diff --git a/website/source/intro/getting-started/dynamic-secrets.html.md b/website/source/intro/getting-started/dynamic-secrets.html.md
index c6970313db..fa92514e1d 100644
--- a/website/source/intro/getting-started/dynamic-secrets.html.md
+++ b/website/source/intro/getting-started/dynamic-secrets.html.md
@@ -77,14 +77,9 @@ is okay - just use this one for now.
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "Stmt1426528957000",
       "Effect": "Allow",
-      "Action": [
-        "ec2:*"
-      ],
-      "Resource": [
-        "*"
-      ]
+      "Action": "ec2:*",
+      "Resource": "*"
     }
   ]
 }
@@ -94,19 +89,16 @@ As mentioned above, we need to map this policy document to a named role. To do
 that, write to `aws/roles/:name`:
 
 ```text
-$ vault write aws/roles/my-role policy=-<<EOF
+$ vault write aws/roles/my-role \
+    credential_type=iam_user \
+    policy_document=-<<EOF
 {
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid": "Stmt1426528957000",
       "Effect": "Allow",
-      "Action": [
-        "ec2:*"
-      ],
-      "Resource": [
-        "*"
-      ]
+      "Action": "ec2:*",
+      "Resource": "*"
     }
   ]
 }
@@ -153,7 +145,7 @@ Vault will automatically revoke this credential after 768 hours (see
 `lease_duration` in the output), but perhaps we want to revoke it early. Once
 the secret is revoked, the access keys are no longer valid.
 
-To revoke the secret, use `vault revoke` with the lease ID that was outputted
+To revoke the secret, use `vault lease revoke` with the lease ID that was outputted
 from `vault read` when you ran it:
 
 ```text