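---
# Google service account used by the Flux source-controller.
# The account ID embeds ${cluster_hash}, so each cluster gets its own identity.
# The ${...} placeholders are presumably substituted by the deployment tooling
# before these manifests are applied.
# NOTE(review): GCP service account IDs must be 6-30 characters; confirm that
# "flux-" plus the substituted hash stays within that limit.
# NOTE(review): no Workload Identity binding (roles/iam.workloadIdentityUser)
# for the controller's Kubernetes service account appears in this file; verify
# that it is declared elsewhere so that no exported key is needed.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: flux-source-controller
  annotations:
    description: Used by Flux source controller
spec:
  resourceID: "flux-${cluster_hash}"
---
# Bucket-level IAM grant for the service account declared above.
# IAMPartialPolicy manages only the bindings listed here; bindings that other
# tools or manifests have placed on the same bucket are left untouched.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPartialPolicy
metadata:
  name: flux-source-controller-storage-access
  annotations:
    description: |
      Grants storage permissions for reading from GCS to Flux source controller
spec:
  bindings:
    - members:
        - member: "serviceAccount:flux-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"
      # Project-level custom role; its permission list is not defined in this
      # file. NOTE(review): confirm it contains read-only storage permissions.
      role: "projects/${gcp_project_id}/roles/fluxread"
  resourceRef:
    apiVersion: storage.cnrm.cloud.google.com/v1beta1
    kind: StorageBucket
    # "external" is the bucket name, which here equals the project ID, so the
    # grant covers that single bucket rather than the whole project.
    # NOTE(review): confirm a bucket with this name exists and is owned by
    # this project.
    external: "${gcp_project_id}"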