Cannot update existing AppRole

Hello there,

we’re trying to restrict our existing AppRoles so that they can only be used by certain CIDRs. Looking at the API docs at, it should be possible by writing to /auth/approle/role/:role_name/token-bound-cidrs.

When trying this using

vault write /auth/approle/role/my-role/token-bound-cidrs token_bound_cidrs=my-cidr

vault returns a 500 with the error message “role_id already in use”.

Our current vault version is 1.2.2. The documentation didn’t mention that this should not be possible, so I’m wondering whether this is the intended behavior (especially because a 500 error is returned).