Refactor service account usage for GCP to follow best practices

Hello 👋

I am trying to deploy a hybrid environment in GCP using GET.

During the preparation it asks me to create a service account on GCP:

Proceed to create an account with a descriptive name like gitlab-qa and give it the IAM roles of Compute Admin, Kubernetes Engine Admin, Storage Admin and Service Account User. (source)

From what I understand, the service account requested above (and its permissions) is necessary for me to be able to create all the resources correctly on my GCP project.

I should also be able to skip this step and use my own user application credentials if I have the same permissions. Am I thinking right?

Later, when I am running Ansible to perform the configuration, the documentation instructs me to pass the same service account key to the GitLab workloads:

`gcp_service_account_host_file` GCP only - Local path to the Service Account file. This is the same one created in Setup Provider Authentication - Service Account. The Toolkit uses this to configure GitLab's Object Storage access.

But I think that the GitLab workloads don't need the Compute Admin, Kubernetes Engine Admin, Storage Admin and Service Account User permissions, right?

I was also wondering whether, in a scenario where RCE is possible, this key would be accessible for download.

I was wondering if it would make sense to create a dedicated service account in terraform for this just with the necessary permissions. What do you think?
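As an added illustration of the dedicated-service-account idea raised above (this is example Terraform written for this post, not code from the GitLab Environment Toolkit or its documentation): it creates a second service account for the GitLab workloads that holds only bucket-scoped object storage permissions, instead of the project-wide Compute Admin, Kubernetes Engine Admin, Storage Admin and Service Account User roles that the provisioning account needs. The bucket names in `gitlab_buckets`, the account id `gitlab-object-storage` and the output name are assumptions chosen for the example; substitute the buckets your deployment actually uses.

```hcl
variable "project_id" {
  type = string
}

# Assumed bucket names for the example only; replace with the object storage
# buckets your GitLab deployment actually uses.
variable "gitlab_buckets" {
  type    = list(string)
  default = ["gitlab-artifacts", "gitlab-uploads", "gitlab-lfs"]
}

# Dedicated identity for the GitLab workloads, separate from the
# provisioning account used to create compute, GKE and storage resources.
resource "google_service_account" "gitlab_object_storage" {
  project      = var.project_id
  account_id   = "gitlab-object-storage"
  display_name = "GitLab workloads: object storage access only"
}

# Bucket-level binding rather than a project-level role: the account can
# read and write objects in the listed buckets and nothing else.
resource "google_storage_bucket_iam_member" "gitlab_object_storage" {
  for_each = toset(var.gitlab_buckets)
  bucket   = each.value
  role     = "roles/storage.objectAdmin"
  member   = "serviceAccount:${google_service_account.gitlab_object_storage.email}"
}

# User-managed key for this account; private_key is base64-encoded JSON.
resource "google_service_account_key" "gitlab_object_storage" {
  service_account_id = google_service_account.gitlab_object_storage.name
}

# Decoded key file content, marked sensitive so it is redacted in plan/apply
# output. Write it to the path you pass as gcp_service_account_host_file.
output "gitlab_object_storage_key_json" {
  value     = base64decode(google_service_account_key.gitlab_object_storage.private_key)
  sensitive = true
}
```

Usage: after `terraform apply`, `terraform output -raw gitlab_object_storage_key_json > gitlab-object-storage.json` gives a file that can be passed as `gcp_service_account_host_file` in place of the provisioning key. Note that this only narrows the blast radius of the key the workloads hold: a key file on the host is still a file on the host, so the RCE concern in the post is reduced to "attacker can read and write these buckets" rather than eliminated, and the key should be rotated like any other credential.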