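# Config Connector IAMPolicyMember: grants roles/iam.workloadIdentityUser on
# the Google service account "authproxy" to the Kubernetes service account
# auth-proxy/auth-proxy-sa, so pods running as that KSA can act as the Google
# service account through GKE Workload Identity.
#
# ${cluster_uuid} and ${gcp_project_id} are placeholders filled in by a
# templating step that is not shown here; the values are quoted so an empty
# or unusual expansion still parses as a string.
#
# NOTE(review): the member names the project-wide workload identity pool
# (<project>.svc.id.goog), not a single cluster. Every cluster in the project
# that uses this pool and has an "auth-proxy" namespace with an
# "auth-proxy-sa" service account matches this member, even though the
# resource name below is per-cluster. Confirm that is intended and that
# creation of that namespace/service account is restricted in those clusters.
#
# NOTE(review): the binding alone is not enough; the Kubernetes service
# account is expected to carry the iam.gke.io/gcp-service-account annotation
# pointing at the same Google service account. That manifest is not visible
# here - verify the two agree.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: "${cluster_uuid}-auth-proxy-sa-workload-id"
  namespace: auth-proxy
spec:
  # Principal format: serviceAccount:<project>.svc.id.goog[<namespace>/<ksa>]
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[auth-proxy/auth-proxy-sa]"
  # The resource whose IAM policy is modified: the IAMServiceAccount object
  # named "authproxy" in the auth-proxy namespace.
  resourceRef:
    name: authproxy
    namespace: auth-proxy
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # Keep this to workloadIdentityUser; broader roles on the service account
  # (for example token creation for arbitrary principals) are not needed for
  # Workload Identity.
  role: roles/iam.workloadIdentityUser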