diff --git a/website/pages/docs/auth/gcp.mdx b/website/pages/docs/auth/gcp.mdx index 46429c463..9e998a39f 100644 --- a/website/pages/docs/auth/gcp.mdx +++ b/website/pages/docs/auth/gcp.mdx @@ -177,6 +177,9 @@ These allow Vault to: - compare bound fields for GCE roles (zone/region, labels, or membership in given instance groups) +If you are using Group Aliases as described below, you will also need to add the +`resourcemanager.projects.get` permission. + #### Permissions For Authenticating Against Vault Note that the previously mentioned permissions are given to the _Vault servers_. @@ -204,6 +207,9 @@ will include the following aliases: ] ``` +If you are using a custom role for Vault server, you will need to add the +`resourcemanager.projects.get` permission to your custom role. + ## Implementation Details This section describes the implementation details for how Vault communicates
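Review bot: In the first hunk (@@ -177), the added sentence after the bound-fields list does not say which principal needs `resourcemanager.projects.get` or why group aliases depend on it. The following context line says the previously mentioned permissions are given to the Vault servers, so state that here as well, for example "the Vault servers also need the `resourcemanager.projects.get` permission". Replace "as described below" with a link to the Group Aliases section so the reference survives later reordering of the page. Consider also naming the scope at which the permission is expected to be granted, so operators do not grant it more broadly than required.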
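Review bot: In the second hunk (@@ -204), the condition "If you are using a custom role for Vault server" is inconsistent with the first hunk, which ties the same permission to using Group Aliases with no mention of role type. As written, a reader cannot tell whether the permission is needed only with custom roles or whenever group aliases are in use. Suggest stating the requirement once with a single condition and cross-referencing it from the other location. Minor wording: "for Vault server" should read "for the Vault server".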