diff --git a/cas/vaultcas/auth/approle/approle.go b/cas/vaultcas/auth/approle/approle.go
index d842bae0..118afb10 100644
--- a/cas/vaultcas/auth/approle/approle.go
+++ b/cas/vaultcas/auth/approle/approle.go
@@ -41,19 +41,20 @@ func NewApproleAuthMethod(mountPath string, options json.RawMessage) (*approle.A
 }
 var sid approle.SecretID
-if opts.SecretID != "" {
+switch {
+case opts.SecretID != "" && opts.SecretIDFile == "" && opts.SecretIDEnv == "":
 sid = approle.SecretID{
 FromString: opts.SecretID,
 }
-} else if opts.SecretIDFile != "" {
+case opts.SecretIDFile != "" && opts.SecretID == "" && opts.SecretIDEnv == "":
 sid = approle.SecretID{
 FromFile: opts.SecretIDFile,
 }
-} else if opts.SecretIDEnv != "" {
+case opts.SecretIDEnv != "" && opts.SecretIDFile == "" && opts.SecretID == "":
 sid = approle.SecretID{
 FromEnv: opts.SecretIDEnv,
 }
-} else {
+default:
 return nil, errors.New("you must set one of secretID, secretIDFile or secretIDEnv")
 }
diff --git a/cas/vaultcas/auth/approle/approle_test.go b/cas/vaultcas/auth/approle/approle_test.go
index ec4d523f..28b7b7f7 100644
--- a/cas/vaultcas/auth/approle/approle_test.go
+++ b/cas/vaultcas/auth/approle/approle_test.go
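Review bot: The `default:` branch still returns `you must set one of secretID, secretIDFile or secretIDEnv`, but after this change it is also reached when two or three of them are set, which is exactly the situation the commit adds handling for — an operator who configured both `SecretID` and `SecretIDEnv` is told to set one when the real problem is the surplus. Changing the message to `return nil, errors.New("you must set exactly one of secretID, secretIDFile or secretIDEnv")` covers both the missing and the conflicting case without a second branch. As a point of style, each `case` repeats the two negated conditions of the others; counting the non-empty fields once and rejecting `count != 1` before a plain `switch` on which field is set would express the same rule with less to keep in sync. `NewApproleAuthMethod` starts and ends outside this hunk.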
@@ -158,6 +158,30 @@ func TestApprole_NewApproleAuthMethod(t *testing.T) {
 `{"RoleID": "0000-0000-0000-0000"}`,
 true,
 },
+{
+"fail multiple secret-id types id and env",
+"",
+`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+true,
+},
+{
+"fail multiple secret-id types id and file",
+"",
+`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id"}`,
+true,
+},
+{
+"fail multiple secret-id types env and file",
+"",
+`{"RoleID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+true,
+},
+{
+"fail multiple secret-id types all",
+"",
+`{"RoleID": "0000-0000-0000-0000", "SecretID": "0000-0000-0000-0000", "SecretIDFile": "./secret-id", "SecretIDEnv": "VAULT_APPROLE_SECRETID"}`,
+true,
+},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
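Review bot: The four added rows assert only `true` in the last column, so as far as the visible table shows they pass on any error at all — a JSON decode failure from a typo in the config literal would satisfy them just as well as the new multiple-source rejection, and they would keep passing if that check were later lost while some unrelated failure remained. If the `t.Run` body compares only the error flag, consider an expected-error-substring column, or a sentinel error checked with `errors.Is`, so these rows pin the specific rejection they are named for. The enclosing `TestApprole_NewApproleAuthMethod` and the `t.Run` body continue outside the hunk, so how the error is actually checked is not visible here.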