Add small note on revocation statement in GCP CloudSQL documentation (#23301)

website/content/docs/secrets/databases/mysql-maria.mdx

@@ -176,8 +176,8 @@ the following SQL privileges are needed by the service account's DB user for min
 Additional privileges may be needed depending on the SQL configured on the database roles.
 
 ```sql
--- Enable service account to create roles within DB
-GRANT CREATEROLE ON <database>.<object> TO "test-user"@"%";
+-- Enable service account to create users within DB
+GRANT SELECT, CREATE, CREATE USER ON <database>.<object> TO "test-user"@"%" WITH GRANT OPTION;
 ```
 
 ### Setup
@@ -217,5 +217,27 @@ GRANT CREATEROLE ON <database>.<object> TO "test-user"@"%";
         service_account_json="@my_credentials.json"
     ```
 
-Once the connection has been configured and IAM authentication is complete, the steps to set up a role and generate
-credentials are the same as the ones listed above.
+1.  Configure a new role in Vault but override the default revocation statements
+    so Vault will drop the user instead:
+
+    ```shell-session
+       $ vault write database/roles/my-role \
+           db_name=my-mysql-database \
+           creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON *.* TO '{{name}}'@'%';" \
+           revocation_statements="DROP USER '{{name}}'@'%';" \
+           default_ttl="1h" \
+           max_ttl="24h"
+    ```
+
+1.  When you finish configuring the new role, generate credentials as before:
+
+    ```shell-session
+       $ vault read database/creds/my-role
+       Key                Value
+       ---                -----
+       lease_id           database/creds/my-role/2f6b629f-7ah2-7b19-24b9-ad879a8d4bf2
+       lease_duration     1h
+       lease_renewable    true
+       password           vY-57n3X5UQhxnmGTK7g
+       username           v_vaultuser_my-role_frBYNfYh3Kw3
+    ```