I've enabled Workload Identity on our GKE cluster. Now I'm deploying an app to GKE which uses WI to authenticate to another Google service. I've already used Deployment Manager to create an IAM Service Account with the right access to the Google Service. I've also deployed the application with its own GKE service account to the cluster.
Finally, I need to bind the two different types of service accounts together. This allows the Kubernetes service account to act as the Google service account, thus allowing the pod to access cloud services.
The documentation uses the `gcloud` CLI tool to add the policy binding like this:

```sh
gcloud iam service-accounts add-iam-policy-binding \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]" \
  GSA_NAME@PROJECT_ID.iam.gserviceaccount.com
```
Of course, I'd like to do it via GCP Deployment Manager (infra-as-code and all that) but I can't figure out the correct DM syntax!?
I normally do role binding via the `gcp-types/cloudresourcemanager-v1:virtual.projects.iamMemberBinding` type, like in the code example, but I can't figure out how to replicate the above `gcloud` command and can't find any public examples. Who can help, please?
Previously `actions` would be used I think, but since they're deprecated I'd rather not use them for new code. The `iamMemberBinding` seems to be the recommended way.
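Whichever tool ends up writing the binding, the thing worth checking afterwards is that `roles/iam.workloadIdentityUser` on the Google service account is granted only to the Kubernetes service accounts you intended, since every member on that role can obtain tokens for the GSA. The following is an added example, not code from the question or from any Google tool: it works on the JSON shape that `gcloud iam service-accounts get-iam-policy GSA --format=json` returns (a `bindings` list of `role`/`members` objects), builds the `PROJECT_ID.svc.id.goog[NAMESPACE/KSA]` member string from the question, adds a binding idempotently the way `add-iam-policy-binding` does (read-modify-write), and audits a policy against an allow-list. The project, namespace and KSA names and the sample policy are constructed.

```python
"""Audit a Google service account's IAM policy for Workload Identity bindings.

Added example (not from the question or any Google tool). Input is the JSON
that `gcloud iam service-accounts get-iam-policy GSA --format=json` prints.
All names and the sample policy below are constructed.
"""
import json
import re

WI_ROLE = "roles/iam.workloadIdentityUser"

# serviceAccount:PROJECT_ID.svc.id.goog[K8S_NAMESPACE/KSA_NAME]
# Project IDs are 6-30 chars of lowercase letters, digits and hyphens,
# start with a letter and do not end with a hyphen.
_MEMBER_RE = re.compile(
    r"^serviceAccount:(?P<project>[a-z][a-z0-9-]{4,28}[a-z0-9])"
    r"\.svc\.id\.goog\[(?P<namespace>[a-z0-9-]+)/(?P<ksa>[a-z0-9.-]+)\]$"
)


def wi_member(project_id: str, namespace: str, ksa_name: str) -> str:
    """Build the member string the gcloud command in the question expects."""
    return f"serviceAccount:{project_id}.svc.id.goog[{namespace}/{ksa_name}]"


def parse_wi_member(member: str):
    """Return (project, namespace, ksa) for a well-formed KSA member, else None."""
    m = _MEMBER_RE.match(member)
    return (m["project"], m["namespace"], m["ksa"]) if m else None


def add_wi_binding(policy: dict, member: str) -> dict:
    """Idempotently add a workloadIdentityUser binding (read-modify-write,
    as add-iam-policy-binding does). Returns a new policy; input is untouched."""
    new = json.loads(json.dumps(policy))  # deep copy, keeps etag/version
    bindings = new.setdefault("bindings", [])
    for b in bindings:
        if b.get("role") == WI_ROLE:
            if member not in b["members"]:
                b["members"].append(member)
            return new
    bindings.append({"role": WI_ROLE, "members": [member]})
    return new


def audit_wi_bindings(policy: dict, expected_members: set) -> dict:
    """Compare the WI bindings on a GSA against an allow-list of KSA members.

    Report keys:
      missing    - expected members not granted (the pod cannot impersonate)
      unexpected - KSAs granted outside the allow-list (other namespaces or
                   workloads able to mint tokens for this GSA)
      non_ksa    - members on the WI role that are not Kubernetes identities
    """
    granted, non_ksa = set(), []
    for b in policy.get("bindings", []):
        if b.get("role") != WI_ROLE:
            continue
        for m in b.get("members", []):
            (granted.add if parse_wi_member(m) else non_ksa.append)(m)
    return {
        "missing": sorted(expected_members - granted),
        "unexpected": sorted(granted - expected_members),
        "non_ksa": sorted(non_ksa),
    }


# Constructed sample: what get-iam-policy might return for a GSA that has
# accumulated more bindings than the one the question is creating.
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": WI_ROLE,
            "members": [
                "serviceAccount:my-project.svc.id.goog[prod/my-app]",
                "serviceAccount:my-project.svc.id.goog[default/debug-shell]",
                "user:someone@example.com",
            ],
        },
        {"role": "roles/iam.serviceAccountUser", "members": ["group:ops@example.com"]},
    ],
    "etag": "BwXconstructed=",
    "version": 1,
}

if __name__ == "__main__":
    expected = {wi_member("my-project", "prod", "my-app")}
    print(json.dumps(audit_wi_bindings(SAMPLE_POLICY, expected), indent=2))
```

Pipe a real policy in with `gcloud iam service-accounts get-iam-policy GSA --format=json | python audit.py` (after swapping the sample for `json.load(sys.stdin)`) and treat any `unexpected` or `non_ksa` entry as a finding: the first means another namespace or workload can act as the GSA, the second means a non-Kubernetes principal holds a role meant only for KSA federation.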