diff --git a/api/secret.go b/api/secret.go
index d37bf3cf06..7df9f66a4d 100644
--- a/api/secret.go
+++ b/api/secret.go
@@ -159,6 +159,10 @@ TOKEN_DONE:
 goto DONE
 }
 
+ if s.Data["identity_policies"] == nil {
+ goto DONE
+ }
+
 sList, ok := s.Data["identity_policies"].([]string)
 if ok {
 identityPolicies = sList
diff --git a/changelog/17007.txt b/changelog/17007.txt
new file mode 100644
index 0000000000..6c2a2801b2
--- /dev/null
+++ b/changelog/17007.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+auth/token: fixes an edge case bug that "identity_policies" is nil and causes cli vault login error
+```
diff --git a/vault/token_store.go b/vault/token_store.go
index 7e4d5951bc..30d9170e20 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -3435,8 +3435,10 @@ func (ts *TokenStore) handleLookup(ctx context.Context, req *logical.Request, da
 return nil, err
 }
 if len(identityPolicies) != 0 {
- resp.Data["identity_policies"] = identityPolicies[out.NamespaceID]
- delete(identityPolicies, out.NamespaceID)
+ if _, ok := identityPolicies[out.NamespaceID]; ok {
+ resp.Data["identity_policies"] = identityPolicies[out.NamespaceID]
+ delete(identityPolicies, out.NamespaceID)
+ }
 resp.Data["external_namespace_policies"] = identityPolicies
 }
 }
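Review bot: The nil guard added in api/secret.go, just before the `.([]string)` assertion, carries no comment explaining why a key that is present can still hold nil, so a later reader may take it for dead code and remove it. I would put `// A lookup response may carry "identity_policies": null (seen with servers that lack the handleLookup fix); treat it as "no identity policies" rather than a malformed list.` above the `if`. The guard has to stay even with the server-side change in this commit, because clients presumably still talk to servers that return the null value. The enclosing block starts before this hunk and continues past it, so whether an earlier lookup of the same key could be folded into this check cannot be judged from here.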
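Review bot: The new `if _, ok := identityPolicies[out.NamespaceID]; ok` in handleLookup tests only for key presence and then indexes the map a second time. If the map values are slices, as the usage suggests, an entry that is present but nil or empty would still be written to `resp.Data["identity_policies"]` and presumably reach the client as null. A single lookup covers both cases: `if pols := identityPolicies[out.NamespaceID]; len(pols) != 0 {` followed by `resp.Data["identity_policies"] = pols`. No test visible in this diff covers a token whose entity has policies only in other namespaces, which is the case the changelog describes. handleLookup begins and ends outside the hunk.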