Cannot create a Cloud Build trigger with Cloud Build repositories 2nd gen - permissions error

I have been following the instructions at https://cloud.google.com/build/docs/automating-builds/github/connect-repo-github?generation=2nd-gen to create a Cloud Build Trigger from a GitHub repo connected to Cloud Build repositories 2nd gen.

Whether I use gcloud as in the instructions, use the Google Cloud Console UI or even try programmatically via Terraform, I get the same error.

I cannot work out if I need to set permissions somewhere or if it is just a misleading error and something is wrong with the GitHub permissions. My user account has the roles/cloudbuild.connectionAdmin role. I cannot see why the mentioned permission would not be there.

connection of repository projects/my-project/locations/us-central1/connections/my-app-github-connection/repositories/MyApp cannot be fetched: generic::permission_denied: Permission 'cloudbuild.connections.get' denied on 'projects/my-project-number/locations/us-central1/connections/my-app-github-connection'

Here is the roles the Cloud Build service account has granted:

Any ideas?

Got it, I had to enable Secret Manager Secret Accessor on the screen below.

I had been adding permissions to :

service-262018307079@gcp-sa-cloudbuild.iam.gserviceaccount.com

rather than:

262018307079@cloudbuild.gserviceaccount.com.