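---
# Google service account (GSA) declared through Config Connector.
# Only the identity is created here; no project- or resource-level roles are
# granted to it in this manifest, so its effective permissions are defined
# elsewhere. NOTE(review): the name suggests Pub/Sub access for an
# emergency-access workflow; confirm those grants are scoped to the specific
# topics/subscriptions and not to the whole project.
# metadata.namespace is not set, so the namespace comes from whatever applies
# this file (TODO confirm it is the intended one).
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMServiceAccount
metadata:
  name: ea-pubsub-sa
spec:
  description: "Emergency Access Service Account"
  resourceID: ea-pubsub-sa
---
# IAM allow-policy attached to the GSA itself (not to the project).
# IAMPolicy is authoritative: on reconcile it replaces the full set of bindings
# on the referenced service account, so any binding added out of band (console,
# gcloud, another manifest) is removed. If other principals must keep access to
# this GSA, list them here or switch to the additive IAMPolicyMember /
# IAMPartialPolicy kinds.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicy
metadata:
  name: ea-pubsub-sa-workload-identity
spec:
  bindings:
    # Workload Identity: the Kubernetes service account "ea-pubsub-sa" in
    # namespace "emergencyaccess" may obtain tokens for this GSA. Anything able
    # to run a pod as that Kubernetes service account, or mint tokens for it,
    # inherits the GSA's permissions, so RBAC on that namespace is part of the
    # trust boundary for emergency access.
    - members:
        # ${gcp_project_id} is a placeholder, presumably substituted before
        # apply. Quoted so the "${...}" and "[...]" characters can never be
        # read as YAML flow syntax and an empty expansion stays a string.
        - 'serviceAccount:${gcp_project_id}.svc.id.goog[emergencyaccess/ea-pubsub-sa]'
      role: roles/iam.workloadIdentityUser
  # No namespace on the reference: it is expected to resolve to the
  # IAMServiceAccount of that name alongside this resource (TODO confirm both
  # are applied to the same namespace).
  resourceRef:
    name: ea-pubsub-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount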