GCP auth doesn't work as expected

Hi all!
I have an HA Vault server with a GCP storage type.
I configured the server service account in google for vault, created service accounts in google for services, and annotated service accounts in Kubernetes.
When I set vault annotations like, vault agent and vault injector pods don’t create:

    vault.hashicorp.com/agent-inject: "true"
    vault.hashicorp.com/agent-inject-status: update
    vault.hashicorp.com/auth-config-service-account: "${K8S_SERVICE_SERVICEACC_NAME}"
    vault.hashicorp.com/auth-config-type: "iam"
    vault.hashicorp.com/auth-type: "gcp"
    vault.hashicorp.com/ca-cert: /run/secrets/kubernetes.io/serviceaccount/ca.crt
    vault.hashicorp.com/log-level: debug
    vault.hashicorp.com/role: "${ROLE_NAME}"
    vault.hashicorp.com/tls-skip-verify: "true"
    vault.hashicorp.com/agent-inject-secret-keys: "kv/path/to/secret"

    vault.hashicorp.com/agent-inject-template-keys: |
      {{ with secret "kv/path/to/secret" }}
      {{ range $k, $v := .Data.data }}export {{ $k }}="{{ $v }}"
      {{ end }}
      {{ end }}

There are my steps to set up the google part:

#Create the vault kms keyring:
gcloud kms keyrings create ${KMS_NAME} \
  --location global \
  --project ${PROJECT_ID}

#Create the vault-init encryption key:
gcloud kms keys create ${KMS_KEY_NAME} \
  --location global \
  --keyring ${KMS_KEYRING_NAME} \
  --purpose encryption \
  --project ${PROJECT_ID}

#Create a GCS bucket:
gsutil mb -p ${PROJECT_ID} gs://${BUCKET_NAME}

#Set versioning
gsutil versioning set on gs://${BUCKET_NAME}

#Create the vault service account:
gcloud iam service-accounts create ${SERVER_SERVICEACC_NAME} \
  --display-name "${SERVER_SERVICEACC_NAME}" \
  --project  ${PROJECT_ID}

#Create json credentials, save it and write to vault
vault auth enable gcp
vault write auth/gcp/config credentials=@/path/to/credentials.json

#Grant access to the vault storage bucket:
gsutil iam ch \
  serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com:objectAdmin \

gsutil iam ch \
serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com:legacyBucketReader \

#Grant access to the vault-init KMS encryption key:
gcloud kms keys add-iam-policy-binding \
  --location global \
  --keyring ${KMS_KEYRING_NAME} \
  --member serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com \
  --role roles/cloudkms.cryptoKeyEncrypterDecrypter \
  --project ${PROJECT_ID}

#Configure gcp policy for vault
gcloud iam roles create VaultAuthRole \
  --title=${TITLE} \
  --stage=GA \
  --description="Role used for the Vault Auth Method" \
  --project "${PROJECT_ID}" \

gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role projects/"${PROJECT_ID}"/roles/VaultAuthRole


gcloud projects add-iam-policy-binding "${PROJECT_ID}" \
  --member "serviceAccount:${SERVER_SERVICEACC_NAME}@${PROJECT_ID}.iam.gserviceaccount.com" \
  --role projects/${PROJECT_ID}/roles/VaultAuthRole

vault auth enable gcp

vault write auth/gcp/config credentials=@${SERVER_SERVICEACC_NAME}.json

vault write auth/gcp/role/${ROLE_NAME} \
  type="iam" \
  policies="${POLICY_NAME}" \
  max_jwt_exp="3600" \

vault policy write ${ROLE_NAME} - <<EOH
path "*" {
  capabilities = ["read"]

kubectl run vault -it --rm --restart=Never \
  --serviceaccount my-service-ksa \
  -n ${NAMESPACE} \
  --image vault \
  -- vault login -address="$VAULT_ADDR" -method=gcp service_account="${SERVER_SERVICEACC_NAME}" role="${ROLE_NAME}"

Do you have any ideas?

the question is removed, there were problems with the firewall in google cloud