apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: authserver
  annotations:
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
spec:
  displayName: authserver
---
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: es-auth-proxy-secret-accessor
  annotations:
    cnrm.cloud.google.com/project-id: ${foreman_gcp_project_id}
spec:
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    external: projects/${foreman_gcp_project_id}/secrets/edge-auth-proxy-session-secret
  role: roles/secretmanager.secretAccessor