diff --git a/.changelog/1389.txt b/.changelog/1389.txt
new file mode 100644
index 00000000000..42d77fb5937
--- /dev/null
+++ b/.changelog/1389.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+plugin/vault: Use new Service Account Credentials API for GCP SignJWT endpoint
+```
diff --git a/builtin/vault/internal/auth/gcp/gcp.go b/builtin/vault/internal/auth/gcp/gcp.go
index 6b7cad1b477..baad96afa64 100644
--- a/builtin/vault/internal/auth/gcp/gcp.go
+++ b/builtin/vault/internal/auth/gcp/gcp.go
@@ -16,7 +16,7 @@ import (
 	"github.com/hashicorp/vault/api"
 	"github.com/hashicorp/vault/sdk/helper/parseutil"
 	"golang.org/x/oauth2"
-	iam "google.golang.org/api/iam/v1"
+	iam "google.golang.org/api/iamcredentials/v1"
 
 	"github.com/hashicorp/waypoint/builtin/vault/internal/auth"
 )
@@ -181,13 +181,6 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 		return
 	}
 
-	project := "-"
-	if g.project != "" {
-		project = g.project
-	} else if credentials != nil {
-		project = credentials.ProjectId
-	}
-
 	ttlMin := int64(defaultIamMaxJwtExpMinutes)
 	if g.jwtExp != 0 {
 		ttlMin = g.jwtExp
@@ -215,7 +208,9 @@ func (g *gcpMethod) Authenticate(ctx context.Context, client *api.Client) (retPa
 		return
 	}
 
-	resourceName := fmt.Sprintf("projects/%s/serviceAccounts/%s", project, serviceAccount)
+	// JWTs are signed via the IAM Service Account Credentials API.
+	// See https://cloud.google.com/iam/docs/reference/credentials/rest/v1/projects.serviceAccounts/signJwt
+	resourceName := fmt.Sprintf("projects/-/serviceAccounts/%s", serviceAccount)
 	resp, err := iamClient.Projects.ServiceAccounts.SignJwt(resourceName, jwtReq).Do()
 	if err != nil {
 		retErr = errwrap.Wrapf(fmt.Sprintf("unable to sign JWT for %s using given Vault credentials: {{err}}", resourceName), err)
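Review bot: Dropping the `project` resolution in the `@@ -181,13 +181,6 @@` hunk leaves `g.project` with no remaining reader in this hunk, yet the field presumably still exists on `gcpMethod` and is presumably still populated from the auth method's configuration (neither is visible here); an operator who sets it would now get no effect and no feedback. If the field is indeed dead after this change, remove it and its config parsing in the same commit, or keep it and reject it explicitly, e.g. `if g.project != "" { retErr = errors.New("project is no longer used; the Service Account Credentials API resolves the project from the service account email"); return }`. Otherwise at least add a comment on the field stating that it is accepted for compatibility but ignored. The enclosing `Authenticate` method starts and ends outside this hunk, and whether `credentials` still has a consumer elsewhere in the body cannot be told from here.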
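Review bot: In the `@@ -215,7 +208,9 @@` hunk `fmt.Sprintf` is now used with a single `%s` against a constant prefix, so plain concatenation reads more directly: `resourceName := "projects/-/serviceAccounts/" + serviceAccount`. Since the project component is now always the `-` wildcard, the error message built from `resourceName` no longer identifies a project; that is acceptable because the service account email is globally unique, but the new comment could say so, e.g. `// "-" lets the API resolve the project from the service account email.` The rest of `Authenticate`, including where `serviceAccount` and `jwtReq` are built, lies outside this hunk.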