terraform-google-modules / terraform-google-sql-db

Creates a Cloud SQL database instance
https://registry.terraform.io/modules/terraform-google-modules/sql-db/google
Apache License 2.0
263 stars, 422 forks

fix: update bucket permissions #600

Closed. rverenich closed this 4 months ago

rverenich commented 4 months ago

The closest existing role that fixes https://github.com/terraform-google-modules/terraform-google-sql-db/issues/599 and adds the [storage.objects.delete] permission is roles/storage.objectUser.

https://www.googlecloudcommunity.com/gc/Databases/Export-with-gcloud-sql-export-but-service-role-with-storage/m-p/666282 quotes from an answer by Google staff: "To export data from Cloud SQL to Cloud Storage, the service account should have the roles/storage.legacyBucketWriter role on the bucket. Note: The roles/storage.legacyBucketWriter role is a legacy role and might not be recommended for all use cases. For more granular control, consider using roles like roles/storage.objectCreator or roles/storage.objectAdmin."

google-cla[bot] commented 4 months ago

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

g-awmalik commented 4 months ago

@rverenich - thanks for the PR. Can you please sign the CLA?

g-awmalik commented 4 months ago

/gcbrun

rverenich commented 4 months ago

signed

ps-occrp commented 4 months ago

In its current form this service account does not need to delete any objects from a bucket, so why should it get the roles/storage.objectUser role? This role allows the SA to get, list, update and delete objects in the bucket, in addition to all of that on managed folders. I think this goes against the least privilege principle.
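For reference, the least-privilege binding the two comments above (the role comparison in the opening comment and the objection here) point at, written as an added example that is not code from this module or this PR. It assumes a bucket named "my-export-bucket" and a google_sql_database_instance resource named "db" in the same configuration; both names are placeholders.

```hcl
# Added example, not part of terraform-google-sql-db or PR #600.
# Grants the Cloud SQL instance's service account only what an export
# to Cloud Storage needs: object creation on the export bucket.
resource "google_storage_bucket_iam_member" "sql_export_writer" {
  bucket = "my-export-bucket" # assumed bucket name (placeholder)

  # roles/storage.objectCreator grants storage.objects.create.
  # roles/storage.objectUser would additionally grant get, list,
  # update and delete on objects, which an export does not require.
  role = "roles/storage.objectCreator"

  # service_account_email_address is the per-instance Cloud SQL
  # service account exposed by the google_sql_database_instance resource.
  member = "serviceAccount:${google_sql_database_instance.db.service_account_email_address}"
}
```

If a bucket-level binding is preferred over the member resource, the same role and member can be expressed with google_storage_bucket_iam_binding, but that resource is authoritative for the role and will remove other members holding it.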

rverenich commented 4 months ago

It fails with:

Access denied for service account ...@gcp-sa-cloud-sql.iam.gserviceaccount.com, permissions missing are: [storage.objects.delete]"

rverenich commented 4 months ago

This workflow started working again without "permissions missing are: [storage.objects.delete]". It might be some internal gcloud glitch. This PR may be closed for now.