diff --git a/builtin/credential/approle/path_role_test.go b/builtin/credential/approle/path_role_test.go
index c19338549..a40cbe10d 100644
--- a/builtin/credential/approle/path_role_test.go
+++ b/builtin/credential/approle/path_role_test.go
@@ -104,7 +104,7 @@ func TestAppRole_RoleConstraints(t *testing.T) {
 	roleData["bind_secret_id"] = false
 	resp, err = b.HandleRequest(roleReq)
 	if resp != nil && resp.IsError() {
-		t.Fatalf("resp:%#v", err, resp)
+		t.Fatalf("err:%v, resp:%#v", err, resp)
 	}
 	if err == nil {
 		t.Fatalf("expected an error")
@@ -433,7 +433,7 @@ func TestAppRole_RoleSecretIDAccessorReadDelete(t *testing.T) {
 	hmacReq.Operation = logical.ReadOperation
 	resp, err = b.HandleRequest(hmacReq)
 	if resp != nil && resp.IsError() {
-		t.Fatalf("error response:%#v", err, resp)
+		t.Fatalf("err:%v resp:%#v", err, resp)
 	}
 	if err == nil {
 		t.Fatalf("expected an error")
diff --git a/builtin/credential/approle/validation.go b/builtin/credential/approle/validation.go
index 15b50bbaf..db668a825 100644
--- a/builtin/credential/approle/validation.go
+++ b/builtin/credential/approle/validation.go
@@ -352,7 +352,7 @@ func (b *backend) nonLockedSecretIDStorageEntry(s logical.Storage, roleNameHMAC,
 
 	if persistNeeded {
 		if err := b.nonLockedSetSecretIDStorageEntry(s, roleNameHMAC, secretIDHMAC, &result); err != nil {
-			return nil, fmt.Errorf("failed to upgrade role storage entry", err)
+			return nil, fmt.Errorf("failed to upgrade role storage entry %s", err)
 		}
 	}
 
diff --git a/builtin/credential/aws/path_role_test.go b/builtin/credential/aws/path_role_test.go
index a52d4fa7b..52ff43574 100644
--- a/builtin/credential/aws/path_role_test.go
+++ b/builtin/credential/aws/path_role_test.go
@@ -249,17 +249,18 @@ func TestBackend_pathIam(t *testing.T) {
 
 	// generate a second role, ensure we're able to list both
 	data["bound_ami_id"] = "ami-abcd123"
-	resp, err = b.HandleRequest(&logical.Request{
+	secondRole := &logical.Request{
 		Operation: logical.CreateOperation,
 		Path:      "role/MyOtherRoleName",
 		Data:      data,
 		Storage:   storage,
-	})
+	}
+	resp, err = b.HandleRequest(secondRole)
 	if err != nil {
 		t.Fatal(err)
 	}
 	if resp != nil && resp.IsError() {
-		t.Fatalf("failed to create additional role: %s")
+		t.Fatalf("failed to create additional role: %v", *secondRole)
 	}
 
 	resp, err = b.HandleRequest(&logical.Request{
diff --git a/builtin/credential/ldap/path_config.go b/builtin/credential/ldap/path_config.go
index b32aa1087..4fc772eaa 100644
--- a/builtin/credential/ldap/path_config.go
+++ b/builtin/credential/ldap/path_config.go
@@ -400,7 +400,7 @@ func (c *ConfigEntry) DialLDAP() (*ldap.Conn, error) {
 			}
 			conn, err = ldap.DialTLS("tcp", net.JoinHostPort(host, port), tlsConfig)
 		default:
-			retErr = multierror.Append(retErr, fmt.Errorf("invalid LDAP scheme in url %q"))
+			retErr = multierror.Append(retErr, fmt.Errorf("invalid LDAP scheme in url %q", net.JoinHostPort(host, port)))
 			continue
 		}
 		if err == nil {
diff --git a/helper/awsutil/generate_credentials.go b/helper/awsutil/generate_credentials.go
index 7605c84bb..7399a5ca3 100644
--- a/helper/awsutil/generate_credentials.go
+++ b/helper/awsutil/generate_credentials.go
@@ -48,7 +48,7 @@ func (c *CredentialsConfig) GenerateCredentialChain() (*credentials.Credentials,
 				SecretAccessKey: c.SecretKey,
 				SessionToken:    c.SessionToken,
 			}})
-	case c.AccessKey == "" && c.AccessKey == "":
+	case c.AccessKey == "" && c.SecretKey == "":
 		// Attempt to get credentials from the IAM instance role below
 
 	default: // Have one or the other but not both and not neither
diff --git a/helper/keysutil/lock_manager.go b/helper/keysutil/lock_manager.go
index 380c39af1..e0bdd648a 100644
--- a/helper/keysutil/lock_manager.go
+++ b/helper/keysutil/lock_manager.go
@@ -248,7 +248,7 @@ func (lm *LockManager) getPolicyCommon(req PolicyRequest, lockType bool) (*Polic
 
 		case KeyType_ECDSA_P256:
 			if req.Derived || req.Convergent {
-				return nil, nil, false, fmt.Errorf("key derivation and convergent encryption not supported for keys of type %s", KeyType_ECDSA_P256)
+				return nil, nil, false, fmt.Errorf("key derivation and convergent encryption not supported for keys of type %v", KeyType_ECDSA_P256)
 			}
 
 		default:
diff --git a/vault/router_test.go b/vault/router_test.go
index 5ba274bc8..e5de72e97 100644
--- a/vault/router_test.go
+++ b/vault/router_test.go
@@ -95,7 +95,7 @@ func TestRouter_Mount(t *testing.T) {
 	}
 
 	if v := r.MatchingStorageView("prod/aws/foo"); v != view {
-		t.Fatalf("bad: %s", v)
+		t.Fatalf("bad: %v", v)
 	}
 
 	if path := r.MatchingMount("stage/aws/foo"); path != "" {
@@ -103,7 +103,7 @@ func TestRouter_Mount(t *testing.T) {
 	}
 
 	if v := r.MatchingStorageView("stage/aws/foo"); v != nil {
-		t.Fatalf("bad: %s", v)
+		t.Fatalf("bad: %v", v)
 	}
 
 	mount, prefix, ok := r.MatchingStoragePrefix("logical/foo")
diff --git a/vault/token_store.go b/vault/token_store.go
index 4bd27ebfa..fed0088d0 100644
--- a/vault/token_store.go
+++ b/vault/token_store.go
@@ -2173,7 +2173,7 @@ func (ts *TokenStore) tokenStoreRoleCreateUpdate(
 			}
 			resp.AddWarning(fmt.Sprintf(
 				"Given explicit max TTL of %d is greater than system/mount allowed value of %d seconds; until this is fixed attempting to create tokens against this role will result in an error",
-				entry.ExplicitMaxTTL.Seconds(), sysView.MaxLeaseTTL().Seconds()))
+				int64(entry.ExplicitMaxTTL.Seconds()), int64(sysView.MaxLeaseTTL().Seconds())))
 		}
 	}