What are the actual set of permissions required for a service account used to authenticate the Cloud SQL proxy? The documentation says that the proxy needs the Project Editor role, but I find it hard to believe that a simple proxy could require such a broad permission scope.
Also, does a dedicated service account need to be created or can the Compute Engine default service account just be used to provide this authentication?