apiVersion: iam.cnrm.cloud.google.com/v1beta1 # bind service account to GKE workload identity SA
kind: IAMPolicyMember
metadata:
  name: ${cluster_uuid}-auth-proxy-sa-workload-id
  namespace: auth-proxy
spec:
  member: serviceAccount:${gcp_project_id}.svc.id.goog[auth-proxy/auth-proxy-sa]
  resourceRef:
    name: authproxy
    namespace: auth-proxy
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser