Cloud Build Trigger custom service account doesn't allow filename without build

Hi Friends!

Ran into this error message with a simple trigger using cloudbuild.yaml and GitHub push. Easy workaround to just use the built-in cloudbuild service account, but would like to be able to use a more restricted service account for deployments.

Issue seems to be a circular dependency where filename triggers don’t use the build block and thus can’t provide a build.options.logging configuration to satisfy this requirement.

Your build failed to run: generic::invalid_argument: generic::invalid_argument: if 'build.service_account' is specified, the build must either (a) specify 'build.logs_bucket' (b) use the CLOUD_LOGGING_ONLY logging option, or (c) use the NONE logging option

resource "google_cloudbuild_trigger" "microservices" {
  provider = google-beta
  location = var.region
  service_account =
  filename = "cloudbuild.yaml"

  substitutions = {
    _REGION  = "gcp_region"
    _CLUSTER = "gke_cluster"
  }

  github {
    owner = "me"
    name  = "me_repo"
    push {
      branch = "^main$"
    }
  }
}

Tried to search for previous questions, but as always I might have messed up and missed something obvious. Appreciate any help!
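
An added example, not part of the original post: the logging option named in (b) of the error is a field of the build config file itself, so it can be set in the cloudbuild.yaml that `filename` points to. The single step is a constructed placeholder; only the substitution names `_REGION` and `_CLUSTER` come from the trigger above.

```yaml
# cloudbuild.yaml (constructed example)
steps:
  # Placeholder step: fetch GKE credentials using the trigger's substitutions.
  - name: "gcr.io/cloud-builders/gcloud"
    args:
      - "container"
      - "clusters"
      - "get-credentials"
      - "${_CLUSTER}"
      - "--region"
      - "${_REGION}"

options:
  # Option (b) from the error message: send build logs to Cloud Logging only.
  # The custom service account then needs permission to write log entries
  # (roles/logging.logWriter) instead of access to a logs bucket.
  logging: CLOUD_LOGGING_ONLY

# Option (a) from the error message would instead be a top-level field:
# logsBucket: "gs://LOGS_BUCKET_PLACEHOLDER"
```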