I tried just about every other fix in this thread and nothing worked :(

In the end, it was a bucket region issue in my case. My bucket was dual-region. Creating a new one on single region and having the service-<PROJECT_ID>@gcp-sa-discoveryengine.iam.gserviceaccount.com service account with:

• Discovery Engine Service Agent

• Storage Admin

Perms inherited on IAM level (across all GCS) worked finally!