Add binding.

terraform/modules/workload_identity_account/workload_identity_account.tf

@@ -27,3 +27,18 @@ resource "google_service_account" "service_account" {
   account_id   = "wi-${var.k8s_namespace}-${var.k8s_service_account}"
   display_name = "Workload identity account for GKE [${var.k8s_namespace}/${var.k8s_service_account}]"
 }
+
+data "google_iam_policy" "policy" {
+  binding {
+    role = "roles/iam.workloadIdentityUser"
+
+    members = [
+      "serviceAccount:${var.project}.svc.id.goog[${var.k8s_namespace}/${var.k8s_service_account}]",
+    ]
+  }
+}
+
+resource "google_service_account_iam_policy" "policy_binding" {
+  service_account_id = google_service_account.service_account.name
+  policy_data        = data.google_iam_policy.policy.policy_data
+}