Your service account will need the following permissions:
cloudkms.cryptoKeyVersions.get
cloudkms.cryptoKeyVersions.viewPublicKey
cloudkms.cryptoKeyVersions.useToSign