# Workload Identity binding (Config Connector IAMPolicyMember).
# Lets the Kubernetes service account (KSA) opentelemetry-targetallocator-sa
# in namespace otel act as the Google service account (GSA)
# o11y-${cluster_hash} by granting it roles/iam.workloadIdentityUser on
# that GSA.
#
# Security notes:
# - The member is keyed on the project's workload identity pool, the
#   namespace and the KSA name, not on a cluster. Any cluster that shares
#   the ${gcp_project_id}.svc.id.goog pool and has an otel namespace with a
#   KSA of this name receives the same access.
# - This binding grants impersonation only. What the workload can do is set
#   by the roles held by the o11y-${cluster_hash} GSA, which are defined
#   outside this manifest; review them together with this binding.
# - The KSA side of the link (the iam.gke.io/gcp-service-account annotation)
#   is not part of this manifest.
# NOTE(review): the resource name says "otel-collector" but the member is the
# target-allocator KSA; confirm which workload is meant to hold this grant.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: otel-collector-sa-workload-id
spec:
  # One KSA principal, written as PROJECT.svc.id.goog[NAMESPACE/KSA].
  # Quoted so the templated value is always read as a string.
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[otel/opentelemetry-targetallocator-sa]"
  role: roles/iam.workloadIdentityUser
  resourceRef:
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
    # The GSA is referenced by its full resource path rather than by the
    # name of a Config Connector object.
    external: "projects/${gcp_project_id}/serviceAccounts/o11y-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com"