All I want to do is connect to a Cloud SQL Instance

You have two pre-defined roles that you can use for this purpose.

  1. roles/cloudsql.editor - seems to be a fairly permissive role
  2. roles/client.connector - seems to be less permissive

You need one of these two roles to connect to a Cloud SQL instance at all.

However, which of these roles works for you depends on HOW you are connecting to the Cloud SQL instance.

Only if you are coming in from App Engine, or via the Cloud SQL Proxy, can you use the client.connector role (the less permissive role). For all other use cases, you are stuck with the cloudsql.editor role, which is fairly permissive.

Also, note that using the proxy requires you to spin up a compute instance VM.
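
To find where the permissive role is already granted, the following added example (not part of the original note) walks a project IAM policy, as exported with `gcloud projects get-iam-policy PROJECT --format=json`, and lists every member holding roles/cloudsql.editor. The sample policy, the project name `demo-project` and the member names are constructed; the code assumes App Engine callers appear as the default service account ending in `@appspot.gserviceaccount.com`.

```python
import json

EDITOR_ROLE = "roles/cloudsql.editor"  # role name as given in the text above

# Constructed sample in the shape of `gcloud projects get-iam-policy --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "roles/cloudsql.editor",
     "members": ["serviceAccount:demo-project@appspot.gserviceaccount.com",
                 "serviceAccount:batch-job@demo-project.iam.gserviceaccount.com",
                 "user:dba@example.com"]},
    {"role": "roles/viewer", "members": ["user:dba@example.com"]}
  ]
}
""")


def editor_grants(policy):
    """Return one finding per member that holds the Cloud SQL editor role."""
    findings = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != EDITOR_ROLE:
            continue
        for member in binding.get("members", []):
            kind, _, identity = member.partition(":")
            # Assumption: App Engine apps run as the default service account,
            # whose address ends in @appspot.gserviceaccount.com. Per the text,
            # those callers can use the less permissive role instead.
            app_engine = (kind == "serviceAccount"
                          and identity.endswith("@appspot.gserviceaccount.com"))
            findings.append({
                "member": member,
                "conditional": "condition" in binding,  # IAM condition attached?
                "action": "downgrade" if app_engine else "review connection path",
            })
    return findings


if __name__ == "__main__":
    for f in editor_grants(SAMPLE_POLICY):
        print(f"{f['member']}: {f['action']}")
```

Members marked "review connection path" need a manual check of how they connect (for example, through the proxy) before the grant can be reduced.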