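# Google service account (GSA) for the Emergency Access auth service,
# managed through Config Connector.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: ea-authservice-sa
spec:
  description: "Emergency Access Auth Service Engine Service Account"
  resourceID: ea-authservice-sa
---
# Workload Identity binding: lets the Kubernetes service account
# `ea-authservice-sa` in namespace `emergencyaccess` act as the GSA above.
#
# NOTE(review): IAMPolicy is authoritative. It replaces the whole IAM policy on
# the referenced service account, so bindings granted outside this manifest are
# removed on reconcile. If other bindings on this GSA are managed elsewhere,
# the additive IAMPolicyMember kind is the safer choice; if this is meant to be
# the only principal allowed to use the GSA, keep IAMPolicy and say so here.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: ea-authservice-sa-workload-identity
spec:
  bindings:
    - members:
        # ${gcp_project_id} is a template placeholder and must be substituted
        # before this manifest is applied. The value is quoted so that the
        # placeholder and the [namespace/name] suffix are always read as one
        # string. The workload identity pool is project-wide: the same
        # namespace/name pair in any cluster using this pool maps to this
        # member, so review who can create service accounts in that namespace.
        - "serviceAccount:${gcp_project_id}.svc.id.goog[emergencyaccess/ea-authservice-sa]"
      role: roles/iam.workloadIdentityUser
  resourceRef:
    name: ea-authservice-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount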