Working with GCP Secrets engine - Trying to limit scope to a particular instance and question on related roles

I’m quite new to both Vault and GCP and working with their APIs. When I create a service account, I’m granting it project wide role access. And, if I understand correctly, I could create conditions for those roles to limit it to a particular resource with a particular name structure.

I’m not seeing any way on the Cloud SQL side (in the Console) to limit a particular instance to a particular service account, for use with Cloud SQL Proxy. Should I create a roleset that points to the cloudsqladmin API, or perhaps to the instance’s self-link? So far, I’ve been using cloudresourcemanager, which seems to make generic SA accounts, not particular to a resource. So, I’m still wrapping my head around specifying resources for a particular API, similar to the docs where they use this as a resource when creating the roleset:"

Should I be able to specify something similar for Cloud SQL instances, to limit which instance the GSA is able to access? And are the roles I specify unique to the Cloud SQL Admin API, or would I just use the same roles as if I were using the cloudresourcemanager API?

Can the GCP Secrets engine rotate keys/tokens for an existing GSA?

Thank you!