Which role for a member for R2-only access?

I created a private R2 bucket and I want to add a member to my organization’s Cloudflare account so that he can upload files to the bucket. I would like to grant him whichever role would allow him to do this while conferring an absolute minimum of other privileges. He should never be altering DNS, Cloudflare Pages configuration, or really anything else.

Which role maps best onto this requirement? I see no mention of R2 or object storage in any of the listed roles for new members, nor do I find this in the documentation for R2.

I just heard from Cloudflare support that there is no role for this function, and that the user will have to be a domain admin.