AWS credentials does not work when using S3 secret manager

We are following https://www.spinnaker.io/reference/halyard/secrets/ to move credentials in Halyard configurations to a S3 bucket. It seems that some secrets in the secret file is replaced successfully, but some are not. To be specific, it seems all Github credentials (OAuth credentials, access tokens, etc) are successfully replaced in various services, but AWS credentials are not and we got credentials not valid from front50 and clouddriver.

Further inspecting the staging files generated by Halyard, we noticed that in staging/aws/clouddriver-credentials_root and other credentials files, aws_secret_access_key is replaced with the real credential, but value of aws_access_key_id is still the reference string (encrypted:s3!...).

Did anyone experience similar problem and maybe point us toward where we should look? Many thanks.