1apiVersion: iam.cnrm.cloud.google.com/v1beta1 # bind service account to GKE workload identity SA
2kind: IAMPolicyMember
3metadata:
4 name: grafana-sa-workload-id
5spec:
6 member: serviceAccount:${gcp_project_id}.svc.id.goog[grafana/grafana-sa]
7 resourceRef:
8 apiVersion: iam.cnrm.cloud.google.com/v1beta1
9 kind: IAMServiceAccount
10 external: projects/${gcp_project_id}/serviceAccounts/grafana-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
11 role: roles/iam.workloadIdentityUser
View as plain text