apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMCustomRole
metadata:
  name: fluxread
  namespace: flux-system
  annotations:
    cnrm.cloud.google.com/deletion-policy: abandon
    description: |
      Provides only the required permissions for reading manifests from GCS buckets
      using Flux.
spec:
  permissions:
  - storage.objects.list
  - storage.buckets.get
  - storage.objects.get
  title: fluxread