You are setting up service accounts for an application that operates across various projects within Google Cloud. Specifically, virtual machines (VMs) in the "web-applications" project require access to BigQuery datasets located in the "crm-databases-proj" project. In order to adhere to Google-recommended best practices for granting access, how should you configure the service account in the "web-applications" project to achieve this?