'iam.serviceAccounts.get',
'serviceusage.services.enable',
'serviceusage.services.list',
'serviceusage.services.use',
'storage.buckets.create',
'storage.buckets.get',
'storage.buckets.delete',
'storage.objects.create',
'storage.objects.delete',
'storage.objects.update',
'storage.objects.get',
'storage.objects.list',
'resourcemanager.projects.get'
Above are the easiest permissions to grant a GCP service account without the Owner role. Access can be granted via GCP’s IAM & Admin console.