite, but Config Management from Git is pretty slick (if it only worked as advertised).
Anyway, this is good guidance and I will see if I can wiggle out of Anthos, but that was our intent/understanding in trying it.