Following is the list of identified permissions that the existing service account requires to support GCP Cloud SQL:
cloudsql.instances.list
cloudsql.instances.get
cloudsql.instances.connect
Prerequisite for using an existing VPC:
An inbound (ingress) firewall rule allowing TCP traffic on port 5432 (PostgreSQL)
The VPC must have Private Service Access enabled. Refer to the GCP documentation ("Configure Private Service Access") for configuration details.
Additionally, the user account must have the Compute Network Admin role and the secretmanager.secretAccessor role.
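The following checker is an added example, not part of the original documentation or of any Google tooling. It audits the three prerequisites above from JSON that gcloud can emit: the service account's custom role (shape of `gcloud iam roles describe --format=json`, `includedPermissions`), the VPC firewall rules (shape of `gcloud compute firewall-rules list --format=json`, `direction`/`allowed`/`sourceRanges`) and the VPC's `peerings` array (shape of `gcloud compute networks describe --format=json`). The peering name `servicenetworking-googleapis-com` used to detect Private Service Access is an assumption based on the conventional producer-network name, and all sample values are constructed. As a defender's check it also flags a 5432 ingress rule whose source range is the whole internet, since the prerequisite only asks for the port to be reachable from the VPC, not from everywhere.

```python
"""Audit GCP Cloud SQL prerequisites from gcloud-style JSON (added example)."""
import ipaddress

REQUIRED_PERMISSIONS = {
    "cloudsql.instances.list",
    "cloudsql.instances.get",
    "cloudsql.instances.connect",
}
POSTGRES_PORT = 5432
# Name of the VPC peering created by Private Service Access (assumption:
# the conventional Service Networking producer-network name).
PSA_PEERING_NAME = "servicenetworking-googleapis-com"


def missing_permissions(role: dict) -> list[str]:
    """Return the required Cloud SQL permissions absent from a custom role."""
    granted = set(role.get("includedPermissions", []))
    return sorted(REQUIRED_PERMISSIONS - granted)


def port_in_spec(port: int, spec: str) -> bool:
    """True if `port` lies in a gcloud port spec such as '5432' or '5000-6000'."""
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)


def allows_postgres_ingress(rule: dict) -> bool:
    """True for an enabled INGRESS rule whose allowed list covers tcp/5432."""
    if rule.get("disabled") or rule.get("direction") != "INGRESS":
        return False
    for entry in rule.get("allowed", []):
        if entry.get("IPProtocol") not in ("tcp", "all"):
            continue
        ports = entry.get("ports")
        # An allowed entry without 'ports' matches every port of the protocol.
        if not ports or any(port_in_spec(POSTGRES_PORT, p) for p in ports):
            return True
    return False


def open_to_internet(rule: dict) -> bool:
    """True if any source range is the entire IPv4 or IPv6 address space."""
    return any(
        ipaddress.ip_network(r, strict=False).prefixlen == 0
        for r in rule.get("sourceRanges", [])
    )


def has_private_service_access(peerings: list[dict]) -> bool:
    """True if the VPC has an ACTIVE peering to the Service Networking producer."""
    return any(
        p.get("name") == PSA_PEERING_NAME and p.get("state") == "ACTIVE"
        for p in peerings
    )


def audit(role: dict, firewall_rules: list[dict], peerings: list[dict]) -> list[str]:
    """Return human-readable findings; an empty list means all prerequisites hold."""
    findings = []
    missing = missing_permissions(role)
    if missing:
        findings.append("role lacks: " + ", ".join(missing))
    matching = [r for r in firewall_rules if allows_postgres_ingress(r)]
    if not matching:
        findings.append("no ingress rule allows tcp/5432")
    for r in matching:
        if open_to_internet(r):
            findings.append(
                f"rule {r['name']} exposes tcp/5432 to 0.0.0.0/0; restrict sourceRanges"
            )
    if not has_private_service_access(peerings):
        findings.append("VPC has no active Private Service Access peering")
    return findings


# Constructed sample input (not real project data).
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/cloudsqlConnector",
    "includedPermissions": ["cloudsql.instances.list", "cloudsql.instances.get"],
}
SAMPLE_RULES = [
    {"name": "allow-postgres-from-anywhere", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}], "sourceRanges": ["0.0.0.0/0"]},
    {"name": "allow-postgres-internal", "direction": "INGRESS", "disabled": False,
     "allowed": [{"IPProtocol": "tcp", "ports": ["5000-6000"]}], "sourceRanges": ["10.128.0.0/20"]},
]
SAMPLE_PEERINGS = [
    {"name": PSA_PEERING_NAME, "state": "ACTIVE",
     "network": "https://www.googleapis.com/compute/v1/projects/example-producer"
                "/global/networks/servicenetworking-googleapis-com"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLE, SAMPLE_RULES, SAMPLE_PEERINGS):
        print("FINDING:", finding)
```

On the constructed sample the audit reports that the role is missing `cloudsql.instances.connect` and that the first rule exposes 5432 to the internet; the internal rule satisfies the port prerequisite on its own, so restricting the broad rule does not break connectivity.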