diff --git a/apisix/consumer.lua b/apisix/consumer.lua
index 83d2aea3ab34..6bbd6ca186c6 100644
--- a/apisix/consumer.lua
+++ b/apisix/consumer.lua
@@ -104,7 +104,8 @@ local function create_consume_cache(consumers_conf, key_attr)
     for _, consumer in ipairs(consumers_conf.nodes) do
         core.log.info("consumer node: ", core.json.delay_encode(consumer))
         local new_consumer = core.table.clone(consumer)
-        new_consumer.auth_conf = secret.fetch_secrets(new_consumer.auth_conf)
+        new_consumer.auth_conf = secret.fetch_secrets(new_consumer.auth_conf, true,
+                                                        new_consumer.auth_conf, "")
         consumer_names[new_consumer.auth_conf[key_attr]] = new_consumer
     end
 
diff --git a/apisix/plugins/authz-keycloak.lua b/apisix/plugins/authz-keycloak.lua
index 5a7d32d26a9d..587628f74bd4 100644
--- a/apisix/plugins/authz-keycloak.lua
+++ b/apisix/plugins/authz-keycloak.lua
@@ -759,7 +759,7 @@ end
 
 function _M.access(conf, ctx)
     -- resolve secrets
-    conf = fetch_secrets(conf)
+    conf = fetch_secrets(conf, true, conf, "")
     local headers = core.request.headers(ctx)
     local need_grant_token = conf.password_grant_token_generation_incoming_uri and
         ctx.var.request_uri == conf.password_grant_token_generation_incoming_uri and
diff --git a/apisix/plugins/limit-count.lua b/apisix/plugins/limit-count.lua
index cc7791a10872..e3b4c0f6c8bb 100644
--- a/apisix/plugins/limit-count.lua
+++ b/apisix/plugins/limit-count.lua
@@ -32,7 +32,7 @@ end
 
 
 function _M.access(conf, ctx)
-    conf = fetch_secrets(conf)
+    conf = fetch_secrets(conf, true, conf, "")
     return limit_count.rate_limit(conf, ctx, plugin_name, 1)
 end
 
diff --git a/apisix/ssl/router/radixtree_sni.lua b/apisix/ssl/router/radixtree_sni.lua
index ec6adac09fe3..aab6aafe8819 100644
--- a/apisix/ssl/router/radixtree_sni.lua
+++ b/apisix/ssl/router/radixtree_sni.lua
@@ -238,7 +238,8 @@ function _M.set(matched_ssl, sni)
     end
     ngx_ssl.clear_certs()
 
-    local new_ssl_value = secret.fetch_secrets(matched_ssl.value) or matched_ssl.value
+    local new_ssl_value = secret.fetch_secrets(matched_ssl.value, true, matched_ssl.value, "")
+                            or matched_ssl.value
 
     ok, err = _M.set_cert_and_key(sni, new_ssl_value)
     if not ok then