Whenever a new object is created in a bucket, the account that creates it is the owner of the object. Each new object also contains an ACL, which defaults to the "default object ACL" setting on the bucket. By default, this is the "project-private" ACL, which means that any user who is an owner or an editor of the project should have full control of the object and be able to change the ACL with their own credentials.
A couple of things could have happened here. Either the service account, when creating objects, has been explicitly specifying an ACL for each object, or the default object ACL setting on the bucket has been changed to something other than project-private. Have you explicitly tried to lock down these objects to something beyond project-private? If not, make sure that the user account you've configured gsutil with is an owner of the project that you're trying to edit object ACLs with. Can you see what the ACL is from the console (http://console.developers.google.com/storage)?
You cannot act as the appengine project's service account from your own desktop. Fortunately, you CAN act as that service account from a GCE instance. One way to get out of this problem would be to launch a small GCE instance associated with this project. That GCE instance will have a gsutil installed that will be pre-configured to act as the service account. You can simply type gsutil -m acl set -R project-private gs://my-bucket/ from the GCE prompt (or whatever ACL change you want to make), and it should fix your problem.
