apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: syncedobjectctl
spec:
  displayName: syncedobjectctl
  resourceID: soctl-${cluster_hash}
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: syncedobjectctl-pubsub-publisher
  labels:
    platform.edge.ncr.com/component: edge-backend
spec:
  member: serviceAccount:soctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${foreman_gcp_project_id}
  role: roles/pubsub.publisher
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: syncedobjectctl-pubsub-subscriber
spec:
  member: serviceAccount:soctl-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: ${foreman_gcp_project_id}
  role: roles/pubsub.subscriber