Hi there!

I'm running GCP Cloud function

gcloud functions deploy <func-name> \
--gen2 \
--runtime=nodejs20 \
--region=europe-west10 \
--entry-point=<func-name> \
--trigger-http \
--no-allow-unauthenticated

I also have API Gateway 

gitpod /workspace/core (feature/adding-crud-api) $ gcloud api-gateway apis describe <API_DI> --project=$PROJECT_ID
createTime: '2024-06-19T18:57:41.448868827Z'
displayName: <API_DI>
managedService: <API_DI>-0haf6f78r2luy.apigateway.budget-bot-421609.cloud.goog
name: projects/budget-bot-421609/locations/global/apis/<API_DI>
state: ACTIVE
updateTime: '2024-06-19T18:59:18.287841345Z'
gitpod /workspace/core (feature/adding-crud-api) $ gcloud api-gateway api-configs describe <CONFIG_ID> --project=$PROJECT_ID --api=<API_DI>
createTime: '2024-06-19T18:59:30.466213171Z'
displayName: <CONFIG_ID>
gatewayServiceAccount: projects/-/serviceAccounts/<service-account-name>@<PROJECT_ID>.iam.gserviceaccount.com
name: projects/371397289510/locations/global/apis/<API_DI>/configs/<CONFIG_ID>
serviceConfigId: <CONFIG_ID>-0ib4jmqay5ozc
state: ACTIVE
updateTime: '2024-06-19T19:01:39.420687820Z'
gitpod /workspace/core (feature/adding-crud-api) $ 

Here are my Service account roles:

gitpod /workspace/core (feature/adding-crud-api) $ gcloud projects get-iam-policy $PROJECT_ID  \
--flatten="bindings[].members" \
--format='table(bindings.role)' \
--filter="bindings.members:<service-account-name>@<PROJECT_ID>.iam.gserviceaccount.com"
ROLE
roles/cloudfunctions.admin
roles/cloudfunctions.invoker
roles/firebase.admin
roles/iam.serviceAccountUser
roles/logging.admin
roles/owner
roles/run.admin
roles/run.invoker
roles/secretmanager.admin
roles/storage.admin

It's a test service accountand suposed for other activities, but it has required roles:

• roles/cloudfunctions.invoker
• roles/run.invoker

But when I make a call I have 

All guides and articles are saying, that it is an IAM issue, but my service account has all required roles in the world, and it still doesn't work

Could you please help me?