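# Workload Identity binding: allows the Kubernetes service account
# vpn/wireguardctl to act as the GCP service account wireguardctl-gcp-sa.
# roles/iam.workloadIdentityUser is granted on the IAMServiceAccount
# resource itself (resourceRef below), not on the project, so the grant is
# scoped to this single GSA.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: wireguardctl-workload-id-binding
  namespace: vpn
spec:
  # Quoted on purpose: the value is template-expanded (substitution tool not
  # visible in this file) and contains "[...]"; quoting keeps it a plain
  # string whatever the template substitutes.
  member: "serviceAccount:${gcp_project_id}.svc.id.goog[vpn/wireguardctl]"
  resourceRef:
    name: wireguardctl-gcp-sa
    apiVersion: iam.cnrm.cloud.google.com/v1beta1
    kind: IAMServiceAccount
  role: roles/iam.workloadIdentityUser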
---
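# Project-level grant: the GCP service account wireguardctl-gcp-sa receives
# roles/secretmanager.admin on the whole project (resourceRef.external).
# NOTE(review): secretmanager.admin at project scope gives full control
# (read, create, delete and IAM changes) over every secret in the project.
# If wireguardctl only needs to read specific secrets, a narrower grant is
# a resourceRef to the individual SecretManagerSecret(s) with
# roles/secretmanager.secretAccessor; confirm the workload's actual needs
# before narrowing.
apiVersion: iam.cnrm.cloud.google.com/v1beta1
kind: IAMPolicyMember
metadata:
  name: wireguardctl-secret-admin-binding
  namespace: vpn
spec:
  # Quoted on purpose: template-expanded value (substitution tool not visible
  # in this file); quoting keeps it a plain string after expansion.
  member: "serviceAccount:wireguardctl-gcp-sa@${gcp_project_id}.iam.gserviceaccount.com"
  resourceRef:
    apiVersion: resourcemanager.cnrm.cloud.google.com/v1beta1
    kind: Project
    # "external" points at a project not managed by this Config Connector
    # namespace; quoted for the same template-expansion reason as "member".
    external: "projects/${gcp_project_id}"
  role: roles/secretmanager.admin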