Elasticsearch ignoring serviceAccountName setting

I have an Elasticsearch cluster created by the ECK operator. But the operator is not adding the Kube service account name to the pod templates.

Here is the Elasticsearch config (truncated for brevity):

apiVersion: elasticsearch.k8s.elastic.co/v1
kind: Elasticsearch
  name: logging0
  version: 7.9.3
  serviceAccountName: logging-es

According to the ECK API docs, the serviceAccountName option "Can only be used if ECK is enforcing RBAC on references."

The operator is running with enforce-rbac-on-refs enabled:

      - image: "docker.elastic.co/eck/eck-operator:1.2.1"
        imagePullPolicy: IfNotPresent
        name: manager
          - "manager"
          - "--log-verbosity=0"
          - "--metrics-port=0"
          - "--container-registry=docker.elastic.co"
          - "--max-concurrent-reconciles=3"
          - "--ca-cert-validity=8760h"
          - "--ca-cert-rotate-before=24h"
          - "--cert-validity=8760h"
          - "--cert-rotate-before=24h"
          - "--enable-webhook"
          - "--enforce-rbac-on-refs"

Is this a bug, or is there additional configuration required to get the service account added to the Elasticsearch pods?

P.S. The service account is needed so that the Pod can use the AWS IAM roles for Kubernetes feature of EKS to access an S3 bucket to store snapshots.

Just ended up manually added the service account to the pod template. I think I misunderstood the reason for the serviceAccountName option -- it isn't intended to add that service account to the pods. It's an annotation for the Operator to know how to enforce RBAC.