diff --git a/website/content/docs/platform/k8s/vso/sources/vault/gcp-auth.mdx b/website/content/docs/platform/k8s/vso/sources/vault/gcp-auth.mdx
new file mode 100644
index 0000000000..68531edb3c
--- /dev/null
+++ b/website/content/docs/platform/k8s/vso/sources/vault/gcp-auth.mdx
@@ -0,0 +1,80 @@
+---
+layout: docs
+page_title: GCP auth support for Vault Secrets Operator
+description: >-
+ Learn how GCP authentication works for Vault Secrets Operator
+---
+
+# GCP auth support for Vault Secrets Operator
+
+The Vault Secrets Operator (VSO) supports authenticating to Vault's [GCP auth](/vault/docs/auth/gcp) method, using Google's Kubernetes Engine (GKE) workload identity.
+
+1. Follow Google's [Use Workload Identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) guide to enable workload identity on a GKE cluster so your Kubernetes service account can impersonate a Google IAM service account.
+
+1. Create an appropriate authentication role in your Vault instance:
+
+
+
+
+ ```shell-session
+ $ vault write auth/gcp/role/ \
+ type="iam" \
+ policies="default" \
+ max_jwt_exp=3600 \
+ bound_service_accounts="@.iam.gserviceaccount.com"
+ ```
+
+
+
+
+ ```hcl
+ resource "vault_gcp_auth_backend_role" "gcp_role" {
+ backend = "auth/gcp"
+ role =
+ type = "iam"
+ token_policies = "default"
+ max_jwt_exp = 3600
+ bound_service_accounts = [
+ "@.iam.gserviceaccount.com",
+ ]
+ }
+ ```
+
+
+
+
+
+
+ `max_jwt_exp` needs to be greater than or equal to 1 hour (3600)
+
+
+
+1. Create the corresponding authentication object for VSO:
+
+ ```yaml
+ apiVersion: secrets.hashicorp.com/v1beta1
+ kind: VaultAuth
+ metadata:
+ name: vaultauth-gcp-example
+ namespace:
+ spec:
+ vaultConnectionRef:
+ mount: gcp
+ method: gcp
+ gcp:
+ role:
+ workloadIdentityServiceAccount:
+ ```
+
+
+
+ If you use Terraform to manage your GKE cluster, the
+ [GKE module](https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest)
+ includes workload identity support through the
+ [workload identity submodule](https://registry.terraform.io/modules/terraform-google-modules/kubernetes-engine/google/latest/submodules/workload-identity).
+
+
+
+# API
+
+See the full list of GCP VaultAuth options on the [VSO API page](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfiggcp).
diff --git a/website/content/docs/platform/k8s/vso/sources/vault.mdx b/website/content/docs/platform/k8s/vso/sources/vault/index.mdx
similarity index 87%
rename from website/content/docs/platform/k8s/vso/sources/vault.mdx
rename to website/content/docs/platform/k8s/vso/sources/vault/index.mdx
index 14d9415aac..c75595f855 100644
--- a/website/content/docs/platform/k8s/vso/sources/vault.mdx
+++ b/website/content/docs/platform/k8s/vso/sources/vault/index.mdx
@@ -30,12 +30,13 @@ during drift remediation.
### Supported Vault authentication methods
-| Backend | Description |
-|-------------------------------------------|-------------------------------------------------------------------------------------------------------------|
-| [Kubernetes](/vault/docs/auth/kubernetes) | Relies on short-lived Kubernetes ServiceAccount tokens for Vault authentication |
-| [JWT](/vault/docs/auth/jwt) | Relies on either static JWT tokens or short-lived Kubernetes ServiceAccount tokens for Vault authentication |
-| [AppRole](/vault/docs/auth/approle) | Relies on static AppRole credentials for Vault authentication |
-| [AWS](/vault/docs/auth/aws) | Relies on AWS credentials for Vault authentication |
+| Backend | Description |
+|------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------|
+| [Kubernetes](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigkubernetes) | Relies on short-lived Kubernetes ServiceAccount tokens for Vault authentication |
+| [JWT](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigjwt) | Relies on either static JWT tokens or short-lived Kubernetes ServiceAccount tokens for Vault authentication |
+| [AppRole](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigapprole) | Relies on static AppRole credentials for Vault authentication |
+| [AWS](/vault/docs/platform/k8s/vso/api-reference#vaultauthconfigaws) | Relies on AWS credentials for Vault authentication |
+| [GCP](/vault/docs/platform/k8s/vso/sources/vault/gcp-auth) | Relies on GCP credentials for Vault authentication |
## Vault access and custom resource definitions
diff --git a/website/data/docs-nav-data.json b/website/data/docs-nav-data.json
index 752659fbc2..1fac8b654b 100644
--- a/website/data/docs-nav-data.json
+++ b/website/data/docs-nav-data.json
@@ -1984,7 +1984,21 @@
},
{
"title": "Vault",
- "path": "platform/k8s/vso/sources/vault"
+ "routes": [
+ {
+ "title": "Overview",
+ "path": "platform/k8s/vso/sources/vault"
+ },
+ {
+ "title": "Auth Methods",
+ "routes": [
+ {
+ "title": "GCP",
+ "path": "platform/k8s/vso/sources/vault/gcp-auth"
+ }
+ ]
+ }
+ ]
},
{
"title": "HCP Vault Secrets",