In your role as a Google Cloud Engineer, you are tasked with setting up service accounts for an application that operates across several projects within Google Cloud Platform (GCP). Specifically, you need to configure virtual machines (VMs) within a project named web-applications so that they can access BigQuery datasets located in another project called crm-databases. To adhere to Google's recommended best practices for this configuration, what steps should you take to properly grant the needed access to the service account associated with the web-applications project?