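# Config Connector IAMPolicyMember: grants roles/iam.workloadIdentityUser on
# the GCP service account `plank` to the Kubernetes service account `plank`
# in namespace `plank` (GKE Workload Identity binding).
#
# Restored from a collapsed listing: line breaks and nesting were rebuilt and
# the listing's gutter numbers (fused into the keys) were dropped. Keys and
# values are otherwise unchanged.
#
# Review notes:
# - The effective privilege of this binding is whatever roles the `plank` GCP
#   service account holds. Anything that can run a pod under the `plank`
#   Kubernetes service account in namespace `plank` can obtain credentials
#   for it, so keep that account's roles minimal and restrict RBAC on the
#   namespace accordingly.
# - The workload identity pool `<project>.svc.id.goog` is scoped to the
#   project, not to one cluster: the same namespace/name pair in any cluster
#   of that project using the pool maps to this member.
# - metadata.namespace is not set here; presumably it is supplied by an
#   overlay or by the applying tool. Confirm before applying.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: plank-workload-id
  annotations:
    description: |
      Binds the K8s SA used by plank to the GCP IAM service account defined in the base.
spec:
  # Format: serviceAccount:<project>.svc.id.goog[<k8s namespace>/<k8s SA name>].
  # ${gcp_project_id} is a placeholder that must be substituted before this
  # manifest is applied (the substitution mechanism is not visible here); an
  # unsubstituted value would not name a valid principal.
  member: serviceAccount:${gcp_project_id}.svc.id.goog[plank/plank]
  # The resource the role is granted ON: the IAMServiceAccount object named
  # `plank`. No namespace is given in the reference, so it is presumably
  # looked up in this object's own namespace. Confirm against the base.
  resourceRef:
    name: plank
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  # Lets the member impersonate the referenced service account through
  # Workload Identity; it grants nothing on other resources by itself.
  role: roles/iam.workloadIdentityUser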