When your Cloud Scheduler job runs, I think we will find that it runs with the identity of a Service Account. In your environment, your Service Account will have been granted access to a set of Google Cloud IAM roles. First thing I’d look at is “What is the set of roles granted to the service account?”. Following that, we want to look at what is the request you are submitting? It looks like a request to run a Cloud Storage Transfer Service job. Now we need to ask ourselves “What roles are required to run such a job?”. From there, it becomes a case of pairing the two together. Marry “What roles does my service account possess?” against “What roles does my service account require?” … and match the two.
See also:
https://cloud.google.com/storage-transfer/docs/iam-cloud
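
The granted-versus-required comparison described above, as an added example that is not part of the original answer: it reads a project IAM policy in the JSON shape printed by `gcloud projects get-iam-policy PROJECT_ID --format=json` and reports which required roles the service account holds, holds only under a condition, or lacks. The policy, the service account e-mail and the `REQUIRED_ROLES` set are constructed placeholders; take the real required list from the linked documentation.

```python
import json

# Constructed sample policy (not from a real project).
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/storagetransfer.viewer",
   "members": ["serviceAccount:scheduler-sa@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storage.objectViewer",
   "members": ["user:alice@example.com",
               "serviceAccount:Scheduler-SA@example-project.iam.gserviceaccount.com"]},
  {"role": "roles/storagetransfer.user",
   "members": ["serviceAccount:scheduler-sa@example-project.iam.gserviceaccount.com"],
   "condition": {"title": "expired",
                 "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}}
]}
""")

SA_EMAIL = "scheduler-sa@example-project.iam.gserviceaccount.com"  # placeholder
# Assumption: placeholder set, replace with the roles the documentation lists.
REQUIRED_ROLES = {"roles/storagetransfer.user",
                  "roles/storage.objectViewer",
                  "roles/storagetransfer.admin"}


def roles_for(policy, sa_email):
    """Return (unconditional, conditional-only) roles bound directly to the SA."""
    member = f"serviceAccount:{sa_email}".lower()
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if member not in members:
            continue
        # A binding with a condition only applies while its expression holds.
        (conditional if "condition" in binding else granted).add(binding["role"])
    return granted, conditional - granted


def compare(policy, sa_email, required):
    """Match what the SA possesses against what it requires."""
    granted, conditional = roles_for(policy, sa_email)
    return {
        "satisfied": sorted(required & granted),
        "conditional": sorted(required & conditional),  # check the condition
        "missing": sorted(required - granted - conditional),
    }


if __name__ == "__main__":
    for status, roles in compare(SAMPLE_POLICY, SA_EMAIL, REQUIRED_ROLES).items():
        print(f"{status}: {', '.join(roles) or '-'}")
```

This only sees bindings in the one policy it is given: roles inherited from a folder or organization, granted on an individual bucket, or granted through a group will not appear and have to be checked at those levels.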