Best practices for roles and role bindings

[christhegrand]

What are the best practices for adding roles and role bindings within Argo? Here is my problem:

I am trying to add a role and role binding to a managed Prometheus resource in a GKE cluster so it can read some auth information from an existing secret. I need to add these files:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: prometheus-basic-auth-secret-read
rules:
  - resources:
    - secrets
    apiGroups: [""]
    verbs: ["get", "list", "watch"]
    resourceNames: ["prometheus-basic-auth"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gmp-system:collector:prometheus-basic-auth-secret-read
  namespace: default
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: prometheus-basic-auth-secret-read
subjects:
  - kind: ServiceAccount
    name: collector
    namespace: gmp-system

But when Argo tries to apply these files, I get this error:

one or more synchronization tasks completed unsuccessfully, reason: error running rbacReconcile: error running kubectl auth reconcile: rolebindings.rbac.authorization.k8s.io "gmp-system:collector:prometheus-basic-auth-secret-read" is forbidden: user "argocd@foobar.iam.gserviceaccount.com" (groups=["system:authenticated"]) is attempting to grant RBAC permissions not currently held: {APIGroups:[""], Resources:["secrets"], ResourceNames:["prometheus-basic-auth"], Verbs:["get" "list" "watch"]}

Our Argo service account doesn't have permissions to grant these RBAC permissions to the resource. I could fix this by giving the Argo service account those permissions, but that feels wrong to me. In addition, that role file would have to be manually kubectl applied outside of Argo itself, when I'm trying to keep all of this within Argo.

What is the right thing to do here? How do I have Argo add new roles and role bindings to a resource in my cluster without also having to give the Argo service account the same permissions?