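# Google service account used as the member of most IAMPolicyMember documents
# in this file (chariot2-${cluster_hash}@${gcp_project_id}).
# NOTE(review): one identity carries all of those grants, so any workload that
# can act as this account holds the union of them. How workloads obtain its
# credentials is not shown here.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: chariot2
spec:
  displayName: chariot2
  # Account ID in GCP; ${cluster_hash} is a placeholder substituted before
  # apply (the templating step is not shown here).
  resourceID: chariot2-${cluster_hash}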
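---
# Grants the chariot2 service account roles/storage.objectAdmin on the tenants
# folder.
# NOTE(review): a folder-level binding is inherited by every project under the
# folder, so this account can read, overwrite and delete objects in all of
# their buckets. If only specific buckets are needed, bind on those buckets
# (resourceRef kind StorageBucket) or add a spec.condition. Confirm intent.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-banners-storage
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted so an all-digit folder ID stays a string after substitution.
    external: "${tenants_gcp_folder_id}"
  role: roles/storage.objectAdmin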
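---
# Grants the chariot2 service account roles/storage.objectAdmin on the whole
# project.
# NOTE(review): project scope covers every bucket in ${gcp_project_id},
# including any that hold logs, state or backups. Prefer a binding on the
# specific StorageBucket objects this service uses, or a spec.condition that
# limits the resource name. Confirm which buckets are actually needed.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-storage
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # Quoted so an empty expansion cannot turn into a YAML null.
    external: "${gcp_project_id}"
  role: roles/storage.objectAdmin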
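---
# Lets the Pub/Sub service agent of the project
# (service-${gcp_project_number}@gcp-sa-pubsub) publish to the
# chariot-rides-deadletter topic. The grant is scoped to that single topic
# rather than to the project.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot-rides-deadletter-publisher-policy
spec:
  member: serviceAccount:service-${gcp_project_number}@gcp-sa-pubsub.iam.gserviceaccount.com
  resourceRef:
    # Refers to a PubSubTopic object by name; that object is not defined in
    # this listing.
    name: chariot-rides-deadletter
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
  role: roles/pubsub.publisher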
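---
# Lets the Pub/Sub service agent of the project
# (service-${gcp_project_number}@gcp-sa-pubsub) act as a subscriber on the
# chariot-sub subscription only. Going by the object name, this is the
# subscription-side half of a dead-letter setup. Confirm against the
# subscription's deadLetterPolicy, which is not shown here.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot-sub-deadletter-subscriber-policy
spec:
  member: serviceAccount:service-${gcp_project_number}@gcp-sa-pubsub.iam.gserviceaccount.com
  resourceRef:
    # Refers to a PubSubSubscription object by name; that object is not
    # defined in this listing.
    name: chariot-sub
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubSubscription
  role: roles/pubsub.subscriber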
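---
# Grants the chariot2 service account roles/pubsub.subscriber on the whole
# project.
# NOTE(review): at project scope the account can consume from every
# subscription in ${gcp_project_id}, not only its own. The service-agent
# binding on chariot-sub in this file shows the narrower form: a resourceRef
# to one PubSubSubscription. Confirm which subscriptions are needed.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-pubsubsub
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # Quoted so an empty expansion cannot turn into a YAML null.
    external: "${gcp_project_id}"
  role: roles/pubsub.subscriber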
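---
# Grants the chariot2 service account roles/pubsub.viewer on the whole
# project.
# NOTE(review): read-only, but project-wide: the account can list every topic
# and subscription in ${gcp_project_id}. Acceptable if the service discovers
# resources at runtime; otherwise scope to the resources it uses.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-pubsubview
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # Quoted so an empty expansion cannot turn into a YAML null.
    external: "${gcp_project_id}"
  role: roles/pubsub.viewer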
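---
# Grants the chariot2 service account roles/pubsub.publisher on the whole
# project.
# NOTE(review): at project scope the account can publish to every topic in
# ${gcp_project_id}, so consumers of unrelated topics also receive whatever
# this identity sends. The service-agent binding on chariot-rides-deadletter
# in this file shows the narrower form: a resourceRef to one PubSubTopic.
# Confirm which topics are needed.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-foreman-pubsubpub
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # Quoted so an empty expansion cannot turn into a YAML null.
    external: "${gcp_project_id}"
  role: roles/pubsub.publisher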
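---
# Grants the chariot2 service account roles/pubsub.publisher on the tenants
# folder.
# NOTE(review): a folder-level binding is inherited by every project under the
# folder, so this one account can publish to any topic of any tenant. If
# tenants are meant to be isolated from each other, bind per tenant project or
# per topic instead. Confirm intent.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-edge-agent-tenants-pubsubpub
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted so an all-digit folder ID stays a string after substitution.
    external: "${tenants_gcp_folder_id}"
  role: roles/pubsub.publisher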
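---
# Grants the chariot2 service account roles/pubsub.viewer on the tenants
# folder.
# NOTE(review): read-only, but inherited by every project under the folder,
# so the account can enumerate the topics and subscriptions of all tenants.
# Confirm that cross-tenant visibility is intended.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: chariot2-edge-agent-tenants-pubsubview
spec:
  member: serviceAccount:chariot2-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Folder
    # Quoted so an all-digit folder ID stays a string after substitution.
    external: "${tenants_gcp_folder_id}"
  role: roles/pubsub.viewer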