diff --git a/awx/api/serializers.py b/awx/api/serializers.py
index c4cdc3086d02..a0dd5ada19b2 100644
--- a/awx/api/serializers.py
+++ b/awx/api/serializers.py
@@ -2446,7 +2446,8 @@ def validate(self, attrs):
 cred = v1_credentials[attr] = Credential.objects.get(pk=pk)
 if cred.credential_type.kind != kind:
 raise serializers.ValidationError({attr: error})
- if view and view.request and view.request.user not in cred.use_role:
+ if ((not self.instance or cred.pk != getattr(self.instance, attr)) and
+ view and view.request and view.request.user not in cred.use_role):
 raise PermissionDenied()
 if 'project' in self.fields and 'playbook' in self.fields:
diff --git a/awx/main/tests/functional/test_rbac_job_templates.py b/awx/main/tests/functional/test_rbac_job_templates.py
index e6e526bc0668..91778a3c5d6f 100644
--- a/awx/main/tests/functional/test_rbac_job_templates.py
+++ b/awx/main/tests/functional/test_rbac_job_templates.py
@@ -136,7 +136,7 @@ def test_job_template_can_add_extra_credentials(self, job_template, credential,
 job_template, credential, 'credentials', {})
 def test_job_template_vault_cred_check(self, mocker, job_template, vault_credential, rando, project):
- # TODO: remove in 3.3
+ # TODO: remove in 3.4
 job_template.admin_role.members.add(rando)
 # not allowed to use the vault cred
 # this is checked in the serializer validate method, not access.py
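Review bot: The two added lines in validate() skip the use_role permission check whenever `cred.pk` equals `getattr(self.instance, attr)`, and nothing in the hunk records why bypassing the authorization check is acceptable there; add a comment above the condition such as `# Re-submitting the credential already attached to this instance is a no-op, so it does not require use_role on it`. The skip is also only correct if the instance attribute named by `attr` yields the credential's pk (an int) rather than a Credential object — otherwise `cred.pk != getattr(...)` is always true and the no-op path is never taken; the new test_job_template_vault_cred_check_noop covers this, but the assumption is worth stating in the same comment. A named predicate would read more clearly than the wrapped boolean: `unchanged = self.instance is not None and cred.pk == getattr(self.instance, attr)` followed by `if not unchanged and view and view.request and view.request.user not in cred.use_role:`. The enclosing validate() starts and ends outside the hunk.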
@@ -151,9 +151,27 @@ def test_job_template_vault_cred_check(self, mocker, job_template, vault_credent
 'ask_inventory_on_launch': True,
 })
+ def test_job_template_vault_cred_check_noop(self, mocker, job_template, vault_credential, rando, project):
+ # TODO: remove in 3.4
+ job_template.credentials.add(vault_credential)
+ job_template.admin_role.members.add(rando)
+ # not allowed to use the vault cred
+ # this is checked in the serializer validate method, not access.py
+ view = mocker.MagicMock()
+ view.request = mocker.MagicMock()
+ view.request.user = rando
+ serializer = JobTemplateSerializer(job_template, context={'view': view})
+ # should not raise error:
+ serializer.validate({
+ 'vault_credential': vault_credential.pk,
+ 'project': project, # necessary because job_template fixture fails validation
+ 'playbook': 'helloworld.yml',
+ 'ask_inventory_on_launch': True,
+ })
+
 def test_new_jt_with_vault(self, mocker, vault_credential, project, rando):
 project.admin_role.members.add(rando)
- # TODO: remove in 3.3
+ # TODO: remove in 3.4
 # this is checked in the serializer validate method, not access.py
 view = mocker.MagicMock()
 view.request = mocker.MagicMock()
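Review bot: test_job_template_vault_cred_check_noop only proves the no-op path if `rando` really lacks use_role on `vault_credential`, but the test never checks that precondition, so it would also pass trivially if the fixture granted the role. Add `assert rando not in vault_credential.use_role` before the `serializer.validate({...})` call so a regression in the serializer (or a fixture change) cannot hide behind a green test. The copied comment `# not allowed to use the vault cred` now describes a precondition rather than the expected failure; consider `# rando may not use the vault cred, but it is already attached, so re-submitting it must be accepted as a no-op`.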