I suggest double-checking the permissions for your target project.

roles/cloudsql.editor (or roles/cloudsql.admin): Confirm this role is assigned to your service account in the target project (preprod_id). This role is crucial for creating new Cloud SQL instances.

If you are sure this is done correctly, review whether you have VPC access controls and grant necessary access within the perimeter.

You can review the permissions of a project:

gcloud projects get-iam-policy $preprod_id --flatten="bindings[].members"
--format='table(bindings.role:sort=1, bindings.members)'