As you did not mention it in your post: maybe you just forgot to activate the service account?
gcloud auth activate-service-account [ACCOUNT] --key-file=KEY_FILE
also, make sure that you have correct permissions to impersonate the SA you want to use.