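# Config Connector resources for the PostgREST workload: one Google service
# account (GSA), two IAM bindings for it, and a reserved global address.
# The ${...} placeholders are filled in by a templating step before this file
# is parsed as YAML, so every templated scalar is quoted to keep it a string
# whatever the substituted value looks like.

# Workload Identity binding: lets the Kubernetes service account named by the
# member string impersonate the `postgrest` GSA defined in this file.
# The member format is PROJECT_ID.svc.id.goog[NAMESPACE/KSA_NAME], i.e. the
# `postgrest` KSA in the `postgrest` namespace.
# NOTE(review): the workload identity pool is per project, so any cluster in
# the project with the same namespace/KSA name resolves to this member, and
# anyone able to run pods under that KSA obtains the GSA's permissions.
# Confirm RBAC on the `postgrest` namespace is restricted accordingly.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: postgrest-workload-identity-user
spec:
  member: 'serviceAccount:${gcp_project_id}.svc.id.goog[postgrest/postgrest]'
  resourceRef:
    name: postgrest
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
# Grants roles/alloydb.client to the PostgREST GSA. The e-mail local part must
# stay equal to the IAMServiceAccount's resourceID (postgrest-${cluster_hash}).
# NOTE(review): resourceRef targets the whole Project, so the role applies to
# every AlloyDB resource in the project rather than to a single cluster.
# Confirm project-wide scope is intended; what the account can do inside a
# database still depends on database-level credentials and grants.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: postgrest-alloydb-client
spec:
  member: 'serviceAccount:postgrest-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com'
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    external: 'projects/${gcp_project_id}'
  role: roles/alloydb.client
---
# The GSA itself. Both IAMPolicyMember resources in this file refer to it:
# one by name (`postgrest`), one by its e-mail address.
# NOTE(review): service account IDs are limited to 30 characters; with the
# 10-character `postgrest-` prefix, cluster_hash must be 20 characters or
# fewer. Confirm against the value the template supplies.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: postgrest
spec:
  resourceID: 'postgrest-${cluster_hash}'
---
# Reserved global address for PostgREST. The dns.edge.ncr.com/* annotations
# are read by a controller that is not part of this file; presumably it
# publishes a DNS record for sovereign.${domain}. in the named managed zone.
# NOTE(review): no addressType is set, and the Compute Engine default is
# EXTERNAL, so this most likely reserves a public IP. Confirm that exposing
# PostgREST at a public name is intended and that it sits behind
# authentication.
apiVersion: compute.cnrm.cloud.google.com/v1beta1
kind: ComputeAddress
metadata:
  name: postgrest
  annotations:
    dns.edge.ncr.com/dns-project-id: '${gcp_project_id}'
    dns.edge.ncr.com/managed-zone: infra/dev-infra
    dns.edge.ncr.com/name: 'sovereign.${domain}.'
spec:
  location: global
  resourceID: postgrest-ip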