The caller does not have permission Cloud Composer

Hello, so currently I want to create a Cloud Composer environment in a service project using a Shared VPC from the host project.
I already assigned these roles to my Composer service account in the service project: Cloud Composer API Service Agent, Cloud Composer v2 API Service Agent Extension, Composer Shared VPC Agent, Compute Network User, Editor,
and assigned my host project's Compute Engine default service account the Editor role in the service project.

And I assigned these roles to my Composer service account in the host project: Cloud Composer API Service Agent, Cloud Composer v2 API Service Agent Extension, Composer Shared VPC Agent, Compute Network User, Editor, Kubernetes Engine Host Service Agent User, Service Account User


but got this error (the screenshot attached to the original post is not reproduced here):

could you please help me?

ACCEPTED SOLUTION

It seems like you've assigned a comprehensive set of roles to your service accounts. However, the error message "The caller does not have permission" still suggests that there might be a missing permission or role.

Here are a few additional things to consider:

  1. Project IAM Admin Role: Ensure that the service account has the resourcemanager.projectIamAdmin role. This role provides permissions to administer IAM policies on the project, which might be necessary if your operation involves changing IAM policies.

  2. Shared VPC Admin Role: If you're using a shared VPC, the service account might need the compute.xpnAdmin role on the host project. This role provides permissions to administer shared VPCs.

  3. Service Account User Role: Ensure that the service account has the iam.serviceAccountUser role. This role allows the service account to act as itself, which might be necessary for certain operations.

  4. Service Account Key Admin Role: If your operation involves creating or managing service account keys, the service account might need the iam.serviceAccountKeyAdmin role.

  5. Check for Conflicting IAM Policies: If you have an organization-level IAM policy that's more restrictive than your project-level policy, the organization-level policy might be preventing your operation. Check your organization-level IAM policy to ensure it's not conflicting with your project-level policy.

  6. Check for Service Account Disablement: Ensure that the service account you're using hasn't been disabled. If a service account is disabled, it can't be used to authenticate or authorize operations.

If you've checked all of these and you're still getting the error, it might be helpful to get more information about the exact operation that's failing. The error message should include a tracking number that you can use to look up more details about the error in the Google Cloud Console's Activity page.
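A quick way to turn the checklist above into something repeatable is to diff the roles the service account actually holds in each project against the roles named in this thread. The following is an added example, not code from the original answer: it reads IAM policies in the JSON shape that `gcloud projects get-iam-policy PROJECT --format=json` returns (the two policies below are constructed samples with placeholder project ids and service-account e-mail), skips conditional bindings, and reports what is still missing per project. Which role belongs in the host versus the service project is an assumption to verify against the Cloud Composer Shared VPC documentation.

```python
"""Audit which of the roles named in this thread a Cloud Composer service
account holds in the Shared VPC host and service projects.

Added example, not from the original thread. Policies are constructed samples
in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
"""

COMPOSER_SA = "serviceAccount:composer-sa@svc-project.iam.gserviceaccount.com"

# Roles mentioned in the thread. The host/service split is an assumption to
# check against the Cloud Composer Shared VPC documentation.
EXPECTED = {
    "host": {"roles/compute.networkUser", "roles/composer.sharedVpcAgent",
             "roles/container.hostServiceAgentUser", "roles/iam.serviceAccountUser"},
    "service": {"roles/composer.serviceAgent", "roles/composer.ServiceAgentV2Ext",
                "roles/compute.networkUser"},
}

# Constructed sample: the host project is missing two of the expected roles.
HOST_POLICY = {"bindings": [
    {"role": "roles/compute.networkUser", "members": [COMPOSER_SA]},
    {"role": "roles/composer.sharedVpcAgent", "members": [COMPOSER_SA]},
    {"role": "roles/editor", "members": ["user:admin@example.com"]},
]}

# Constructed sample: every expected role present, plus an Editor grant that
# carries an IAM condition and therefore must not count as satisfied.
SERVICE_POLICY = {"bindings": [
    {"role": "roles/composer.serviceAgent", "members": [COMPOSER_SA]},
    {"role": "roles/composer.ServiceAgentV2Ext", "members": [COMPOSER_SA]},
    {"role": "roles/compute.networkUser", "members": [COMPOSER_SA, "user:admin@example.com"]},
    {"role": "roles/editor", "members": [COMPOSER_SA],
     "condition": {"title": "expired", "expression": "request.time < timestamp('2023-01-01T00:00:00Z')"}},
]}

def roles_for(policy: dict, member: str) -> set:
    """Roles bound to `member` without an IAM condition. Conditional grants are
    skipped because they may not apply to the failing Composer request."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}

def missing_roles(policy: dict, member: str, expected: set) -> set:
    """Expected roles that `member` does not hold unconditionally in `policy`."""
    return set(expected) - roles_for(policy, member)

def audit(policies: dict, member: str) -> dict:
    """Map each project name to the roles still to grant; empty set means all present."""
    return {name: missing_roles(policies[name], member, EXPECTED[name]) for name in EXPECTED}

if __name__ == "__main__":
    for project, missing in audit({"host": HOST_POLICY, "service": SERVICE_POLICY}, COMPOSER_SA).items():
        print(project, "missing:", sorted(missing) or "none")
```

To run it against real projects, replace the two sample dicts with `json.load` of the exported policies and extend EXPECTED with any of the extra roles from the list above (for example roles/compute.xpnAdmin on the host project) that apply to your case.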


thanks!!!

Have you found what the issue was? I don't understand what has changed this week. I have a daily build of Cloud Composer that runs daily and it broke all of a sudden due to this missing permission...

Hi,

I'm getting the same permission error!
Have you got your issue resolved?
If so, which of the above permissions solved this issue?

TIA

Arav