For an api-key, one can define which APIs can be accessed with that api-key, but for service accounts, you seemingly can't. I thought maybe I could create a new role that only allows access to the vision API, but there is no permission for that.
How do you decide which APIs (e.g. vision API) a service account can call?