Following is the list of permissions (existing service account) required for supporting GCP Cloud SQL:

• cloudsql.instances.list

• cloudsql.instances.get

• cloudsql.instances.connect

Prerequisite for using an existing VPC:

• An inbound rule allowing TCP traffic on port 5432

• The VPC must have Private Service Access enabled. Refer to the GCP Documentation for configuration details.
  Configure Private Service Access

Additionally, the user account must have the Compute Network Admin role and Secret Manager Secret Accessor role.