# Declares a Vault GCP roleset that issues credentials for the Nix binary
# cache bucket, and grants the gitlab-runner app on two servers read access
# to that roleset's token endpoint.
{ ... }:
let
  # Vault policy (HCL) shared by every runner that may fetch a deployer token.
  # `''${` is the Nix escape for a literal `${`, so the interpolation is left
  # for Terraform to resolve against the roleset resource declared below.
  # Only "read" on the single `/token` path is granted; nothing else under
  # the GCP backend is exposed by this policy.
  deployerTokenPolicy = ''
    path "''${vault_gcp_secret_roleset.binary_cache_deployer.backend}/roleset/''${vault_gcp_secret_roleset.binary_cache_deployer.roleset}/token" {
      capabilities = ["read"]
    }
  '';
in
{
  resource.vault_gcp_secret_roleset.binary_cache_deployer = {
    # `\${` keeps this as a Terraform reference instead of a Nix interpolation.
    backend = "\${vault_gcp_secret_backend.gcp.path}";
    roleset = "binary-cache-deployer";
    project = "lukegb-nix";

    # OAuth access tokens rather than service-account keys.
    # NOTE(review): Vault's GCP engine documents access tokens as short-lived
    # and not revocable through a lease - confirm this matches the incident
    # response plan for a compromised runner.
    secret_type = "access_token";
    token_scopes = [ "https://www.googleapis.com/auth/devstorage.read_write" ];

    # The IAM binding is limited to the one cache bucket.
    # NOTE(review): roles/storage.objectAdmin allows overwriting and deleting
    # objects, so any job that can obtain this token can replace cache
    # contents. Consumers of the cache should rely on Nix signature
    # verification, not on bucket integrity; consider whether a narrower role
    # covers what the deployer actually needs.
    binding = [
      {
        resource = "buckets/lukegb-nix-cache";
        roles = [ "roles/storage.objectAdmin" ];
      }
    ];
  };

  # Presumably attaches the policy to the gitlab-runner app identity on each
  # host (the `my.servers` option is defined elsewhere - confirm). Both
  # runners receive the same policy text.
  my.servers = {
    cofractal-ams01.appPolicies.gitlab-runner = deployerTokenPolicy;
    clouvider-lon01.appPolicies.gitlab-runner = deployerTokenPolicy;
  };
}