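---
# Config Connector IAM binding: lets the Kubernetes service account
# vpn/wireguardctl impersonate the GCP service account wireguardctl-gcp-sa
# (Workload Identity). The binding is scoped to the single GSA named in
# resourceRef, so only that KSA gains the impersonation right.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: wireguardctl-workload-id-binding
  namespace: vpn
spec:
  # ${gcp_project_id} is substituted before apply. An unset variable would
  # produce a malformed member rather than fail closed — confirm the
  # templating step rejects unset variables.
  member: serviceAccount:${gcp_project_id}.svc.id.goog[vpn/wireguardctl]
  resourceRef:
    name: wireguardctl-gcp-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser
---
# Grants wireguardctl-gcp-sa roles/secretmanager.admin on the WHOLE project
# (resourceRef is the Project, via `external`), i.e. create/read/update/
# delete on every secret in the project and the ability to change each
# secret's IAM policy — not just the secrets wireguardctl uses. A compromise
# of the vpn/wireguardctl pod therefore reaches all project secrets.
# NOTE(review): least privilege would be roles/secretmanager.secretAccessor
# (read-only) bound on the individual secret(s) the workload needs (per-secret
# IAM via a resourceRef to the secret resource, e.g. kind SecretManagerSecret —
# verify support in the Config Connector version in use), widening only if
# the workload must also add versions. Whether admin is genuinely required is
# not visible from this manifest; confirm with the owner before narrowing.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: wireguardctl-secret-admin-binding
  namespace: vpn
spec:
  member: serviceAccount:wireguardctl-gcp-sa@${gcp_project_id}.iam.gserviceaccount.com
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # Project-level target: this object edits the project IAM policy, which is
    # a high-impact change and should require explicit review on every diff.
    external: projects/${gcp_project_id}
  role: roles/secretmanager.admin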