diff --git a/vault/config.go b/vault/config.go
index bc8c6eca4..f769b772d 100644
--- a/vault/config.go
+++ b/vault/config.go
@@ -698,7 +698,12 @@ func (c *ProfileConfig) Validate() error {
 	}
 	if c.HasSourceProfile() {
 		n++
-	} else if c.HasRole() {
+	}
+	if c.HasRole() &&
+		// these cases require the role to be set in addition, so it's part of
+		// their credential.
+		!c.HasSourceProfile() &&
+		!c.HasWebIdentity() {
 		n++
 	}
 	if n > 1 {
diff --git a/vault/config_test.go b/vault/config_test.go
index 3e3644ab0..c69c116db 100644
--- a/vault/config_test.go
+++ b/vault/config_test.go
@@ -635,6 +635,10 @@ source_profile = foo
 region = eu-west-2
 mfa_serial = arn:aws:iam::9999999999999:mfa/david
 credential_process = true
+
+[profile withwebidentity]
+role_arn = arn:aws:iam::123457890:role/foo
+web_identity_token_process = oidccli -issuer=https://example.com -client-id=aws -client-secret=localonly raw
 `))
 	defer os.Remove(f)
 	configFile, _ := vault.LoadConfig(f)
@@ -651,4 +655,10 @@ credential_process = true
 	if err == nil {
 		t.Fatalf("Should have failed validation: %v", err)
 	}
+
+	config, _ = configLoader.GetProfileConfig("withwebidentity")
+	err = config.Validate()
+	if err != nil {
+		t.Fatalf("Should have validated withwebidentity: %v", err)
+	}
 }
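Review bot: The explanatory comment sits between the `&&` operands of the new `if c.HasRole() &&` condition, which gofmt accepts but spreads a three-term boolean over five lines and reads as if it qualifies only the `!c.HasSourceProfile()` term that follows it. Hoisting it above the statement keeps the condition on one line and states what is being counted: `// A role combined with a source profile or web identity is part of that credential, not a separate one, so it counts toward n only when it stands alone.` followed by `if c.HasRole() && !c.HasSourceProfile() && !c.HasWebIdentity() {`. Whether a web-identity profile increments `n` on its own is decided elsewhere in Validate, outside this hunk, so the role-plus-web-identity case is accepted only if that branch exists; worth confirming since the hunk relies on it. The enclosing Validate body starts before and continues after the hunk.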
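Review bot: The error from `configLoader.GetProfileConfig("withwebidentity")` is discarded in the new assertion block, so a lookup failure (for example a profile name that does not match the fixture) would surface only as whatever `Validate()` does on an unloaded config rather than as a clear test failure; prefer `config, err = configLoader.GetProfileConfig("withwebidentity")` followed by `if err != nil { t.Fatalf("loading withwebidentity: %v", err) }` before calling Validate. The visible `configFile, _ := vault.LoadConfig(f)` suggests this discard is the file's existing convention, but the new case is the one exercising the changed counting rule, so it is where a silent miss matters most. The fixture also covers only the accepting path; a profile combining `web_identity_token_process` with `source_profile` would show that the new exclusion in Validate still rejects two credential sources. The enclosing test function starts outside the hunk.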