diff --git a/mmv1/third_party/terraform/website/docs/guides/using_gke_with_terraform.html.markdown b/mmv1/third_party/terraform/website/docs/guides/using_gke_with_terraform.html.markdown
index b165da73b6af..da5c7b3cd87a 100644
--- a/mmv1/third_party/terraform/website/docs/guides/using_gke_with_terraform.html.markdown
+++ b/mmv1/third_party/terraform/website/docs/guides/using_gke_with_terraform.html.markdown
@@ -59,6 +59,29 @@ provider "kubernetes" {
 )
 }
 ```
+Although the above can result in authentication errors, over time, as the token recorded in the google_client_cofig data resource is short lived (thus it expires) and it's stored in state. Fortunately, the [kubernetes provider can accept valid credentials from an exec-based plugin](https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#exec-plugins) to fetch a new token before each Terraform operation (so long as you have the [gke-cloud-auth-plugin for kubectl installed](https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke)), like so:
+
+```hcl
+# Retrieve an access token as the Terraform runner
+data "google_client_config" "provider" {}
+
+data "google_container_cluster" "my_cluster" {
+ name = "my-cluster"
+ location = "us-central1"
+}
+
+provider "kubernetes" {
+ host = "https://${data.google_container_cluster.my_cluster.endpoint}"
+ token = data.google_client_config.provider.access_token
+ cluster_ca_certificate = base64decode(
+ data.google_container_cluster.my_cluster.master_auth[0].cluster_ca_certificate,
+ )
+ exec {
+ api_version = "client.authentication.k8s.io/v1beta1"
+ command = "gke-gcloud-auth-plugin"
+ }
+}
+```
 Alternatively, you can authenticate as another service account on which your Terraform user has been granted the `roles/iam.serviceAccountTokenCreator`