On cluster master one of $SPLUNK_HOME/etc/master-apps/<app-name>/local/indexes.conf, I set remote.s3.access_key and remote.s3.secret_key with the same access_key and secret_key used with s3cmd. However after apply cluster-bundle, the indexes.conf is updated and both key values are replaced. The new set of keys not only replace the ones under [default] stanza, but also on each index stanza.
Where the new keys come from? Is it expected that keys be overwritten?
Yes. Starts with $7. Thanks for the reply
Do the "new" keys start with $7$? If yes, they are encrypted.