diff --git a/changelog/28059.txt b/changelog/28059.txt
new file mode 100644
index 000000000000..550fd75af5c6
--- /dev/null
+++ b/changelog/28059.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+command: The `vault secrets move` and `vault auth move` command will no longer attempt to write to storage on performance standby nodes.
+```
diff --git a/vault/auth.go b/vault/auth.go
index 379d9fb1e667..a176c5c88c19 100644
--- a/vault/auth.go
+++ b/vault/auth.go
@@ -485,15 +485,17 @@ func (c *Core) remountCredential(ctx context.Context, src, dst namespace.MountPa
 srcMatch.Path = strings.TrimPrefix(dst.MountPath, credentialRoutePrefix)
 // Update the mount table
- if err := c.persistAuth(ctx, c.auth, &srcMatch.Local); err != nil {
- srcMatch.Path = srcPath
- srcMatch.Tainted = true
- c.authLock.Unlock()
- if err == logical.ErrReadOnly && c.perfStandby {
- return err
- }
+ if updateStorage {
+ if err := c.persistAuth(ctx, c.auth, &srcMatch.Local); err != nil {
+ srcMatch.Path = srcPath
+ srcMatch.Tainted = true
+ c.authLock.Unlock()
+ if err == logical.ErrReadOnly && c.perfStandby {
+ return err
+ }
- return fmt.Errorf("failed to update auth table with error %+v", err)
+ return fmt.Errorf("failed to update auth table with error %+v", err)
+ }
 }
 // Remount the backend, setting the existing route entry
diff --git a/vault/mount.go b/vault/mount.go
index e8bea5ba4c65..9561a680e12a 100644
--- a/vault/mount.go
+++ b/vault/mount.go
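Review bot: In the vault/auth.go hunk (remountCredential), the failure path now nested under `if updateStorage` still tests `err == logical.ErrReadOnly`, which matches only the bare sentinel; if persistAuth ever returns it wrapped, a performance standby would surface the generic "failed to update auth table" error instead of the read-only one. `if errors.Is(err, logical.ErrReadOnly) && c.perfStandby {` is the more robust form, assuming `errors` is imported in this file, which the hunk does not show. The same line is carried into the remountSecretsEngine hunk in vault/mount.go. The `// Update the mount table` comment now sits above a conditional skip, so I would reword it to something like `// Persist the table only when updateStorage is set; performance standbys must not write to storage.` Both function bodies start and end outside their hunks, and `updateStorage` is defined outside the visible lines.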
@@ -1189,15 +1189,17 @@ func (c *Core) remountSecretsEngine(ctx context.Context, src, dst namespace.Moun
 srcMatch.Path = dst.MountPath
 // Update the mount table
- if err := c.persistMounts(ctx, c.mounts, &srcMatch.Local); err != nil {
- srcMatch.Path = srcPath
- srcMatch.Tainted = true
- c.mountsLock.Unlock()
- if err == logical.ErrReadOnly && c.perfStandby {
- return err
- }
+ if updateStorage {
+ if err := c.persistMounts(ctx, c.mounts, &srcMatch.Local); err != nil {
+ srcMatch.Path = srcPath
+ srcMatch.Tainted = true
+ c.mountsLock.Unlock()
+ if err == logical.ErrReadOnly && c.perfStandby {
+ return err
+ }
- return fmt.Errorf("failed to update mount table with error %+v", err)
+ return fmt.Errorf("failed to update mount table with error %+v", err)
+ }
 }
 // Remount the backend
diff --git a/vault/testing.go b/vault/testing.go
index e007ec008c3e..036087032383 100644
--- a/vault/testing.go
+++ b/vault/testing.go
@@ -652,6 +652,23 @@ func GenerateRandBytes(length int) ([]byte, error) {
 return buf, nil
 }
+func TestWaitPerfStandby(t testing.TB, core *Core) {
+ t.Helper()
+ start := time.Now()
+ var perfStandby bool
+ for time.Now().Sub(start) < 30*time.Second {
+ perfStandby = core.PerfStandby()
+
+ if perfStandby {
+ break
+ }
+ }
+ if !perfStandby {
+ err := errors.New("core not in perf standby mode")
+ t.Fatal(err)
+ }
+}
+
 func TestWaitActive(t testing.TB, core *Core) {
 t.Helper()
 if err := TestWaitActiveWithError(core); err != nil {
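Review bot: The polling loop in TestWaitPerfStandby (vault/testing.go) spins without yielding, calling `core.PerfStandby()` back to back for up to 30 seconds, which pins a CPU core and may contend with the work the core needs to do to reach standby state. A short pause at the end of the loop body, e.g. `time.Sleep(100 * time.Millisecond)`, would avoid that, and `time.Since(start)` is the idiomatic form of `time.Now().Sub(start)`. The exported helper also has no doc comment; `// TestWaitPerfStandby blocks until core reports performance standby mode and fails the test after 30 seconds.` matches what the code does.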