account2 := Account{Number: "account-has-one-replace"}

	if err := DB.Model(&user2).Association("Account").Replace(&account2); err != nil {
		t.Fatalf("Error happened when append Account, got %v", err)
	}

	if account2.ID == 0 {
		t.Fatalf("account2's ID should be created")
	}

	user.Account = account2
	CheckUser(t, user2, user)

	AssertAssociationCount(t, user2, "Account", 1, "AfterReplace")

	// Delete

	if !regexp.MustCompile("SELECT .* FROM .users. left join pets.*join accounts.*").MatchString(stmt.SQL.String()) {

            paths: ["/info*"]
        - operation:
            methods: ["POST"]
            paths: ["/data"]
      when:
        - key: request.auth.claims[iss]
          values: ["https://accounts.google.com"]
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: meshwide-httpbin
  namespace: istio-system # valid: it applies to whole mesh
spec:
  {}
---

issue: []

docs: []

releaseNotes:
- |
  **Added** values to the Istio Gateway Helm charts for configuring annotations on the ServiceAccount.  Can be used to enable [IAM Roles for Service Accounts](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) on AWS EKS.

upgradeNotes: []

		if cidr == "" {
			return []string{}
		}

		return strings.Split(cidr, ",")
	}()

	CATrustedNodeAccounts = func() sets.Set[types.NamespacedName] {
		accounts := env.Register(
			"CA_TRUSTED_NODE_ACCOUNTS",
			"",
			"If set, the list of service accounts that are allowed to use node authentication for CSRs. "+
				"Node authentication allows an identity to create CSRs on behalf of other identities, but only if there is a pod "+

Previously, site replication required the root credentials of peer sites to be identical. This is no longer necessary because STS tokens are now signed with the site replicator service account credentials, thus allowing flexibility in the independent management of root accounts across sites and the ability to disable root accounts eventually.

area: security

releaseNotes:
- |
  **Added** support for client side Envoy secure naming config when trust domain alias is used.
  Fix the multi cluster service discovery client SAN generation: takes all endpoints' service accounts

The python script (sa-jwt.py) provided here allows the user to generate a JWT signed
by a Google service account.

## Before you start

- Run the following command to install python dependences.

    ```
    pip install google-auth
    ```

- Create a service account or use an existing service account, and download the service account private key.

		// For STS policy map, we need to merge the new cache with the existing
		// cache because the periodic IAM reload is partial. The periodic load
		// here is to account for STS policy mapping changes that should apply
		// for service accounts derived from such STS accounts (i.e. LDAP STS
		// accounts).
		newCache.iamSTSPolicyMap.Range(func(k string, v MappedPolicy) bool {
			cache.iamSTSPolicyMap.Store(k, v)
			return true
		})

See the License for the specific language governing permissions and
limitations under the License.
*/

// Package serviceaccount provides implementations
// to manage service accounts and service account tokens