Can't get KEDA trigger with workload identity and postgres to work

[jblaaa-codes]

I have a workload identity that I have tested with another pod in the same namespace that has access to the postgres server and full permissions to the table I'm looking to query. This MI also has permissions to a keyvault. I want to move the triggerAuthentication from keyvault to grab a local pgsql admin account. that works fine. I tried to follow the instructions here: https://keda.sh/docs/2.16/scalers/postgresql/#example-1

The example uses a scaled object but I'm using a scaledJob. I don't see that this wouldn't be supported but wanted to mention that.

apiVersion: keda.sh/v1alpha1
kind: TriggerAuthentication
metadata:
  name: postgres-trigger-auth-wlid
  namespace: movie-api
spec:
  podIdentity:
    provider: azure
    identityId: %MI-clientId%
---
apiVersion: keda.sh/v1alpha1
kind: ScaledJob
metadata:
    name: postgres-scaledjob
    namespace: movie-api
spec:
    jobTargetRef:
        template:
            spec:
                serviceAccount: movies-api-mi
                containers:
                - name: kedaConsoleApp
                  image: ACR/kedaconsoleapp:latest
                  
    pollingInterval: 30  # Optional. Default: 30 seconds
    successfulJobsHistoryLimit: 5  # Optional. Default: 100
    failedJobsHistoryLimit: 5  # Optional. Default: 100
    triggers:
      - type: postgresql
        authenticationRef:
          name: postgres-trigger-auth-wlid
        metadata:
          host: "%pgFlexFQDN"
          port: "5432"
          userName: "movies-api-mi"
          dbName: "movies"
          sslmode: "require"
          query: "SELECT COUNT(*) FROM movies"
          targetQueryValue: '1'

I am getting the error that the password was blank

``
"error": "error establishing postgreSQL connection: failed to connect to host=postgres.postgres.database.azure.com user=movies-api-mi database=movies: server error (FATAL: empty password returned by client (SQLSTATE 28P01))"}

``

Do I have this configured wrong? I know the managed identity works because I have another triggerAuth that is used by keyvault and it works flawlessly. I also have the same MI being used by an API that is read/writing to the database fine in the same namespace.