
API access via service account without MFA

Part of our flow is to have customer support view (and later update) KVM collected in Apigee, but done so outside the Apigee UI.  Below is an example endpoint we need to have accessed:

GET https://api.enterprise.apigee.com/v1/organizations/"organization"/environments/prod/keyvaluemaps/"kv...

Documentation showed generating an OAuth bearer token was required to access this endpoint.
Bearer token generation requires username, password, MFA (since we have 2nd factor enabled).

Question: Do we have a way to instead access these endpoints with a service account and not need an MFA to generate the authentication? I attempted to create a service account keyfile via our GCP but that method seemed to only give Google API access and not Apigee access. Is this possible in Apigee Edge? Is this possible in Apigee X? Is there a link/documentation for this so I can recreate the flow?

Similar to the KVM access, we also need to be able to access the metrics API and would like to do that via service account too. Example request:
https://api.enterprise.apigee.com/v1/organizations/"organization"/environments/prod/stats/kareocusto...

Same questions - do we have a way to do this via service account instead of requiring MFA to generate a bearer token?

1 REPLY

You need a machine account.

This is documented here.

You must be a zoneadmin to create and manage machine user accounts for identity zone management in Apigee Edge.

If you don't know what this is, you need to connect with Apigee Support who will help you out!

Do we have a way to instead access these endpoints with a service account and not need an MFA to generate the authentication?
I attempted to create a service account keyfile via our GCP but that method seemed to only give Google API access and not Apigee access.

Yes, that is expected. The identity and authentication for Apigee Edge is handled by Apigee. If you move to Apigee X or hybrid, then you will use the Google cloud identity and authentication. A service account in GCP does not have any access to an Apigee Edge organization.

Is there a link/documentation for this so I can recreate the flow? Similar to the KVM access, we also need to be able to access the metrics API and would like to do that via service account too.

You need to use a machine account. If you have Apigee Edge, then you access the Apigee API via api.enterprise.apigee.com. And for that you need a machine account. You should consult the documentation anchored at docs.apigee.com for information on that. You should not look at cloud.google.com/apigee/docs for documentation pertaining to Apigee Edge. The documentation available at cloud.google.com/apigee/docs pertains to Apigee X and hybrid. It does not pertain to Apigee Edge.