diff --git a/website/content/docs/secrets/gcp.mdx b/website/content/docs/secrets/gcp.mdx index d1be65ba48..9c8da6c7d0 100644 --- a/website/content/docs/secrets/gcp.mdx +++ b/website/content/docs/secrets/gcp.mdx @@ -75,6 +75,34 @@ when creating or updating the roleset. For more information on the differences between rolesets and static accounts, see the [things to note](#things-to-note) section below. +### Roleset Policy Considerations + +Starting with Vault 1.8.0, existing permissive policies containing globs +for the GCP Secrets Engine may grant additional privileges due to the introduction +of `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` endpoints. + +The following policy grants a user the ability to read all rolesets, but would +also allow them to generate tokens and keys. This type of policy is not recommended: + +```hcl +# DO NOT USE +path "/gcp/roleset/*" { + capabilities = ["read"] +} +``` + +The following example demonstrates how a wildcard can instead be used in a roleset policy to +adhere to the principle of least privilege: + +```hcl +path "/gcp/roleset/+" { + capabilities = ["read"] +} +``` + +For more more information on policy syntax, see the +[policy documentation](/docs/concepts/policies#policy-syntax). + ### Examples To configure a roleset that generates OAuth2 access tokens (preferred): diff --git a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx b/website/content/docs/upgrading/upgrade-to-1.8.0.mdx index e327043fb7..df904d32ea 100644 --- a/website/content/docs/upgrading/upgrade-to-1.8.0.mdx +++ b/website/content/docs/upgrading/upgrade-to-1.8.0.mdx 
@@ -27,6 +27,9 @@ The following API endpoints have been deprecated and will be removed in a future * `/gcp/token/:roleset` and `/gcp/key/:roleset` paths for generating secrets for rolesets in GCP Secrets. Use `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` instead. +-> **Note:** Policies containing globs should be avoided when giving users read access +to `/gcp/roleset` to avoid giving users permissions to generate tokens. + ## Go Version Vault 1.8.0 is built with Go 1.16. Please review the [Go Release @@ -48,3 +51,7 @@ Notes](https://golang.org/doc/go1.16) for full details. Of particular note: the defaults when a new package was installed. This [issue](https://github.com/hashicorp/vault/issues/12275) affects RedHat packages for Vault 1.8.0 and the 1.8.1-0 package, and is fixed in 1.8.1-1 and up. +- The introduction of `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` could inadvertently give + users the ability to generate tokens and key if globs are used in policies. To avoid issues like this, + globs should be avoided in policies to help adhere to the principle of least privilege. See the + [roleset documentation](/docs/secrets/gcp#rolesets) for more information.
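Review bot: In the `gcp.mdx` hunk, "For more more information on policy syntax" has a doubled "more"; drop one. The new section would also land better if it stated the mechanism the two examples rely on: the `# DO NOT USE` block grants only `read`, yet the text says it lets a user generate tokens and keys, which is only true because `/gcp/roleset/:roleset/token` and `/gcp/roleset/:roleset/key` are reached by a read on those paths, and `/gcp/roleset/*` matches everything beneath `roleset/`, while `/gcp/roleset/+` matches exactly one path segment and so excludes the `/token` and `/key` sub-paths. One sentence to that effect before the second `hcl` block would make the least-privilege claim concrete. Finally, please confirm the leading slash in `path "/gcp/roleset/*"` and `path "/gcp/roleset/+"` is intentional; the policy examples elsewhere in the docs that I am aware of are written without it, and a path that never matches would silently grant nothing rather than demonstrate the point.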
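Review bot: The `-> **Note:**` added to the deprecations list in `upgrade-to-1.8.0.mdx` reads "should be avoided ... to avoid giving users" and only mentions tokens, while the other two hunks warn about tokens and keys. Suggest tightening it to something like: `-> **Note:** Avoid globs when granting read access to /gcp/roleset. With the new endpoints, read on /gcp/roleset/* also permits generating tokens and keys.` and linking to the new policy-considerations section so readers of the upgrade guide can find the `+` example.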
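Review bot: In the second `upgrade-to-1.8.0.mdx` hunk, "generate tokens and key" should be "generate tokens and keys", and "To avoid issues like this, globs should be avoided" repeats itself; "Prefer segment wildcards (`+`) over globs in these policies to adhere to the principle of least privilege" says the same thing and names the fix. The link target `/docs/secrets/gcp#rolesets` points at the parent section; since this PR adds a dedicated "Roleset Policy Considerations" heading, link to that heading's anchor instead (assuming the MDX build derives anchors from heading text) so the upgrade note lands on the `DO NOT USE` / `+` examples directly.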