Create and assign a custom role with the cloudsql.instances.connect permission to the custom service account. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.

Grant the custom service account the roles/cloudsql.client role. Adjust the Cloud SQL Auth Proxy start command to use the --unix-socket CLI option.

Grant the custom service account the roles/cloudsql.editor role.

Grant the custom service account the roles/cloudsql.viewer role. Adjust the Cloud SQL Auth Proxy start command to specify your instance connection name.