This message was deleted.

I was looking at it from SA point of view, adding a binding on the bucket is simpler way rather than patch the service account. All good for now.