Additional IAM roles for Google service accounts

[tronghn]

Some applications use GCP products that require additional roles that grants their Google service account (their identity) access to itself (as a resource), e.g. roles/iam.serviceAccountTokenCreator.

naiserator creates an IAMPolicy that sets up bindings for workload identity.
This IAM policy is thus authoriative for the service account. External modifications are overridden by Config Connector.

A possible solution would be to allow applications to opt in for such additional roles and have naiserator assign these via the IAMPolicy resource.

See also https://nav-it.slack.com/archives/C050DP53VPH/p1716977528649729

[kimtore]

Did anyone else bump into this issue?

[tronghn]

Not as far as I've seen. I think #380 would allow the teams to control this themselves, so we could close this as not planned in favor of that issue.

[kimtore]

Would that mean that users will mutate the IAMServiceAccount family of resources that were created by Naiserator?

[tronghn]

No, ideally they'd only make additive changes. I think that requires us to move away from IAMPolicy to IAMPolicyMember instead.

But there's currently no way for them to do this while these resources are managed in another namespace.

[kimtore]

OK, closing this as not planned then, in favor of #380.