You are deploying a containerized application to a Google Kubernetes Engine (GKE) cluster. The application needs to access Google Cloud Storage to read and write files. To follow the principle of least privilege, what role should you assign to the service account associated with the application’s instance?