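---
# Config Connector IAMPolicyMember: adds a single member/role pair to the IAM
# policy of the IAMServiceAccount named in spec.resourceRef.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: ctlfish-workload-id
  annotations:
    description: |
      Binds the K8s SA used by ctlfish to the GCP IAM
      service account defined in the base.
spec:
  # Workload Identity principal, written as
  # serviceAccount:PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME]; here that is
  # namespace "ctlfish", Kubernetes service account "ctlfish".
  # Quoted so the placeholder and the brackets are always read as one string.
  # NOTE(review): ${gcp_project_id} is presumably substituted by the deployment
  # tooling before apply - confirm; an unsubstituted value is not a valid
  # member and the binding would not be created.
  member: 'serviceAccount:${gcp_project_id}.svc.id.goog[ctlfish/ctlfish]'
  # Target of the binding: the IAMServiceAccount resource named "ctlfish".
  # The ref sets no namespace, so it is looked up next to this object.
  resourceRef:
    name: ctlfish
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # roles/iam.workloadIdentityUser lets the member impersonate the referenced
  # service account, so every pod that can run as ctlfish/ctlfish receives that
  # account's GCP permissions. Keep the account's own role grants minimal and
  # limit who may create pods or use that service account in the namespace.
  # The Kubernetes side of the link (the iam.gke.io/gcp-service-account
  # annotation on the service account) is not part of this manifest.
  role: roles/iam.workloadIdentityUser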