Currently deployments use service accounts with project-level `storage.admin` permissions, meaning a compromised Wordpress site has the potential to delete all storage bucket contents across both projects.

These permissions need to be reduced to per-bucket roles rather than project roles, see https://cloud.google.com/storage/docs/access-control/iam#project-level_roles_vs_bucket-level_roles

GCS buckets affected:

• planet4-nro-stateless
• planet4-nro-db-backup
• planet4-nro-images-backup

Tasks:

• apply per-bucket `roles/storage.admin` permissions for each listed bucket, for each service account - https://cloud.google.com/storage/docs/access-control/iam-roles
• remove global `storage.admin` role from IAM service account - https://console.cloud.google.com/iam-admin/iam?organizationId=644593243610&project=planet4-production
• Confirm service account can no longer affect files outside it's own buckets