I want to create a Google Cloud Kubernetes cluster programmatically in a GitLab CI script .gitlab-ci.yml in order to do e2e testing against it. Therefore I

- created the project project-e2e (in order to separate the billing)
- created the service account gitlab-ci@project-e2e.iam.gserviceaccount.com with a key in JSON format which I'm providing through CI variables and using as shown below
- assigned the roles App Engine Admin, Compute Admin, Kubernetes Engine Admin, Kubernetes Engine Cluster Admin, Editor, Service Account User and Owner following the permission-role mappings described at https://cloud.google.com/kubernetes-engine/docs/reference/api-permissions and https://cloud.google.com/compute/docs/access/iam

The script however fails due to missing permissions of the created service account, which should be covered by the assigned roles as far as I understand (the output contains the commands the stage in the CI script consists of):
$ echo "$GOOGLE_KEY" > key.json
$ gcloud config set project project-e2e
Updated property [core/project].
$ gcloud auth activate-service-account --key-file key.json --project project-e2e
Activated service account credentials for: [gitlab-ci@project-e2e.iam.gserviceaccount.com]
$ gcloud config set compute/zone us-central1-a
Updated property [compute/zone].
$ kubectl config get-contexts
CURRENT NAME CLUSTER AUTHINFO NAMESPACE
$ gcloud container clusters create project-e2e-$CI_COMMIT_SHORT_SHA --project project-e2e --service-account=gitlab-ci@project-e2e.iam.gserviceaccount.com
WARNING: In June 2019, node auto-upgrade will be enabled by default for newly created clusters and node pools. To disable it, use the `--no-enable-autoupgrade` flag.
WARNING: Starting in 1.12, new clusters will have basic authentication disabled by default. Basic authentication can be enabled (or disabled) manually using the `--[no-]enable-basic-auth` flag.
WARNING: Starting in 1.12, new clusters will not have a client certificate issued. You can manually enable (or disable) the issuance of the client certificate using the `--[no-]issue-client-certificate` flag.
WARNING: Currently VPC-native is not the default mode during cluster creation. In the future, this will become the default mode and can be disabled using `--no-enable-ip-alias` flag. Use `--[no-]enable-ip-alias` flag to suppress this warning.
WARNING: Starting in 1.12, default node pools in new clusters will have their legacy Compute Engine instance metadata endpoints disabled by default. To create a cluster with legacy instance metadata endpoints disabled in the default node pool, run `clusters create` with the flag `--metadata disable-legacy-endpoints=true`.
WARNING: Your Pod address range (`--cluster-ipv4-cidr`) can accommodate at most 1008 node(s).
This will enable the autorepair feature for nodes. Please see https://cloud.google.com/kubernetes-engine/docs/node-auto-repair for more information on node autorepairs.
ERROR: (gcloud.container.clusters.create) ResponseError: code=403, message=Required "container.clusters.create" permission(s) for "projects/project-e2e". See https://cloud.google.com/kubernetes-engine/docs/troubleshooting#gke_service_account_deleted for more info.

I tried

- --service-account=gitlab-ci@project-e2e.iam.gserviceaccount.com which has no effect
- --no-enable-legacy-authorization which has no effect
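For reference, here is how the stage described in the question can be laid out as a .gitlab-ci.yml job with a pre-flight check of the service account's IAM bindings before the cluster is created, plus a teardown job so a throwaway e2e cluster does not keep running (and billing) after the pipeline. This is an added example, not code from the question; the job names, the `e2e` stage and the `SA_EMAIL` variable are assumptions, while GOOGLE_KEY, the project id and the service account address are taken from the question. The `gcloud projects get-iam-policy` invocation with `--flatten`, `--filter` and `--format` is the documented way to list the roles bound to one member; printing that list in the job log shows whether the key actually belongs to a principal that holds the expected roles in project-e2e.

```yaml
stages:
  - e2e

variables:
  # Constructed for this example: keeps the service account address in one place.
  SA_EMAIL: gitlab-ci@project-e2e.iam.gserviceaccount.com
  GCP_PROJECT: project-e2e
  GCP_ZONE: us-central1-a

.gcloud_auth: &gcloud_auth
  # Write the JSON key supplied via the GOOGLE_KEY CI variable and activate it.
  - echo "$GOOGLE_KEY" > key.json
  - gcloud auth activate-service-account --key-file key.json --project "$GCP_PROJECT"
  - gcloud config set project "$GCP_PROJECT"
  - gcloud config set compute/zone "$GCP_ZONE"
  # Show which account is active and which project the key's client_email belongs to.
  - gcloud auth list
  - python3 -c 'import json; print("key project:", json.load(open("key.json"))["project_id"])'

e2e_cluster_create:
  stage: e2e
  script:
    - *gcloud_auth
    # Pre-flight: list every role bound to the service account in this project.
    # An empty list here means the roles were granted elsewhere (or to another principal).
    - >
      gcloud projects get-iam-policy "$GCP_PROJECT"
      --flatten="bindings[].members"
      --filter="bindings.members:serviceAccount:${SA_EMAIL}"
      --format="value(bindings.role)"
    - >
      gcloud container clusters create "project-e2e-${CI_COMMIT_SHORT_SHA}"
      --project "$GCP_PROJECT"
      --zone "$GCP_ZONE"
      --num-nodes 1
      --metadata disable-legacy-endpoints=true
    - kubectl config get-contexts
  after_script:
    # Never leave the key on the runner's filesystem after the job.
    - rm -f key.json

e2e_cluster_delete:
  stage: e2e
  needs: [e2e_cluster_create]
  # Run the teardown even if the tests failed, so the cluster does not outlive the pipeline.
  when: always
  script:
    - *gcloud_auth
    - >
      gcloud container clusters delete "project-e2e-${CI_COMMIT_SHORT_SHA}"
      --project "$GCP_PROJECT"
      --zone "$GCP_ZONE"
      --quiet
  after_script:
    - rm -f key.json
```

The `--metadata disable-legacy-endpoints=true` flag is the one the warning in the question's log recommends; `--num-nodes 1` merely keeps an e2e cluster small and is an assumption about what the tests need. Comparing the `project_id` printed from key.json with the project passed on the command line is the quickest way to confirm the key and the role grants refer to the same project.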