When deploying an application on a Compute Engine instance that communicates with Cloud SQL using Cloud SQL Proxy, what is the Google-recommended best practice for assigning the minimum required access to the service account associated with the instance?