Currently doing this myself (not with buckets, but API Gateway and Cloudfunctions) .. I’m doing the following steps • Create Service Account • Associate Service Account with API Gateway config and create the API Gateway • Create Cloud Function • Create Cloud Function IAM Policy, binding the Service Account I created in step 1 with

roles/cloudfunctions.invoker