I am creating a service account in GCP via Pulumi that would use workload identity (GKE pods) and access a bucket. I have created a service account and a role with bucket objects get/list etc., and added a binding; code is here https://gist.github.com/seeker815/4b8df54ee2a41bccb5ec84547582b13b
While the workload identity works, bucket access isn't set, so I am trying to do something like
gsutil iam ch serviceAccount:<sa-name>:<bucketrole> gs://<bucket-name>
to give the SA access to the bucket. How do I do that in Pulumi?
I was looking at it from the SA point of view; adding a binding on the bucket is a simpler way rather than patching the service account. All good for now.
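The approach the follow-up settles on (a bucket-level binding for the service account, alongside the workload identity binding on the service account itself), written out as an added Pulumi Python example. This is not the poster's gist and not Pulumi's own code; PROJECT, BUCKET, KSA_NAMESPACE, KSA_NAME and the resource names are placeholders, and the role defaults to the predefined roles/storage.objectViewer, with a helper for referencing a custom project role like the one the poster created.

```python
# Added example (not the original poster's gist): grant a GCP service account
# read access to one bucket with Pulumi, using a bucket-level IAM member
# instead of patching the service account or the project-wide policy.
# PROJECT, BUCKET, KSA_NAMESPACE and KSA_NAME are placeholder values.

PROJECT = "my-project"          # placeholder project id
BUCKET = "my-app-bucket"        # placeholder, an existing bucket name
KSA_NAMESPACE = "default"       # Kubernetes namespace the pod runs in
KSA_NAME = "app-ksa"            # Kubernetes service account the pod runs as


def sa_member(email: str) -> str:
    """IAM member string for a Google service account (the gsutil form)."""
    return f"serviceAccount:{email}"


def workload_identity_member(project: str, namespace: str, ksa: str) -> str:
    """IAM member that lets a GKE Kubernetes SA impersonate the Google SA."""
    return f"serviceAccount:{project}.svc.id.goog[{namespace}/{ksa}]"


def custom_role_ref(project: str, role_id: str) -> str:
    """Fully qualified id of a project-level custom role."""
    return f"projects/{project}/roles/{role_id}"


def define_resources(role: str = "roles/storage.objectViewer"):
    # Imports are deferred so the member-string helpers above can be used
    # (and tested) without the Pulumi SDK being installed.
    import pulumi
    import pulumi_gcp as gcp

    gsa = gcp.serviceaccount.Account(
        "bucket-reader",
        account_id="bucket-reader",
        display_name="Reads objects from one bucket",
    )

    # Workload identity: the KSA may act as this GSA. This binding lives on
    # the service account; the KSA also needs the
    # iam.gke.io/gcp-service-account annotation pointing at gsa.email.
    gcp.serviceaccount.IAMMember(
        "bucket-reader-wi",
        service_account_id=gsa.name,  # fully qualified projects/.../serviceAccounts/...
        role="roles/iam.workloadIdentityUser",
        member=workload_identity_member(PROJECT, KSA_NAMESPACE, KSA_NAME),
    )

    # Bucket access: bind the role on the bucket, not on the project, so the
    # grant is scoped to this one bucket. BucketIAMMember is additive;
    # BucketIAMBinding and BucketIAMPolicy are authoritative for the role and
    # would drop other members that already hold it.
    gcp.storage.BucketIAMMember(
        "bucket-reader-objects",
        bucket=BUCKET,
        role=role,  # e.g. custom_role_ref(PROJECT, "bucketObjectReader")
        member=gsa.email.apply(sa_member),
    )

    pulumi.export("gsa_email", gsa.email)


if __name__ == "__main__":
    # Pulumi runs __main__.py as the main module, so this guard still
    # defines the resources under `pulumi up`.
    define_resources()
```

Run it as the stack's __main__.py with pulumi_gcp installed. To use the custom role instead of the predefined one, pass `define_resources(custom_role_ref(PROJECT, "<your-role-id>"))`.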