Terraform Vault Provider unexpectedly deletes secret_key

provider "vault" {
  version = "~> 2.7.0"
  address = var.vault_addr
  auth_login {
    path = "auth/approle/login"

    parameters = {
      role_id   = var.approle_roleid
      secret_id = var.approle_secretid
    }
  }
}
resource "vault_aws_secret_backend" "this" {
  #access_key                = ""
  #secret_key                = ""
  path                      = join("-", [var.team, var.env, var.account_name, "aws"])
  default_lease_ttl_seconds = var.lease_ttl
  max_lease_ttl_seconds     = var.lease_max_ttl
  depends_on                = [null_resource.validator]

  lifecycle {
    ignore_changes = [access_key, secret_key]
  }
}

Given the above statement, both with the access_key / secret_key lines commented and uncommented, new Terraform plans want to destroy the secret_key on every apply.

I’m lost. I thought using empty quotes would make sure there was no value in the field only on the first run, and that any subsequent runs, the lifecycle.ignore_changes would make sure that Terraform didn’t touch the field. What am I missing here?

This is what appears in the plan output:

  # module.modulename.vault_aws_secret_backend.this will be updated in-place
  ~ resource "vault_aws_secret_backend" "this" {
      - access_key                = (sensitive value)
        default_lease_ttl_seconds = 3600
        id                        = "team-prd-modulename-aws"
        max_lease_ttl_seconds     = 7200
        path                      = "team-prd-modulename-aws"
        region                    = "us-east-1"
    }

(where the - indicates an action Terraform will take to destroy the indicated parameter)