import * as gcp from "@pulumi/gcp";
import * as pulumi from "@pulumi/pulumi";
/** GKE workload identity configuration. */
export interface WorkloadIdentityConfiguration {
    /**
     * Options to use when creating the resources. This should have at
     * least `{ dependsOn: [cluster] }`, as the workload identity IAM
     * policy cannot be created until the cluster with that identity
     * exists.
     */
    options: pulumi.CustomResourceOptions;
    /** GCP project ID to create resources */
    projectId: string;
    /** GCP IAM roles to bind to service account */
    projectRoles: string[];
    /** Kubernetes service account name */
    workload: string;
    /** Kubernetes service account namespace */
    workloadNamespace: string;
    /** Set to true to import, rather than create, the resources. */
    import?: boolean;
    /**
     * GCP project ID of workload. If not provided, [[projectId]] is
     * used.
     */
    workloadProject?: string;
}
/**
 * Create a GCP service account for workload identity, bind the
 * provided roles to the GCP service account, and then link the GCP
 * service account to the Kubernetes workload, i.e., service account.
 */
export declare function workloadIdentity(wi: WorkloadIdentityConfiguration): gcp.serviceaccount.Account;
//# sourceMappingURL=workloadIdentity.d.ts.map