I've been asked to lock each chrome device to a small subset of users (end user plus a couple of admins), and currently this appears to require creating 1 OU per device and manual entry of the allowed accounts in the sign-in restrictions attribute for that device. THIS DOES NOT SCALE.
Access to this attribute is not currently exposed in the API.
device management->Chrome management->Device settings->(OU PATH)->sign-in restrictions
No way to automate updating this via the SDK, or am I missing something?
Or is there an easier way to do this without having to touch every single chromebook and/or chromebook entry?
You are correct in your understanding that Chrome settings like this cannot be modified by the Directory API (or any other within the Admin SDK) - there's no Chrome Admin Settings API.
For your use case, you need to have a static group of people allowed to sign in to all devices and then have the specific devices restricted also to their one assigned person. There's really no way to do this beyond the manual process you've detailed.
The automation you could do would be to create the OUs and move the devices into their respective OUs (Directory API for both of these things). Then, at the top OU, set the specific people that always need access. Finally, go into each OU and add the one person assigned to that device.
If this is something you have to have, I'd also suggest putting in a Feature Request to Google via a case with their Support team. The alternative would be to reevaluate why you need to restrict the devices in such a way.