diff --git a/agent/connect/ca/provider_vault_auth_approle.go b/agent/connect/ca/provider_vault_auth_approle.go
index ba7ea086ad19..fad6011fcb37 100644
--- a/agent/connect/ca/provider_vault_auth_approle.go
+++ b/agent/connect/ca/provider_vault_auth_approle.go
@@ -34,13 +34,17 @@ func NewAppRoleAuthClient(authMethod *structs.VaultAuthMethod) (*VaultAuthClient
 	return authClient, nil
 }
 
-// don't need to check for legacy params as this func isn't used in that case
 func ArLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error) {
+	// don't need to check for legacy params as this func isn't used in that case
 	params := authMethod.Params
 	// role_id is required
 	roleIdFilePath := params["role_id_file_path"].(string)
 	// secret_id is optional (secret_ok is used in check below)
-	secretIdFilePath, secret_ok := params["secret_id_file_path"].(string)
+	// secretIdFilePath, secret_ok := params["secret_id_file_path"].(string)
+	secretIdFilePath, hasSecret := params["secret_id_file_path"].(string)
+	if hasSecret && strings.TrimSpace(secretIdFilePath) == "" {
+		hasSecret = false
+	}
 
 	var err error
 	var rawRoleID, rawSecretID []byte
@@ -49,11 +53,13 @@ func ArLoginDataGen(authMethod *structs.VaultAuthMethod) (map[string]any, error)
 		return nil, err
 	}
 	data["role_id"] = string(rawRoleID)
-	switch rawSecretID, err = os.ReadFile(secretIdFilePath); {
-	case err != nil && secret_ok:
-		return nil, err
-	case len(bytes.TrimSpace(rawSecretID)) > 0:
-		data["secret_id"] = string(rawSecretID)
+	if hasSecret {
+		switch rawSecretID, err = os.ReadFile(secretIdFilePath); {
+		case err != nil:
+			return nil, err
+		case len(bytes.TrimSpace(rawSecretID)) > 0:
+			data["secret_id"] = strings.TrimSpace(string(rawSecretID))
+		}
 	}
 	return data, nil
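Review bot: The unchanged comment `// secret_id is optional (secret_ok is used in check below)` now names a variable that no longer exists, and the added line `// secretIdFilePath, secret_ok := params["secret_id_file_path"].(string)` keeps the old assignment as commented-out code; change the comment to `// secret_id is optional (hasSecret is used in check below)` and drop the commented-out line, since the removed line is already in history. The new `strings.TrimSpace` calls assume `strings` is already imported in this file; no import hunk appears in the diff, so presumably it is, but that is worth confirming before merge. On the unchanged line `roleIdFilePath := params["role_id_file_path"].(string)`, a missing or non-string value panics instead of producing an error, which is at odds with the error-returning style this function uses for the secret path; a checked assertion returning an error would be a natural follow-up, though it is outside this change. ArLoginDataGen's body continues past this hunk and the second hunk is cut off before the function's closing brace.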