I created a service account for devs, so they can use the "gcloud run deploy" command. I've managed to find the correct roles: Artifact Registry Administrator and Cloud Run Admin; but there is a third permission about the storage part which I can't find the right one for, "Cloud Build Service Account" or "Storage Admin", because both give full permissions to all buckets and objects.
You can restrict your service account to only the default Cloud Build bucket (<PROJECT_ID>_cloudbuild) by going to the bucket permissions tab and adding a new principal (your service account) with the Storage Admin role.
However, another thing you must do is to give the service account the storage.buckets.list permission for the whole project, which is why you keep seeing the error.
You can verify this by running gcloud run deploy with --verbosity=debug, to see the internal error message:
"error": {
"code": 403,
"message": "<SERVICE_ACCOUNT> does not have storage.buckets.list access to the Google Cloud project.",
...
To give minimal permissions, you can create a custom role with only the storage.buckets.list permission and assign it to your service account, which is enough to solve the problem as I verified.
Here are the permissions I ended up using for the service account (relevant doc):
Let me know if this was useful.
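The grants the answer above describes, as an added example in gcloud form (this is not code from the question or the answer): the two project-wide roles from the question, Storage Admin scoped to the single <PROJECT_ID>_cloudbuild bucket, a custom role that carries only storage.buckets.list, and the --verbosity=debug deploy used to check the result. PROJECT_ID, SA_NAME, CUSTOM_ROLE_ID, REGION and SERVICE are placeholder assumptions, and the bucket is assumed to exist already. By default the script only prints each command (DRY_RUN=1); set DRY_RUN=0 to apply them.

```shell
#!/bin/sh
# Added example, not from the original question or answer. PROJECT_ID,
# SA_NAME, CUSTOM_ROLE_ID, REGION and SERVICE are placeholder assumptions.
set -eu

PROJECT_ID="${PROJECT_ID:-my-project}"
SA_NAME="${SA_NAME:-dev-deployer}"
SA="${SA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
BUCKET="gs://${PROJECT_ID}_cloudbuild"        # default Cloud Build bucket
CUSTOM_ROLE_ID="${CUSTOM_ROLE_ID:-cloudBuildBucketLister}"
REGION="${REGION:-europe-west1}"
SERVICE="${SERVICE:-hello}"

# DRY_RUN=1 (the default) prints each gcloud command instead of running it,
# so the grants can be reviewed before they touch a project.
DRY_RUN="${DRY_RUN:-1}"
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_service_account() {
  run gcloud iam service-accounts create "$SA_NAME" --project="$PROJECT_ID" \
    --display-name="Cloud Run deployer for developers"
}

# Project-wide roles the question already identified.
grant_project_roles() {
  for role in roles/artifactregistry.admin roles/run.admin; do
    run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
      --member="serviceAccount:$SA" --role="$role"
  done
}

# Storage Admin bound on the one Cloud Build bucket rather than on the
# project, so the service account gets no access to any other bucket.
grant_bucket_storage_admin() {
  run gcloud storage buckets add-iam-policy-binding "$BUCKET" \
    --member="serviceAccount:$SA" --role=roles/storage.admin
}

# Custom role holding only storage.buckets.list, granted at project level;
# this is the permission named in the 403 from the debug output.
create_and_grant_list_role() {
  run gcloud iam roles create "$CUSTOM_ROLE_ID" --project="$PROJECT_ID" \
    --title="Bucket lister" --permissions=storage.buckets.list --stage=GA
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="serviceAccount:$SA" \
    --role="projects/$PROJECT_ID/roles/$CUSTOM_ROLE_ID"
}

# The answer's check: deploy as the service account (impersonation needs
# roles/iam.serviceAccountTokenCreator on it for the caller) with
# --verbosity=debug so any remaining 403 names the missing permission.
deploy_as_service_account() {
  run gcloud run deploy "$SERVICE" --source=. --region="$REGION" \
    --project="$PROJECT_ID" --impersonate-service-account="$SA" \
    --verbosity=debug
}

main() {
  create_service_account
  grant_project_roles
  grant_bucket_storage_admin
  create_and_grant_list_role
  deploy_as_service_account
}

main
```

Run it once with the defaults to read the commands it would issue, then with DRY_RUN=0 and your own PROJECT_ID and SA_NAME to apply them; the custom-role creation is project-scoped, so the role ID only has to be unique within that project.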