diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index 02f3bb3371..4ad0dfc6dd 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -906,7 +906,7 @@ func (b *backend) secretIDCommon(s logical.Storage, entryIndex, secretIDHMAC str
 }
 if _, ok := d["SecretIDNumUses"]; ok {
- resp.AddWarning("The field SecretIDNumUses is deprecated and will be removed in a future release")
+ resp.AddWarning("The field SecretIDNumUses is deprecated and will be removed in a future release; refer to secret_id_num_uses instead")
 }
 return resp, nil
diff --git a/builtin/credential/approle/validation.go b/builtin/credential/approle/validation.go
index d3dedaf795..ec49c56012 100644
--- a/builtin/credential/approle/validation.go
+++ b/builtin/credential/approle/validation.go
@@ -368,9 +368,12 @@ func (b *backend) nonLockedSecretIDStorageEntry(s logical.Storage, roleNameHMAC,
 if result.SecretIDNumUses == 0 || result.SecretIDNumUsesDeprecated < result.SecretIDNumUses {
 result.SecretIDNumUses = result.SecretIDNumUsesDeprecated
+ persistNeeded = true
+ }
+ if result.SecretIDNumUses < result.SecretIDNumUsesDeprecated {
+ result.SecretIDNumUsesDeprecated = result.SecretIDNumUses
+ persistNeeded = true
 }
- result.SecretIDNumUsesDeprecated = 0
- persistNeeded = true
 }
 if persistNeeded {
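Review bot: In validation.go, the reconciliation of `SecretIDNumUses` and `SecretIDNumUsesDeprecated` in nonLockedSecretIDStorageEntry carries no comment stating the invariant it enforces, and these counters bound how many times a SecretID can be used. As written, the two `if` blocks leave both fields at the lower value (a zero `SecretIDNumUses` being treated as unset) and persist only when something changed; I would say so above the first `if`, e.g. `// Keep both counters at the lower value so a SecretID never gains uses; SecretIDNumUses == 0 is treated as unset here.` Because the first block leaves the two fields equal, the second could be written as `else if`, which makes it plain that at most one direction of the sync runs per read. The enclosing condition and the persist step lie outside the hunk, so whether a caller holding only a read lock can reach the write is not visible here and is worth confirming.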