Currently doing this myself (not with buckets, but API Gateway and Cloudfunctions) .. I’m doing the following steps
• Create Service Account
• Associate Service Account with API Gateway config and create the API Gateway
• Create Cloud Function
• Create Cloud Function IAM Policy, binding the Service Account I created in step 1 with
roles/cloudfunctions.invoker