# Config Connector (cnrm) manifest with two documents:
#   1. the Google service account (GSA) "argo-server";
#   2. the IAM binding that lets a Kubernetes service account (KSA) act as it.
# ${gcp_project_id} is a placeholder; it has to be substituted with the real
# project id before this file is applied.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: argo-server
  annotations:
    # Project in which Config Connector creates the service account.
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
spec:
  # This manifest grants the account no roles. Whatever access it has is
  # defined elsewhere (not visible here). "General purpose" accounts tend to
  # accumulate roles, so review those bindings for least privilege.
  displayName: General purpose Argo Server service account
---
# Workload Identity binding: grants roles/iam.workloadIdentityUser ON the
# argo-server GSA (resourceRef) TO the KSA named in `member`.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: argo-server-workload-identity-user
  annotations:
    description: |
      Binds the K8s SA used by argo-server to the GCP IAM service account.
spec:
  # Member format is <project>.svc.id.goog[<namespace>/<ksa-name>], here
  # namespace "argo" and KSA "argo-server". The identity is keyed on project,
  # namespace and KSA name only, so:
  #   - any pod allowed to run as that KSA can obtain tokens for the GSA;
  #     restrict who may create pods or use this service account in "argo";
  #   - every cluster sharing this project's workload identity pool that has
  #     the same namespace/KSA name maps to the same identity.
  # The KSA side of the link (the iam.gke.io/gcp-service-account annotation)
  # is not part of this file; verify it points at this GSA.
  member: serviceAccount:${gcp_project_id}.svc.id.goog[argo/argo-server]
  # Resource the role is granted on: the IAMServiceAccount declared above.
  resourceRef:
    name: argo-server
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # Allows the member to impersonate the GSA. It confers no other access.
  role: roles/iam.workloadIdentityUser