diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index 29a90c08c3..08503db45e 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -2667,7 +2667,7 @@ class CredentialSerializer(BaseSerializer):
     def validate_inputs(self, inputs):
         if self.instance and self.instance.credential_type.kind == "vault":
             if 'vault_id' in inputs and inputs['vault_id'] != self.instance.inputs['vault_id']:
-                raise ValidationError(_('We do not permit Vault IDs to be changed after they have been created.'))
+                raise ValidationError(_('Vault IDs cannot be changed once they have been created.'))
 
         return inputs
 
diff --git a/awx/main/tests/functional/api/test_credential.py b/awx/main/tests/functional/api/test_credential.py
index 3d277049ab..52814f3655 100644
--- a/awx/main/tests/functional/api/test_credential.py
+++ b/awx/main/tests/functional/api/test_credential.py
@@ -532,6 +532,49 @@ def test_vault_password_required(post, organization, admin):
     assert 'required fields (vault_password)' in j.job_explanation
 
 
+@pytest.mark.django_db
+def test_vault_id_immutable(post, patch, organization, admin):
+    vault = CredentialType.defaults['vault']()
+    vault.save()
+    response = post(
+        reverse('api:credential_list'),
+        {
+            'credential_type': vault.pk,
+            'organization': organization.id,
+            'name': 'Best credential ever',
+            'inputs': {'vault_id': 'password', 'vault_password': 'password'},
+        },
+        admin,
+    )
+    assert response.status_code == 201
+    assert Credential.objects.count() == 1
+    response = patch(
+        reverse('api:credential_detail', kwargs={'pk': response.data['id']}), {'inputs': {'vault_id': 'password2', 'vault_password': 'password'}}, admin
+    )
+    assert response.status_code == 400
+    assert response.data['inputs'][0] == 'Vault IDs cannot be changed once they have been created.'
+
+
+@pytest.mark.django_db
+def test_patch_without_vault_id_valid(post, patch, organization, admin):
+    vault = CredentialType.defaults['vault']()
+    vault.save()
+    response = post(
+        reverse('api:credential_list'),
+        {
+            'credential_type': vault.pk,
+            'organization': organization.id,
+            'name': 'Best credential ever',
+            'inputs': {'vault_id': 'password', 'vault_password': 'password'},
+        },
+        admin,
+    )
+    assert response.status_code == 201
+    assert Credential.objects.count() == 1
+    response = patch(reverse('api:credential_detail', kwargs={'pk': response.data['id']}), {'name': 'worst_credential_ever'}, admin)
+    assert response.status_code == 200
+
+
 #
 # Net Credentials
 #