IAMPolicyMember.spec.member should be able to be a reference to an IAMServiceAccount

[dmacthedestroyer]

Instead of the member field being a regex-enforced string, we should also be able to reference an IAMServiceAccount CRD, similar in fashion to the Specifying resource references documentation.

This would be especially helpful because it would remove the need to provide the Google Project ID whenever the service account is created within the same project as the cluster. For us, this would mean one less template parameter being passed around through configs in order to render the Helm template.

An example:
currently, from the repo's example:

spec:
  # replace ${PROJECT_ID?} with your project name
  member: serviceAccount:iampolicymember-dep-pubsub@${PROJECT_ID?}.iam.gserviceaccount.com

proposed:

spec:
  member: 
    iamServiceAccountRef: 
      name: iampolicymember-dep-pubsub

[maqiuyujoyce]

Hi @dmacthedestroyer, thank you for your feedback. We've also received the same request from another customer. We are currently looking into this feature. Will let you know when we have any updates.

[morgante]

@maqiuyujoyce Any update here? This is currently cumbersome and painful.

[jcanseco]

Hi @morgante, our plan is to support it as part of our CRD version bumps sometime later this year.

[jcanseco]

Hi all, it is now possible in KCC v1.34.0 to reference an IAMServiceAccount as the member in an IAMPolicyMember using the spec.memberFrom.serviceAccountRef field. We will be updating the docs for IAMPolicyMember in a bit to include descriptions and sample usage of the new spec.memberFrom field.

Closing this issue now. Feel free to follow-up with comments if you have any further questions.