Identities and access should be granted to users and processes according to the Principle of Least Privilege.
This means that access should be granted with only the bare-minimum permissions the subject needs to carry out its interaction with the cloud legitimately. Additional permissions can be granted as and when needs and requirements evolve.
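
The following Python sketch is an added example, not part of the original text. It compares what a subject is allowed to do with what it actually did, proposes a bare-minimum policy, and adds a single explicit permission when a new need arises. The policy format, the `service:Action` names and the log records are constructed, provider-neutral assumptions.

```python
from fnmatch import fnmatchcase

# Constructed, provider-neutral sample data. The "service:Action" names are
# assumptions for illustration, not any real provider's permission names.
CATALOGUE = [
    "storage:GetObject", "storage:PutObject", "storage:DeleteObject",
    "storage:ListBucket", "queue:Send", "queue:Receive",
    "db:Read", "db:Write", "iam:CreateUser", "iam:AttachPolicy",
]
GRANTED = {"report-job": ["storage:*", "queue:Send", "db:Read", "iam:*"]}
# Constructed access-log records: (subject, action it actually performed).
OBSERVED = [
    ("report-job", "storage:GetObject"),
    ("report-job", "storage:ListBucket"),
    ("report-job", "db:Read"),
    ("report-job", "storage:GetObject"),
]

def expand(patterns, catalogue=CATALOGUE):
    """Expand wildcard grants into the concrete actions they allow."""
    return {a for a in catalogue if any(fnmatchcase(a, p) for p in patterns)}

def right_size(subject, granted=GRANTED, observed=OBSERVED):
    """Compare what a subject is allowed to do with what it actually did."""
    patterns = granted[subject]
    allowed = expand(patterns)
    used = {action for who, action in observed if who == subject}
    return {
        "wildcards": sorted(p for p in patterns if "*" in p),
        "unused": sorted(allowed - used),          # candidates for removal
        "minimal_policy": sorted(used & allowed),  # explicit actions only
    }

def extend(policy, action, catalogue=CATALOGUE):
    """Grant one more explicit action when a new need appears."""
    if action not in catalogue:
        raise ValueError(f"unknown or wildcard action: {action!r}")
    return sorted(set(policy) | {action})

if __name__ == "__main__":
    report = right_size("report-job")
    for key, value in report.items():
        print(f"{key}: {value}")
    print("after new requirement:", extend(report["minimal_policy"], "queue:Send"))
```

Before removing the `unused` entries, make sure the observation window is long enough to include infrequent but legitimate tasks, otherwise the tightened policy will block them.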