I am creating a service account in gcp via pulumi that would use workload identity (gke pods) and access a bucket. I have created a service account, role with bucket objects get/list etc and added binding, code is here https://gist.github.com/seeker815/4b8df54ee2a41bccb5ec84547582b13b while the worload identity works, bucket access isn’t set so I am trying to do something like

gsutil iam ch serviceAccount:<sa-name>:<bucketrole> gs://<bucket-name>

to give access for the sa to the bucket. How do I do that in pulumi,