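---
# Both documents were collapsed onto a single line, which does not parse as
# YAML; the layout below restores one key per line and the document
# separator. Keys and values are unchanged.
#
# Service account for the auth server, declared as a Config Connector
# resource in the project named by the project-id annotation.
# NOTE(review): this file grants no roles to this account; any permissions
# it holds are bound elsewhere.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: authserver
  annotations:
    # ${...} placeholders are presumably substituted by whatever renders this
    # manifest before it is applied; confirm an unset variable fails the
    # render instead of producing an empty project id.
    cnrm.cloud.google.com/project-id: ${gcp_project_id}
spec:
  displayName: authserver
---
# Lets one service account read one Secret Manager secret.
# IAMPolicyMember adds a single member/role binding on the referenced
# resource and leaves the other bindings on that resource in place.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: es-auth-proxy-secret-accessor
  annotations:
    # The binding is managed in the project that owns the secret, which is a
    # different variable from the project that owns the member below.
    cnrm.cloud.google.com/project-id: ${foreman_gcp_project_id}
spec:
  # Cross-project grant: the member lives in ${gcp_project_id}, the secret in
  # ${foreman_gcp_project_id}.
  # NOTE(review): the ext-sec-${cluster_hash} account is not defined in this
  # file; confirm it exists and review who is allowed to impersonate it,
  # because every such identity can read the secret too.
  member: serviceAccount:ext-sec-${cluster_hash}@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: secretmanager.cnrm.cloud.google.com/v1beta1
    kind: SecretManagerSecret
    # Referenced by full resource path, not by the name of a Config Connector
    # object. The role is bound on this single secret, not on the project, so
    # access stays limited to the auth-proxy session secret.
    external: projects/${foreman_gcp_project_id}/secrets/edge-auth-proxy-session-secret
  # secretAccessor permits reading the payload of the secret's versions; it
  # does not permit creating, changing or deleting the secret.
  role: roles/secretmanager.secretAccessor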