Reduce iam.serviceAccountUser role requirement #1700

@bertinatto

Currently, the GCP PD CSI driver requires a Service Account that has the iam.serviceAccountUser role:

However, that goes against Google's Security Health Analytics recommendation:

https://cloud.google.com/security-command-center/docs/how-to-remediate-security-health-analytics-findings#over_privileged_service_account_user

Is it possible to remove this role from the driver's requirements? What would it take to do that?

I looked around this repository but couldn't find the reason this role is required, only this comment that references it: #134 (comment)
