diff --git a/builtin/logical/database/path_roles.go b/builtin/logical/database/path_roles.go
index a6c2b233db86..f565e90ffa8a 100644
--- a/builtin/logical/database/path_roles.go
+++ b/builtin/logical/database/path_roles.go
@@ -649,11 +649,12 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 	}
 
 	lastVaultRotation := role.StaticAccount.LastVaultRotation
+	updateAllowed := lastVaultRotation.IsZero()
+
 	if passwordRaw, ok := data.GetOk("password"); ok {
 		// We will allow users to update the password until the point where
 		// Vault assumes management of the account so that we don't break the
 		// promise of Vault being the source of truth.
-		updateAllowed := lastVaultRotation.IsZero()
 		if updateAllowed {
 			role.StaticAccount.Password = passwordRaw.(string)
 
@@ -663,7 +664,8 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 			}
 
 			if connDetails != nil && connDetails.SelfManaged {
-				// Password and SelfManagedPassword should map to the same value
+				// SelfManagedPassword was deprecated in favor of Password, so they
+				// should map to the same value
 				role.StaticAccount.SelfManagedPassword = passwordRaw.(string)
 			}
 		} else {
@@ -671,13 +673,18 @@ func (b *databaseBackend) pathStaticRoleCreateUpdate(ctx context.Context, req *l
 		}
 	}
 
-	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok && createRole {
+	if smPasswordRaw, ok := data.GetOk("self_managed_password"); ok {
 		if _, ok := data.GetOk("password"); ok {
 			return logical.ErrorResponse(errNoPasswordAndSelfManagedPassword), nil
 		}
-		// Password and SelfManagedPassword should map to the same value
-		role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
-		role.StaticAccount.Password = smPasswordRaw.(string)
+		if updateAllowed {
+			// SelfManagedPassword was deprecated in favor of Password, so they
+			// should map to the same value
+			role.StaticAccount.SelfManagedPassword = smPasswordRaw.(string)
+			role.StaticAccount.Password = smPasswordRaw.(string)
+		} else {
+			return logical.ErrorResponse("%s: role=%s, lastVaultRotation=%s", errNoUpdateAfterRotation, name, lastVaultRotation), nil
+		}
 	}
 
 	if skipImportRotationRaw, ok := data.GetOk("skip_import_rotation"); ok {