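---
# Workload Identity binding for the external-secrets controller (Config
# Connector IAMPolicyMember). It lets the Kubernetes SA
# external-secrets/external-secrets act as the GCP IAMServiceAccount named
# external-secrets, which is declared in the base.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: external-secrets-workload-id
  annotations:
    # |- strips the trailing newline so the annotation value is just the text.
    description: |-
      Binds the K8s SA used by the external-secrets controller to the GCP IAM
      service account defined in the base.
spec:
  # Quoted on purpose: the value is templated (${gcp_project_id}) and contains
  # ':' and '[...]'; quoting keeps it a plain string whatever gets substituted,
  # and an unsubstituted placeholder is then easy to spot in the rendered output.
  # The [namespace/name] suffix must match the KSA the controller pod actually
  # runs as; review any change to it together with the controller's ServiceAccount.
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[external-secrets/external-secrets]"
  resourceRef:
    # The IAMServiceAccount this binding is attached to; it must already exist
    # in the base with exactly this name.
    name: external-secrets
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # workloadIdentityUser only permits the listed member to impersonate the
  # referenced service account; what that account may do in GCP is governed by
  # the roles granted to the IAMServiceAccount itself, not by this resource.
  role: roles/iam.workloadIdentityUser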