apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: ctlfish
spec:
  displayName: ctlfish pub sub service account
  resourceID: ctlfish-${cluster_hash}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ctlfish
spec:
  member: serviceAccount:ctlfish-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: pubsub.cnrm.cloud.google.com/v1beta1
    kind: PubSubTopic
    external: projects/${foreman_gcp_project_id}/topics/ctlfish-pubsub
  role: roles/pubsub.publisher