diff --git a/internal/kms/vault.go b/internal/kms/vault.go
index 6a7fc001c..d1e146538 100644
--- a/internal/kms/vault.go
+++ b/internal/kms/vault.go
@@ -192,11 +192,16 @@ func (vc *vaultConnection) initConnection(config map[string]interface{}) error {
 	if errors.Is(err, errConfigOptionInvalid) {
 		return err
 	}
-	vaultAuthNamespace := vaultNamespace // optional, same as vaultNamespace
+	vaultAuthNamespace := ""
 	err = setConfigString(&vaultAuthNamespace, config, "vaultAuthNamespace")
 	if errors.Is(err, errConfigOptionInvalid) {
 		return err
 	}
+	// if the vaultAuthNamespace key is present and value is empty in config, set
+	// the optional vaultNamespace.
+	if vaultAuthNamespace == "" {
+		vaultAuthNamespace = vaultNamespace
+	}
 	// set the option if the value was not invalid
 	if firstInit || !errors.Is(err, errConfigOptionMissing) {
 		vaultConfig[api.EnvVaultNamespace] = vaultAuthNamespace