---
# Google service account for bannerctl, declared as a Config Connector
# resource. The IAMPolicyMember documents in this file bind roles to it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: bannerctl
spec:
  displayName: bannerctl
  # ${cluster_hash} is presumably substituted before apply. Service account
  # IDs are capped at 30 characters, which leaves 20 for the hash -- confirm.
  resourceID: "bannerctl-${cluster_hash}"
---
# Project-level grant: lets the bannerctl service account read the payload of
# secrets in ${gcp_project_id}.
# NOTE(review): bannerctl-foreman-admin in this file binds
# roles/secretmanager.admin on the same project to the same account, which
# appears to make this narrower grant redundant -- confirm which is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-foreman-secretaccessor
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/secretmanager.secretAccessor
---
# Project-level grant: lets the bannerctl service account view Secret Manager
# metadata in ${gcp_project_id}.
# NOTE(review): bannerctl-foreman-admin in this file binds
# roles/secretmanager.admin on the same project to the same account, which
# appears to make this narrower grant redundant -- confirm which is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-foreman-secretviewer
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/secretmanager.viewer
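---
# Folder-level grant: full Secret Manager administration, bound to the
# bannerctl service account on the tenants folder.
# NOTE(review): a role bound on a folder is inherited by every project under
# it. If bannerctl only manages its own secrets, an IAM condition or
# per-project bindings would narrow the blast radius -- confirm.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-banners-secretadmin
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted so that a value substituted as bare digits still parses as a
    # string rather than an integer.
    external: "${tenants_gcp_folder_id}"
  role: roles/secretmanager.admin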
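---
# Folder-level grant: lets the bannerctl service account administer Cloud
# Monitoring metrics scopes on the tenants folder.
# A role bound on a folder is inherited by every project under it.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-metrics-scopes-admin-banners
  annotations:
    description: Provides ability to manage metrics scopes for banner projects.
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted so that a value substituted as bare digits still parses as a
    # string rather than an integer.
    external: "${tenants_gcp_folder_id}"
  role: roles/monitoring.metricsScopesAdmin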
---
# Project-level grant: lets the bannerctl service account administer Cloud
# Monitoring metrics scopes on ${gcp_project_id}.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-metrics-scopes-admin-foreman
  annotations:
    description: Provides ability to set up monitored projects for Foreman.
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # NOTE(review): every other Project reference in this file is written as
    # projects/${gcp_project_id}; this one omits the prefix. Confirm both forms
    # resolve to the same project before normalising, since changing the
    # reference on an already-applied resource may be rejected.
    external: "${gcp_project_id}"
  role: roles/monitoring.metricsScopesAdmin
---
# Project-level grant: Cloud KMS administration in ${gcp_project_id}, bound to
# the bannerctl service account.
# NOTE(review): bannerctl-encryption-infra-operator in this file gives the
# same account roles/cloudkms.cryptoOperator on the same project, so key
# administration and key use are held by one identity -- confirm that this
# lack of separation of duties is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-encryption-infra-admin
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/cloudkms.admin
---
# Project-level grant: Cloud KMS cryptographic operations in
# ${gcp_project_id}, bound to the bannerctl service account.
# NOTE(review): the binding covers every key in the project; binding on a
# specific key ring or key would be narrower if bannerctl uses only its own
# keys -- confirm.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-encryption-infra-operator
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/cloudkms.cryptoOperator
---
# Project-level grant: full Secret Manager administration in
# ${gcp_project_id}, bound to the bannerctl service account.
# NOTE(review): this file also binds roles/secretmanager.secretAccessor and
# roles/secretmanager.viewer on the same project to the same account. Keep
# either the admin role or the two narrower ones, whichever matches what
# bannerctl actually needs -- confirm.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-foreman-admin
spec:
  member: "serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "projects/${gcp_project_id}"
  role: roles/secretmanager.admin