diff --git a/agent/connect/ca/provider_vault_auth_approle.go b/agent/connect/ca/provider_vault_auth_approle.go
index 0c782a6de33ac..96d3c61900eb1 100644
--- a/agent/connect/ca/provider_vault_auth_approle.go
+++ b/agent/connect/ca/provider_vault_auth_approle.go
@@ -16,19 +16,28 @@ import (
 // (which we don't need to do)
 func NewAppRoleAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient, error) {
- // role_id_file_path is required
+ params := authMethod.Params
+ client := NewVaultAPIAuthClient(authMethod, "")
+ // handle legacy case where role_id and secret_id are passed in directly.
+ _, role_id_ok := params["role_id"].(string)
+ _, secret_id_ok := params["secret_id"].(string)
+ if role_id_ok && secret_id_ok {
+ return client, nil
+ }
+
+ // vault-agent auth config, role_id_file_path is required
 key := "role_id_file_path"
 if val, ok := authMethod.Params[key].(string); !ok {
 return nil, fmt.Errorf("missing '%s' value", key)
 } else if strings.TrimSpace(val) == "" {
 return nil, fmt.Errorf("'%s' value is empty", key)
 }
-
- client := NewVaultAPIAuthClient(authMethod, "")
 client.LoginDataGen = ArLoginDataGen
+
 return client, nil
 }
+// don't need to check for legacy params as this func isn't used in that case
 func ArLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
 params := authMethod.Params // role_id is required
diff --git a/agent/connect/ca/provider_vault_auth_test.go b/agent/connect/ca/provider_vault_auth_test.go
index f916a22124796..817c7017a61a7 100644
--- a/agent/connect/ca/provider_vault_auth_test.go
+++ b/agent/connect/ca/provider_vault_auth_test.go
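Review bot: The legacy branch in NewAppRoleAuthClient only checks that `role_id` and `secret_id` are strings, not that they are non-empty, so a config with `role_id = ""` and `secret_id = ""` takes the early `return client, nil`, skips the `role_id_file_path` validation that the file-path branch applies with `strings.TrimSpace`, and hands back a client with no `LoginDataGen`; the misconfiguration then surfaces only at Vault login time with a less specific error. Capturing the values and rejecting blanks keeps the two branches' validation consistent, and the locals should be MixedCaps (`roleOK`, `secretOK`) rather than `role_id_ok`. Note also that when both legacy values and `role_id_file_path` are present the legacy pair wins silently; a one-line comment stating that precedence, or a log line, would make the behaviour discoverable. ArLoginDataGen continues outside the hunk.

```go
	// handle legacy case where role_id and secret_id are passed in directly;
	// when present they take precedence over role_id_file_path.
	roleID, roleOK := params["role_id"].(string)
	secretID, secretOK := params["secret_id"].(string)
	if roleOK && secretOK {
		if strings.TrimSpace(roleID) == "" || strings.TrimSpace(secretID) == "" {
			return nil, fmt.Errorf("'role_id' and 'secret_id' values must not be empty")
		}
		return client, nil
	}
	// … unchanged: role_id_file_path validation and LoginDataGen assignment …
```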
@@ -363,6 +363,19 @@ func TestVaultCAProvider_AppRoleAuthClient(t *testing.T) {
 },
 expErr: fmt.Errorf("missing '%s' value", "role_id_file_path"),
 },
+ "legacy-direct-values": {
+ authMethod: &structs.VaultAuthMethod{
+ Type: "approle",
+ Params: map[string]any{
+ "role_id": "test-role",
+ "secret_id": "test-secret",
+ },
+ },
+ expData: map[string]any{
+ "role_id": "test-role",
+ "secret_id": "test-secret",
+ },
+ },
 }
 for k, c := range cases {
@@ -374,9 +387,11 @@ func TestVaultCAProvider_AppRoleAuthClient(t *testing.T) {
 return
 }
 require.NoError(t, err)
- data, err := auth.LoginDataGen(c.authMethod)
- require.NoError(t, err)
- require.Equal(t, c.expData, data)
+ if auth.LoginDataGen != nil {
+ data, err := auth.LoginDataGen(c.authMethod)
+ require.NoError(t, err)
+ require.Equal(t, c.expData, data)
+ }
 })
 }
 }
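Review bot: The `expData` map on the new `legacy-direct-values` case is never compared against anything, because the legacy path leaves `LoginDataGen` nil and the loop below only asserts `expData` when the generator is set, so the case proves only that construction succeeds. Either drop `expData` from this case so the table does not suggest a check that is not made, or add cases that pin the boundaries the legacy branch introduces: `role_id` present with `secret_id` absent (should still fail with the `role_id_file_path` error) and both present but empty, whose expected outcome depends on how the production branch treats blanks.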
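Review bot: The new `if auth.LoginDataGen != nil` guard makes the `expData` comparison conditional for every case, so a regression that forgets to set `LoginDataGen` in the file-path branch would pass silently with no assertion executed. Expressing the expectation explicitly — a nil `expData` means the generator must be nil, a non-nil one means it must be set and produce that data — keeps the check strong in both directions. The loop body continues outside the hunk.

```go
			require.NoError(t, err)
			if c.expData == nil {
				require.Nil(t, auth.LoginDataGen)
				return
			}
			require.NotNil(t, auth.LoginDataGen)
			data, err := auth.LoginDataGen(c.authMethod)
			require.NoError(t, err)
			require.Equal(t, c.expData, data)
```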