Why is the Google Analytics Admin API ignoring the "gcloud auth activate-service-account" configuration?
This is the only API I've seen behave like this.

Setting export GOOGLE_APPLICATION_CREDENTIALS=mykey works but doing gcloud auth activate-service-account --key-file=mykey and then executing my code I see a perms error:

google.api_core.exceptions.PermissionDenied: 403 Request had insufficient authentication scopes. [reason: "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
domain: "googleapis.com"
metadata {
  key: "service"
  value: "analyticsadmin.googleapis.com"
}
metadata {
  key: "method"
  value: "google.analytics.admin.v1alpha.AnalyticsAdminService.ListAccessBindings"
}
]

This is my code:

from google.analytics.admin_v1alpha import AnalyticsAdminServiceClient  # v1alpha, matching the method named in the error
client = AnalyticsAdminServiceClient(transport=None)  # transport=None is the default; credentials are taken from ADC
res = client.list_access_bindings(parent=f"accounts/{account}")  # account: the numeric GA account ID, set elsewhere

Every other API I use honors activated service accounts. Does this API really only support setting the env var?

Spoonful answered 31/7 at 21:54 Comment(0)
This is confusing but the behavior is correct.

gcloud authentication and Application Default Credentials are similar but distinct.

See search order for Application Default Credentials.

Assuming you're running off-cloud, when you unset GOOGLE_APPLICATION_CREDENTIALS, the code's credentials are your user credentials from gcloud auth application-default.

The error results from these credentials (on Linux: ${HOME}/.config/gcloud/application_default_credentials.json) being insufficient.

When you run gcloud auth activate-service-account, gcloud (but not your code) is authenticated as the Service Account.

The solution here, when running off-cloud, is to use GOOGLE_APPLICATION_CREDENTIALS.

When your code runs on a Google compute service, then you can leave GOOGLE_APPLICATION_CREDENTIALS unset and trust the metadata service to provide the compute service's Service Account credentials to the code.

Autumn answered 1/8 at 2:13 Comment(3)
Is there a way to impersonate a service account for the SDK locally without doing it in code? Like running a local instance of a metadata service? For some reason I always thought activate-service-account affected the SDK and not just the CLI. (Spoonful)
Yes, see Set up ADC for client libraries. (Autumn)
Wow, is that new? Your user just needs perms to impersonate the GSA, right? You don't need a JSON key? (Spoonful)
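The search order the answer refers to, as an added example that is not part of the original post or of Google's libraries: a small Python simulator of the three ADC sources (the GOOGLE_APPLICATION_CREDENTIALS variable, the well-known file that gcloud auth application-default login writes, and the metadata server on Google compute). The project id, service-account e-mail and all file contents are constructed placeholders, not real keys. The third case is the keyless option the comments ask about: gcloud auth application-default login --impersonate-service-account=SA_EMAIL writes an impersonated_service_account ADC file, and your user needs roles/iam.serviceAccountTokenCreator on the target account rather than a key.

```python
"""ADC search-order simulator (added example; not Google's code).

Mimics the order google.auth.default() uses so the answer's distinction
between gcloud's own identity and Application Default Credentials can be
checked on disk without any real credentials. Every file written here is a
constructed placeholder.
"""
import json
import tempfile
from pathlib import Path

ENV_VAR = "GOOGLE_APPLICATION_CREDENTIALS"

# Constructed sample files (hypothetical project and service account).
SERVICE_ACCOUNT_KEY = {
    "type": "service_account",
    "project_id": "example-project",
    "client_email": "example-sa@example-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}
USER_ADC = {  # what `gcloud auth application-default login` leaves behind
    "type": "authorized_user",
    "client_id": "placeholder.apps.googleusercontent.com",
    "client_secret": "placeholder",
    "refresh_token": "placeholder",
}
IMPERSONATED_ADC = {  # what the --impersonate-service-account variant writes
    "type": "impersonated_service_account",
    "service_account_impersonation_url": (
        "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/"
        "example-sa@example-project.iam.gserviceaccount.com:generateAccessToken"
    ),
    "source_credentials": USER_ADC,
}


def well_known_adc_path(home: Path) -> Path:
    """Linux/macOS location of the ADC file (Windows: %APPDATA%\\gcloud\\...)."""
    return home / ".config" / "gcloud" / "application_default_credentials.json"


def describe(path: Path) -> dict:
    """Return the credential type and, where the file names one, the principal."""
    data = json.loads(path.read_text())
    kind = data.get("type", "unknown")
    if kind == "service_account":
        principal = data["client_email"]
    elif kind == "impersonated_service_account":
        url = data["service_account_impersonation_url"]
        principal = url.rsplit("/", 1)[1].split(":")[0]
    else:
        principal = None  # authorized_user files do not record the e-mail
    return {"path": str(path), "type": kind, "principal": principal}


def resolve_adc(env: dict, home: Path, on_google_compute: bool = False) -> dict:
    """ADC search order: env var, then well-known file, then metadata server.

    What `gcloud auth activate-service-account` stores for the CLI itself
    (credentials.db, legacy_credentials/) is never consulted, which is why it
    has no effect on client-library code.
    """
    if env.get(ENV_VAR):
        return {"source": "env", **describe(Path(env[ENV_VAR]))}
    wk = well_known_adc_path(home)
    if wk.exists():
        return {"source": "well_known_file", **describe(wk)}
    if on_google_compute:
        return {"source": "metadata_server", "path": None,
                "type": "compute_engine", "principal": "attached service account"}
    raise RuntimeError("no ADC found (google.auth raises DefaultCredentialsError here)")


def demo() -> list:
    """Write the constructed files into a temporary HOME and resolve three ways."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        key = home / "mykey"
        key.write_text(json.dumps(SERVICE_ACCOUNT_KEY))
        wk = well_known_adc_path(home)
        wk.parent.mkdir(parents=True)
        wk.write_text(json.dumps(USER_ADC))
        results.append(resolve_adc({}, home))                 # the failing setup: user ADC wins
        results.append(resolve_adc({ENV_VAR: str(key)}, home))  # the working setup: env var wins
        wk.write_text(json.dumps(IMPERSONATED_ADC))
        results.append(resolve_adc({}, home))                 # keyless: impersonated ADC file
    return results


if __name__ == "__main__":
    for r in demo():
        print(f"{r['source']:16} {r['type']:30} {r['principal']}")
```

The first resolution is the questioner's situation: with the variable unset, the authorized_user file wins, and the access token it yields carries only the scopes granted at login time. If you want to keep using user ADC against Analytics Admin, gcloud auth application-default login accepts --scopes so the Analytics scopes can be added; a service-account key or the impersonated file lets the client library ask for the scopes it needs itself.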
