Authenticate success but "RBAC: access denied"

We use apigee-envoy-adapter 1.0.0 and when we try to hit the service we got:

curl -i http://example-dev2.eus1-devqa.xxx.com/example/v1/items -H "x-api-key: xxx"
HTTP/1.1 403 Forbidden
content-length: 19
content-type: text/plain
date: Wed, 07 Oct 2020 23:29:32 GMT
server: istio-envoy
x-envoy-upstream-service-time: 8
RBAC: access denied%

in apigee-remote-service-envoy logs we see that Authenticate success but still PERMISSION_DENIED:

DEBUG auth/auth.go:98 Authenticate: key: YJNo1..., claims: map[string]interface {}(nil)<br />DEBUG auth/auth.go:125 using api key from request<br />DEBUG auth/auth.go:157 Authenticate success: &auth.Context{Context:(*server.Handler)(0xc0000b2600), ClientID:"YJNo1...", AccessToken:"", Application:"example-ms", APIProducts:[]string{"remote-service"}, Expires:time.Time{wall:0x0, ext:63737710469, loc:(*time.Location)(0x15ab960)}, DeveloperEmail:"xxx", Scopes:[]string{""}, APIKey:"YJNo1..."}<br />DEBUG product/manager.go:246<br />Resolve api: example-dev2.eus1-devqa.xxx.com, path: /example/v1/items, scopes: []<br />Selected: []<br />Eliminated: [remote-service doesn't exist]<br />DEBUG server/authorization.go:225 sending ok (actual: PERMISSION_DENIED)

On Apigee side we see that requests are passing fine

Could you please suggest what could be misconfigured?