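---
# Config Connector (KCC) IAM resources for the "clusterctl" component.
# The ${cluster_hash}, ${gcp_project_id} and ${foreman_gcp_project_id}
# placeholders are substituted before apply; they are quoted so that an
# empty or number-looking expansion still parses as a string.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: cctl
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  displayName: cctl
  # GCP account ID (the local part of the e-mail), templated with the cluster hash.
  resourceID: "cctl-${cluster_hash}"
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cctl-banners-secretadmin
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: "serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  # NOTE(review): project-wide Secret Manager admin grants this account
  # read/create/delete on every secret in the project, not only its own.
  # If the component needs only specific secrets, prefer per-secret
  # bindings like the secretAccessor grants further down.
  role: roles/secretmanager.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: cctl-gke-admin
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: "serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: "${gcp_project_id}"
  # NOTE(review): project-wide GKE admin; confirm no narrower role
  # (or a binding on the specific cluster) satisfies clusterctl.
  role: roles/container.admin
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: okta-creds-cctl-secret-reader
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  member: "serviceAccount:cctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  # Cross-project, single-secret binding: read access to one secret in the
  # foreman project only (least-privilege pattern).
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: "projects/${foreman_gcp_project_id}/secrets/id-okta-creds"
  role: roles/secretmanager.secretAccessor
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: edge-bsl-prod-admin-secret-reader
  labels:
    platform.edge.ncr.com/component: clusterctl
spec:
  # NOTE(review): this binding is for a different account (ext-sec-*) than
  # the one created above and is not defined in this file; confirm the
  # clusterctl component label and ownership are intended.
  member: "serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: "projects/${foreman_gcp_project_id}/secrets/edge-bsl-prod-admin"
  role: roles/secretmanager.secretAccessor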