GCP Auth Fails without compute.instances.get on Vault cluster #65

Closed
onetwopunch opened this issue May 23, 2019 · 2 comments · Fixed by hashicorp/vault#7035

@onetwopunch

I'm setting up a Vault on GCE demo and granted the permissions at https://www.vaultproject.io/docs/auth/gcp.html#required-permissions to client and server but it seems when authenticating from a GCE instance (using vault agent fwiw) the Vault node needs to do a compute.instances.get request, which isn't listed anywhere in the docs. Am I missing something or was this an update that hasn't yet been reflected in the docs?

May 23 04:30:10 vault-demo vault[785]: 2019-05-23T04:30:10.673Z [ERROR] auth.handler: error authenticating: error="Error making API request.
May 23 04:30:10 vault-demo vault[785]: URL: PUT https://10.127.13.37:8200/v1/auth/gcp/login
May 23 04:30:10 vault-demo vault[785]: Code: 400. Errors:
May 23 04:30:10 vault-demo vault[785]: * error when attempting to find instance (project rcanty-project-0119, zone: us-east4-a, instance: vault-demo) :unable to find instance associated with token: googleapi: Error 403: Required 'compute.instances.get' permission for 'projects/rcanty-project-0119/zones/us-east4-a/instances/vault-demo', forbidden" backoff=2.733056585

Vault Version (both client and server)

$ vault --version
Vault v1.1.2 ('0082501623c0b704b87b1fbc84c2d725994bac54')
@emilymye
Contributor

emilymye commented Jul 1, 2019

Ah, we just didn't document this properly. We call instance.get to make sure it's still running and a valid instance, and to get things like labels to confirm against the role. I'll update the docs.
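
The kind of check the comment above describes, written out as an added example (this is not the plugin's own code): it takes the body of a `compute.instances.get` response and rejects the login unless the instance is running and its labels match the role. The `Role` type, `checkInstance` and the sample response are hypothetical names and constructed data.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Instance holds the fields of a Compute Engine instance resource
// (the compute.instances.get response body) that this check reads.
type Instance struct {
	Name   string            `json:"name"`
	Status string            `json:"status"`
	Labels map[string]string `json:"labels"`
}

// Role is a hypothetical stand-in for the label constraints on an auth role.
type Role struct {
	BoundLabels map[string]string
}

// checkInstance returns an error unless the instance is RUNNING and
// carries every label the role requires, with the required value.
func checkInstance(body []byte, role Role) error {
	var inst Instance
	if err := json.Unmarshal(body, &inst); err != nil {
		return fmt.Errorf("decoding instance: %w", err)
	}
	if inst.Status != "RUNNING" {
		return fmt.Errorf("instance %q is %s, not RUNNING", inst.Name, inst.Status)
	}
	for k, want := range role.BoundLabels {
		if got, ok := inst.Labels[k]; !ok || got != want {
			return fmt.Errorf("instance %q: label %q=%q, role requires %q",
				inst.Name, k, got, want)
		}
	}
	return nil
}

// Constructed sample response, trimmed to the fields used above.
const sampleInstance = `{"name":"vault-demo","status":"RUNNING","labels":{"env":"demo"}}`

func main() {
	match := Role{BoundLabels: map[string]string{"env": "demo"}}
	mismatch := Role{BoundLabels: map[string]string{"env": "prod"}}
	fmt.Println("matching role:  ", checkInstance([]byte(sampleInstance), match))
	fmt.Println("mismatched role:", checkInstance([]byte(sampleInstance), mismatch))
}
```

Without `compute.instances.get` on the server's service account there is no response body to evaluate, which is why the login fails with the 403 shown in the report rather than with a role mismatch.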

@onetwopunch
Author

Thank you @emilymye !
