# Config Connector IAM binding: lets the GKE Workload Identity principal for
# Kubernetes service account "bff-sa" in namespace "edge-backend" act as the
# Google service account "bff-sa".
# ${cluster_uuid} and ${gcp_project_id} are filled in by the templating step
# before this manifest is applied.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  # No metadata.namespace is set, so the object is created in whichever
  # namespace the applying tool selects.
  name: "${cluster_uuid}-bff-sa-workload-id"
spec:
  # The grant is attached to one IAMServiceAccount rather than to the project,
  # so it covers impersonation of this single account only.
  # NOTE(review): namespace here presumably locates the IAMServiceAccount
  # object inside the cluster; confirm it is managed in edge-backend.
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    name: bff-sa
    namespace: edge-backend
  role: roles/iam.workloadIdentityUser
  # Principal format: PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME].
  # Quoted because the value is templated and contains ':' and '['.
  # The principal is keyed on namespace and service-account name only, so any
  # workload allowed to run as edge-backend/bff-sa obtains this Google
  # identity; RBAC on that namespace is the effective access control.
  # NOTE(review): clusters sharing the same workload identity pool resolve the
  # same namespace/name pair to the same principal; confirm that is intended.
  # NOTE(review): the matching iam.gke.io/gcp-service-account annotation on
  # the Kubernetes service account is not part of this manifest; verify it.
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[edge-backend/bff-sa]"