feat: Enable bufstream to use workload identity for auth

main.tf

@@ -28,6 +28,7 @@ locals {
   create_network = var.network == null
   k8s_sa_map = {
     app         = "wandb-app"
+    bufstream   = "wandb-bufstream"
     parquet     = "wandb-parquet"
     flat_runs   = "wandb-flat-run-fields-updater"
     weave       = "wandb-weave"
@@ -326,6 +327,15 @@ module "wandb" {
         ]
       }
 
+      bufstream = {
+        serviceAccount = var.create_workload_identity ? {
+          name        = local.k8s_sa_map.bufstream
+          annotations = { "iam.gke.io/gcp-service-account" = module.service_accounts.sa_account_role }
+          } : {
+          name        = ""
+          annotations = {}
+        }
+      }
       ingress = {
         create       = var.public_access # external ingress for public connection
         nameOverride = var.namespace