GKE Autopilot cluster gets created with default service account

[kkalchuri-solutelabs]

Hi Team,
I am trying to create a GKE private Autopilot cluster via Pulumi typescript. I am creating a custom service account with limited IAM permission and want to attach the same to autopilot cluster instead of using default service account.

I tried multiple code changes but my Autopilot cluster is getting created with default service account only. Using this Pulumi package for autopilot cluster creation.
I came across terraform issue discussion where many users are facing similar default account issue.
hashicorp/terraform-provider-google#9505

I tried the listed solution to use clusterAutoscaling but Pulumi says it conflicts with the enable_autopilot, same behavior with node pool, you can't change much in Autopilot cluster.

Why Pulumi or terraform is failing to attach custom service account to autopilot cluster?
Any suggestions I can try?

import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";

const sa = new gcp.serviceaccount.Account("sa", {
    createIgnoreAlreadyExists: true,
    accountId: "test",
});
const project = new gcp.projects.IAMBinding("project", {
    project: "<Project_ID>",
    role: "roles/cloudsql.admin",
    members: [sa.email.apply(email => `serviceAccount:${email}`)],
});

const primary = new gcp.container.Cluster("primary", {
    name: "cluster-test",
    network: "<VPC_ID>",
    subnetwork: "<Private_Subnet_ID>",
    location: "us-east4",
    enableAutopilot: true,
    deletionProtection: false,
    masterAuthorizedNetworksConfig: {
        cidrBlocks: [{
            cidrBlock: "<IP>",
        }],
    },
    privateClusterConfig: {
        enablePrivateEndpoint: false,
        enablePrivateNodes: true,
    },
    nodeConfig: {
        serviceAccount: sa.email
    }
});