diff --git a/changelog/_10762.txt b/changelog/_10762.txt
new file mode 100644
index 0000000000..c2bc0d3284
--- /dev/null
+++ b/changelog/_10762.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+sdk/rotation: Prevent rotation attempts on read-only storage
+```
diff --git a/sdk/framework/backend.go b/sdk/framework/backend.go
index 23d528e636..47538b6599 100644
--- a/sdk/framework/backend.go
+++ b/sdk/framework/backend.go
@@ -725,6 +725,11 @@ func (b *Backend) handleRotation(ctx context.Context, req *logical.Request) (*lo
 return nil, logical.ErrUnsupportedOperation
 }
 
+ // rotation is a write operation, so we short-circuit the request
+ if !b.WriteSafeReplicationState() {
+ return nil, logical.ErrReadOnly
+ }
+
 err := b.RotateCredential(ctx, req)
 if err != nil {
 return nil, err
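Review bot: The comment on the new guard in handleRotation says only that the request is short-circuited, not why the check must sit before `b.RotateCredential`: a rotation that changes the credential at the external system and then cannot persist it on read-only storage would, presumably, leave the stored secret out of sync with the live one. I would word it as `// Rotation persists the new credential, so refuse with ErrReadOnly before calling RotateCredential when this node's replication state is not write-safe.` It is also worth documenting for callers that `logical.ErrReadOnly` here means the rotation was skipped on this node rather than attempted and failed, so the scheduler and any alerting can tell the two apart. No test for the new branch is visible in this diff, and handleRotation starts before and continues past the hunk.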