diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index 79ae1db1a50e..593fffa16e8d 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -113,7 +113,7 @@ func rolePaths(b *backend) []*framework.Path {
 addresses which can perform the login operation`,
 },
 "policies": &framework.FieldSchema{
- Type: framework.TypeString,
+ Type: framework.TypeCommaStringSlice,
 Default: "default",
 Description: "Comma separated list of policies on the role.",
 },
@@ -172,7 +172,7 @@ TTL will be set to the value of this parameter.`,
 Description: "Name of the role.",
 },
 "policies": &framework.FieldSchema{
- Type: framework.TypeString,
+ Type: framework.TypeCommaStringSlice,
 Default: "default",
 Description: "Comma separated list of policies on the role.",
 },
@@ -768,9 +768,9 @@ func (b *backend) pathRoleCreateUpdate(req *logical.Request, data *framework.Fie
 }

 if policiesRaw, ok := data.GetOk("policies"); ok {
- role.Policies = policyutil.ParsePolicies(policiesRaw.(string))
+ role.Policies = policyutil.ParsePolicies(policiesRaw)
 } else if req.Operation == logical.CreateOperation {
- role.Policies = policyutil.ParsePolicies(data.Get("policies").(string))
+ role.Policies = policyutil.ParsePolicies(data.Get("policies"))
 }

 periodRaw, ok := data.GetOk("period")
@@ -1306,8 +1306,8 @@ func (b *backend) pathRolePoliciesUpdate(req *logical.Request, data *framework.F
 return nil, nil
 }

- policies := strings.TrimSpace(data.Get("policies").(string))
- if policies == "" {
+ policiesRaw, ok := data.GetOk("policies")
+ if !ok {
 return logical.ErrorResponse("missing policies"), nil
 }

@@ -1316,7 +1316,7 @@ func (b *backend) pathRolePoliciesUpdate(req *logical.Request, data *framework.F
 lock.Lock()
 defer lock.Unlock()

- role.Policies = policyutil.ParsePolicies(policies)
+ role.Policies = policyutil.ParsePolicies(policiesRaw)

 return nil, b.setRoleEntry(req.Storage, roleName, role, "")
 }
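Review bot: In the `policies` schema of the hunk at -113, `Default: "default"` is still a string although the field type is now `framework.TypeCommaStringSlice`, so the paths that read the default (`data.Get("policies")` on create, `data.GetDefaultOrZero("policies")` on delete) appear to depend on the `string` case that `ParsePolicies` keeps. That coupling cannot be seen at the schema; add a comment such as `// Default stays a string; policyutil.ParsePolicies accepts both string and []string.`, or make the default a slice if the framework supports it. The same applies to the second `policies` schema in the hunk at -172.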
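Review bot: In pathRolePoliciesUpdate (hunk at -1306) the emptiness check is lost: the old code rejected a blank or whitespace-only `policies` value with "missing policies", whereas `GetOk` presumably reports only that the key was supplied. An update carrying an empty value would then reach `ParsePolicies` in the hunk at -1316 and, if SanitizePolicies adds `default` as the policyutil comment describes, silently replace the role's policies with `default` instead of returning an error. Keep the rejection, for example `if pols, _ := policiesRaw.([]string); !ok || len(pols) == 0 {`, assuming the field is delivered as `[]string`. The function body begins and ends outside both hunks.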
@@ -1359,7 +1359,7 @@ func (b *backend) pathRolePoliciesDelete(req *logical.Request, data *framework.F
 lock.Lock()
 defer lock.Unlock()

- role.Policies = policyutil.ParsePolicies(data.GetDefaultOrZero("policies").(string))
+ role.Policies = policyutil.ParsePolicies(data.GetDefaultOrZero("policies"))

 return nil, b.setRoleEntry(req.Storage, roleName, role, "")
 }
diff --git a/helper/policyutil/policyutil.go b/helper/policyutil/policyutil.go
index 9ac9b9379cae..22129bc26366 100644
--- a/helper/policyutil/policyutil.go
+++ b/helper/policyutil/policyutil.go
@@ -18,12 +18,21 @@ const (
 // all other policies will be ignored, the result will contain
 // just the 'root'. In cases where 'root' is not present, if
 // 'default' policy is not already present, it will be added.
-func ParsePolicies(policiesRaw string) []string {
- if policiesRaw == "" {
+func ParsePolicies(policiesRaw interface{}) []string {
+ if policiesRaw == nil {
 return []string{"default"}
 }

- policies := strings.Split(policiesRaw, ",")
+ var policies []string
+ switch policiesRaw.(type) {
+ case string:
+ if policiesRaw.(string) == "" {
+ return []string{"default"}
+ }
+ policies = strings.Split(policiesRaw.(string), ",")
+ case []string:
+ policies = policiesRaw.([]string)
+ }

 return SanitizePolicies(policies, true)
 }
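Review bot: The type switch in `ParsePolicies` has no `default` case, so any value that is neither `string` nor `[]string` (for example a `[]interface{}` from decoded JSON) leaves `policies` nil and goes to `SanitizePolicies` with no signal to the caller. For a helper that decides which policies a role carries, that fallback should be explicit and documented rather than implicit. Binding the switch variable also removes the repeated assertions, and the doc comment above the function should state which input types are accepted. The fence shows the switch with `v` bound and an explicit `default` branch, on the assumption that the current fall-through ends up as the `default` policy alone.

```go
func ParsePolicies(policiesRaw interface{}) []string {
	// … unchanged: nil check returning []string{"default"} …
	var policies []string
	switch v := policiesRaw.(type) {
	case string:
		if v == "" {
			return []string{"default"}
		}
		policies = strings.Split(v, ",")
	case []string:
		policies = v
	default:
		// Unsupported input type: grant only the default policy.
		return []string{"default"}
	}
	// … unchanged: return SanitizePolicies(policies, true) …
```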