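---
# Config Connector IAMPolicyMember: a Workload Identity binding for the
# edge-issuer workload. It grants roles/iam.workloadIdentityUser on one GCP
# service account to one Kubernetes service account (KSA).
#
# cluster_hash and gcp_project_id are placeholders, so this manifest is not
# usable until both are substituted. The templated scalars are quoted so an
# unexpected expansion cannot change how the YAML parses.
# NOTE(review): presumably rendered by a templating step before apply.
# Confirm that an unset variable fails the render instead of expanding to an
# empty string, which would yield a malformed member or a wrong target name.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: 'issuer-${cluster_hash}-workload-id'
  annotations:
    description: |
      Binds the K8s SA used by edge-issuer to the GCP IAM service account defined in the base.
spec:
  # Principal: KSA "edge-issuer" in namespace "edge-issuer", addressed through
  # the project's workload identity pool (<project>.svc.id.goog). GKE pools
  # are scoped to the project, not to a cluster, so the same namespace/name
  # pair on any cluster sharing this pool resolves to this same principal.
  # Control over who may create pods or service accounts in the edge-issuer
  # namespace is therefore part of this binding's trust boundary.
  member: 'serviceAccount:${gcp_project_id}.svc.id.goog[edge-issuer/edge-issuer]'
  # Target: the role is granted on this single IAMServiceAccount resource,
  # not at project level. No namespace is given, so the reference resolves
  # in the namespace of this IAMPolicyMember.
  resourceRef:
    name: 'issuer-${cluster_hash}'
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # Allows the member to act as the target service account. The effective
  # permissions of the workload are whatever roles that account holds, so
  # review those grants together with this binding.
  role: roles/iam.workloadIdentityUser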