diff --git a/website/source/api/auth/gcp/index.html.md b/website/source/api/auth/gcp/index.html.md index 0669f592ab..6650fc7151 100644 --- a/website/source/api/auth/gcp/index.html.md +++ b/website/source/api/auth/gcp/index.html.md @@ -146,7 +146,7 @@ entities attempting to login. - `service_accounts` `(array: [])` - Required for `iam` roles. A comma-separated list of service account emails or ids. - Defines the service accounts that login is restricted to. If set to `\*`, all + Defines the service accounts that login is restricted to. If set to `*`, all service accounts are allowed (role will still be bound by project). ### Sample Payload diff --git a/website/source/docs/auth/gcp.html.md b/website/source/docs/auth/gcp.html.md index 31cab08525..57698367e5 100644 --- a/website/source/docs/auth/gcp.html.md +++ b/website/source/docs/auth/gcp.html.md @@ -75,7 +75,7 @@ curl -H "Authorization: Bearer $OAUTH_TOKEN" \ **Golang Example** -We use the Go OAuth2 libraries, GCP IAM API, and Vault API. +We use the Go OAuth2 libraries, GCP IAM API, and Vault API. The example generates a token valid for the `dev-role` role (as indicated by the `aud` field of `jwtPayload`). ```go // Abbreviated imports to show libraries. @@ -117,7 +117,7 @@ func main() { // 1. Generate signed JWT using IAM. resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount) jwtPayload := map[string]interface{}{ - "aud": "auth/gcp/login", + "aud": "vault/dev-role", "sub": serviceAccount, "exp": time.Now().Add(time.Minute * 10).Unix(), }
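Review bot: In the `service_accounts` description in website/source/api/auth/gcp/index.html.md, the parameter is typed `(array: [])` while the unchanged context line calls it "A comma-separated list", so even with the wildcard now rendering as a plain `*` the text does not say what exact value a caller sends to allow all service accounts. Suggest stating the accepted form once and showing the wildcard in that form, since this is the setting that opens login to every service account in the project.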
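Review bot: In the `@@ -75,7 +75,7 @@` hunk of website/source/docs/auth/gcp.html.md, the added sentence ties the token to `dev-role` but does not state the pattern the example relies on, which is that `aud` is `vault/` followed by the role name. A reader adapting the example to a different role has to infer that from the code further down; suggest spelling the format out in this sentence.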
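Review bot: In the `@@ -117,7 +117,7 @@` hunk of website/source/docs/auth/gcp.html.md, the new `"aud": "vault/dev-role"` hard-codes the role name inside a string literal, while `resourceName` and `sub` on the neighbouring lines are built from the `project` and `serviceAccount` variables. Suggest introducing a `role` variable and building the audience with `fmt.Sprintf("vault/%s", role)`, so that changing the role is a one-place edit and a copied example does not keep minting tokens scoped to `dev-role`.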