You are deploying a serverless application on Cloud Run that needs to publish messages to a specific Pub/Sub topic. To ensure the application follows the principle of least privilege, what role should you assign to the service account associated with the Cloud Run instance?