Which predefined roles should be assigned to a service account to provide least privilege access for reading data from Cloud SQL for SQL Server and updating a table in Cloud Spanner?