Summary

My SecretStore and ServiceAccount are in the same namespace.
The ServiceAccount has a trust relationship with AWS Secrets Manager.
But in ArgoCD, I see myapp (a CronJob) is degraded.
The error message is:

    Normal   Valid                  18m (x9 over 53m)     secret-store  store validated
    Warning  InvalidProviderConfig  3m2s (x41 over 159m)  secret-store  unable to create session: ServiceAccount "myapp-service-account" not found

Advice and hints are deeply appreciated.
Details
    kubectl describe secretstore myapp -n dev

shows as follows:

    Name:         eng-info-secret-store
    Namespace:    dev
    Labels:       <none>
    Annotations:  <none>
    API Version:  external-secrets.io/v1beta1
    Kind:         SecretStore
    Metadata:
      Creation Timestamp:  2022-09-19T22:58:30Z
      Generation:          1
      Managed Fields:
        API Version:  external-secrets.io/v1beta1
        Fields Type:  FieldsV1
        ...
    Spec:
      Provider:
        Aws:
          Auth:
            Jwt:
              Service Account Ref:
                Name:  myapp-service-account
          Region:   us-east-1
          Service:  SecretsManager
    Status:
      Conditions:
        Last Transition Time:  2022-09-20T01:23:43Z
        Message:               unable to create client
        Reason:                InvalidProviderConfig
        Status:                False
        Type:                  Ready
    Events:
      Type     Reason                 Age                   From          Message
      ----     ------                 ----                  ----          -------
      Normal   Valid                  18m (x9 over 53m)     secret-store  store validated
      Warning  InvalidProviderConfig  3m2s (x41 over 159m)  secret-store  unable to create session: ServiceAccount "myapp-service-account" not found
The service account, however, exists in the same namespace:
    kubectl get ServiceAccount myapp-service-account -o yaml -n dev

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      annotations:
        eks.amazonaws.com/role-arn: arn:aws:iam::11xxxxx:role/ExternalSecretsxxxxx700000003
        kubectl.kubernetes.io/last-applied-configuration: |
          {"apiVersion":"v1","kind":"ServiceAccount","metadata":{"annotations":{"eks.amazonaws.com/role-arn":"arn:aws:iam::11xxxxx:role/ExternalSecretsxxxxx700000003"},"labels":{"argocd.argoproj.io/instance":"myapp"},"name":"myapp-service-account","namespace":"dev"}}
      creationTimestamp: "2022-09-20T01:35:42Z"
      labels:
        argocd.argoproj.io/instance: myapp
      name: myapp-service-account
      namespace: dev
      resourceVersion: "6737470"
      uid: abd794bb-d236-40b6-94bf-7e5dea2f91c1
    secrets:
    - name: myapp-service-account-token-v4bxg

The ServiceAccount has an appropriate trust relationship with AWS Secrets Manager.
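As an added diagnostic (not code from the original issue or from the external-secrets project), the check below resolves a SecretStore's `spec.provider.aws.auth.jwt.serviceAccountRef` the way the controller would and compares it against the ServiceAccounts present, using dicts constructed from the manifests in the post. That a ClusterSecretStore's ref must name its namespace explicitly is an assumption about external-secrets behaviour; the role ARN is the post's own masked value.

```python
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"

# Constructed from the manifests in the post (masked ARN kept as-is).
SECRET_STORE = {
    "kind": "SecretStore",
    "metadata": {"name": "eng-info-secret-store", "namespace": "dev"},
    "spec": {"provider": {"aws": {
        "service": "SecretsManager", "region": "us-east-1",
        "auth": {"jwt": {"serviceAccountRef": {"name": "myapp-service-account"}}}}}},
}
SERVICE_ACCOUNTS = [{
    "metadata": {"name": "myapp-service-account", "namespace": "dev",
                 "annotations": {ROLE_ARN_ANNOTATION:
                                 "arn:aws:iam::11xxxxx:role/ExternalSecretsxxxxx700000003"}},
}]


def resolve_ref_namespace(store, ref):
    """Namespace the controller looks in for the referenced ServiceAccount.
    A namespaced SecretStore uses its own namespace when the ref has none;
    a ClusterSecretStore has no namespace, so the ref must carry one
    (assumption about ESO; returns None when it does not)."""
    if ref.get("namespace"):
        return ref["namespace"]
    if store.get("kind") == "ClusterSecretStore":
        return None
    return store["metadata"]["namespace"]


def check_jwt_service_account_ref(store, service_accounts):
    """Return findings for aws.auth.jwt.serviceAccountRef (empty list = consistent)."""
    auth = store["spec"]["provider"]["aws"].get("auth", {})
    ref = auth.get("jwt", {}).get("serviceAccountRef")
    if not ref:
        return ["store does not use jwt (IRSA) auth; nothing to check"]
    ns = resolve_ref_namespace(store, ref)
    if ns is None:
        return ["ClusterSecretStore serviceAccountRef needs an explicit namespace"]
    # Match on both name and namespace: a same-named SA elsewhere does not count.
    sa = next((s for s in service_accounts
               if s["metadata"]["name"] == ref["name"]
               and s["metadata"]["namespace"] == ns), None)
    if sa is None:
        return [f'ServiceAccount "{ref["name"]}" not found in namespace {ns}']
    findings = []
    # Without the IRSA annotation the projected token cannot assume the role.
    if ROLE_ARN_ANNOTATION not in sa["metadata"].get("annotations", {}):
        findings.append(f"ServiceAccount is missing the {ROLE_ARN_ANNOTATION} annotation")
    return findings
```

Feed it the output of `kubectl get secretstore ... -o json` and `kubectl get sa -A -o json` (parsed with the json module) to check a live cluster; an empty result means the reference itself is consistent and the fault lies elsewhere, such as the controller's RBAC.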