
Document exactly what set of permissions is needed for a specific CRD

Open muvaf opened this issue 3 years ago • 1 comment

What problem are you facing?

Users would like to give the least possible set of permissions to the ServiceAccount they use, but they end up granting wider roles than necessary. For example, the CloudSQL Admin role includes making SQL queries, but the controller never does that.

How could Crossplane help solve your problem?

We can annotate CRDs with the set of permissions controller may ever need, similar to https://github.com/crossplane/provider-aws/issues/514

It seems that permissions are at call granularity in GCP, similar to AWS. You can see examples here. So, by analyzing the controller code statically and with some string manipulation, we might be able to generate the list of permissions needed and annotate the final CRD.

muvaf avatar Jan 29 '21 14:01 muvaf
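A sketch of the static-analysis step the issue proposes, as an added example that is not part of the issue or of provider-gcp's code: it parses a constructed snippet of controller source with go/ast, finds every call shaped like client.Collection.Method(...), maps each to the IAM permission that API method checks, and renders the result as a CRD annotation. The call-to-permission table, the sample controller source, and the annotation key gcp.crossplane.io/required-permissions are all assumptions made here for illustration. The caveat a reviewer would want is built in: a call the table does not know is reported instead of dropped, because silently omitting one yields an annotation that under-grants and fails at reconcile time.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"sort"
	"strings"
)

// permissionFor maps a call on the sqladmin client, keyed as
// "<Collection>.<Method>" (e.g. "Instances.Insert"), to the IAM permission
// that API method checks. Hand-written, illustrative table (assumed; not
// generated from Google's API discovery documents).
var permissionFor = map[string]string{
	"Instances.Insert": "cloudsql.instances.create",
	"Instances.Get":    "cloudsql.instances.get",
	"Instances.Patch":  "cloudsql.instances.update",
	"Instances.Delete": "cloudsql.instances.delete",
	"Instances.List":   "cloudsql.instances.list",
}

// AnnotationKey is a hypothetical CRD annotation name used for the output.
const AnnotationKey = "gcp.crossplane.io/required-permissions"

// sampleController is constructed input resembling a managed-resource
// controller; it is not provider-gcp's real code. Databases.List has no
// table entry on purpose, to exercise the unmapped-call path.
const sampleController = `package cloudsql

func (e *external) Observe(svc *sqladmin.Service, project, name string) error {
	_, err := svc.Instances.Get(project, name).Do()
	return err
}

func (e *external) Create(svc *sqladmin.Service, project string, in *sqladmin.DatabaseInstance) error {
	_, err := svc.Instances.Insert(project, in).Do()
	return err
}

func (e *external) Delete(svc *sqladmin.Service, project, name string) error {
	_, err := svc.Instances.Delete(project, name).Do()
	_, _ = svc.Databases.List(project, name).Do()
	return err
}
`

// RequiredPermissions parses Go source, collects every call of the shape
// client.<Collection>.<Method>(...), and returns the sorted, de-duplicated
// permission set plus the calls the table does not know about.
func RequiredPermissions(src string) ([]string, []string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "controller.go", src, 0)
	if err != nil {
		return nil, nil, err
	}
	seen := map[string]bool{}
	unknown := map[string]bool{}
	ast.Inspect(f, func(n ast.Node) bool {
		call, ok := n.(*ast.CallExpr)
		if !ok {
			return true
		}
		method, ok := call.Fun.(*ast.SelectorExpr) // <X>.Method(...)
		if !ok {
			return true
		}
		coll, ok := method.X.(*ast.SelectorExpr) // client.Collection
		if !ok {
			return true // e.g. the trailing .Do() on a call result
		}
		key := coll.Sel.Name + "." + method.Sel.Name
		if p, ok := permissionFor[key]; ok {
			seen[p] = true
		} else {
			unknown[key] = true
		}
		return true
	})
	var perms, unmapped []string
	for p := range seen {
		perms = append(perms, p)
	}
	for k := range unknown {
		unmapped = append(unmapped, k)
	}
	sort.Strings(perms)
	sort.Strings(unmapped)
	return perms, unmapped, nil
}

// Annotation renders the permission set as one CRD annotation line.
func Annotation(perms []string) string {
	return AnnotationKey + ": " + strings.Join(perms, ",")
}

func main() {
	perms, unmapped, err := RequiredPermissions(sampleController)
	if err != nil {
		panic(err)
	}
	fmt.Println(Annotation(perms))
	if len(unmapped) > 0 {
		fmt.Println("unmapped calls, extend the table before publishing:", unmapped)
	}
}
```

A generator built this way should refuse to emit the annotation while the unmapped list is non-empty; the permission table is the part that has to track the provider's client usage, so it belongs next to the controller code and under the same review.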