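---
# Config Connector manifests for the bannerctl service account and the IAM
# roles bound to it. The ${cluster_hash}, ${gcp_project_id} and
# ${tenants_gcp_folder_id} placeholders are presumably filled in by a
# templating step before these documents are applied.
#
# Every binding below grants to the same principal:
#   bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
# Bindings at Project or Folder level are inherited by every resource under
# that node, so each one should be read as a grant over the whole subtree.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: bannerctl
spec:
  displayName: bannerctl
  resourceID: bannerctl-${cluster_hash}
---
# Project-level read access to secret payloads in ${gcp_project_id}.
# NOTE(review): bannerctl-foreman-admin (last document) binds
# roles/secretmanager.admin on the same project, which already covers this
# role. Either this binding is redundant or the admin binding is broader
# than needed; confirm which one reflects the intended privilege.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-foreman-secretaccessor
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/secretmanager.secretAccessor
---
# Project-level read access to secret metadata in ${gcp_project_id}.
# NOTE(review): also covered by the roles/secretmanager.admin binding on the
# same project in the last document.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-foreman-secretviewer
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    external: projects/${gcp_project_id}
  role: roles/secretmanager.viewer
---
# Folder-level Secret Manager admin on the tenants folder: full control of
# secrets, including their IAM policies, in every project under that folder.
# NOTE(review): confirm that folder-wide admin is required; per-secret
# bindings or an IAM condition on this member would narrow the blast radius
# of a leaked bannerctl credential.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-banners-secretadmin
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted so that a value rendering to digits only stays a string instead
    # of being typed as an integer by the YAML parser.
    external: "${tenants_gcp_folder_id}"
  role: roles/secretmanager.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-metrics-scopes-admin-banners
  annotations:
    description: Provides ability to manage metrics scopes for banner projects.
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted for the same reason as in bannerctl-banners-secretadmin.
    external: "${tenants_gcp_folder_id}"
  role: roles/monitoring.metricsScopesAdmin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-metrics-scopes-admin-foreman
  annotations:
    description: Provides ability to set up monitored projects for Foreman.
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # NOTE(review): every other Project reference in this file is written
    # as projects/${gcp_project_id}; this one omits the "projects/" prefix.
    # The value is left as the author wrote it because resourceRef appears
    # to be immutable once the binding exists, so normalising it may require
    # recreating the resource. Confirm the binding reconciles as intended.
    external: "${gcp_project_id}"
  role: roles/monitoring.metricsScopesAdmin
---
# Project-level Cloud KMS admin: manages key rings, keys and their IAM
# policies in ${gcp_project_id}.
# NOTE(review): together with the cryptoOperator binding in the next
# document, the same identity both administers the keys and performs
# cryptographic operations with them, so there is no separation of duties
# for key material in this project. Confirm this is intended, and consider
# scoping one of the two roles to specific key rings or keys.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-encryption-infra-admin
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/cloudkms.admin
---
# Project-level permission to perform cryptographic operations with the
# keys in ${gcp_project_id}; see the separation-of-duties note on
# bannerctl-encryption-infra-admin.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-encryption-infra-operator
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/cloudkms.cryptoOperator
---
# Project-level Secret Manager admin on ${gcp_project_id}. This is the
# broadest Secret Manager grant in the file and makes the secretAccessor and
# secretviewer bindings above redundant while it is present.
# NOTE(review): if bannerctl only reads secrets in this project, drop this
# binding and keep the two narrower ones. If admin is required, make sure
# Data Access audit logging is enabled for Secret Manager so that reads of
# secret payloads by this service account are recorded.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: bannerctl-foreman-admin
spec:
  member: serviceAccount:bannerctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: projects/${gcp_project_id}
  role: roles/secretmanager.admin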