diff --git a/authority/provisioner/aws.go b/authority/provisioner/aws.go
index 4a017069..a6984864 100644
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@@ -258,7 +258,7 @@ func (p *AWS) AuthorizeSign(token string) ([]SignOption, error) {
 	doc := payload.document
 
 	// Enforce default DNS and IP if configured.
-	// By default we we'll accept the SANs in the CSR.
+	// By default we'll accept the SANs in the CSR.
 	// There's no way to trust them other than TOFU.
 	var so []SignOption
 	if p.DisableCustomSANs {
diff --git a/authority/provisioner/azure.go b/authority/provisioner/azure.go
index 9080bcc2..725d0b19 100644
--- a/authority/provisioner/azure.go
+++ b/authority/provisioner/azure.go
@@ -135,8 +135,8 @@ func (p *Azure) GetEncryptedKey() (kid string, key string, ok bool) {
 	return "", "", false
 }
 
-// GetIdentityToken retrieves the identity document and it's signature and
-// generates a token with them.
+// GetIdentityToken retrieves from the metadata service the identity token and
+// returns it.
 func (p *Azure) GetIdentityToken() (string, error) {
 	// Initialize the config if this method is used from the cli.
 	p.assertConfig()
@@ -261,7 +261,7 @@ func (p *Azure) AuthorizeSign(token string) ([]SignOption, error) {
 	}
 
 	// Enforce default DNS if configured.
-	// By default we we'll accept the SANs in the CSR.
+	// By default we'll accept the SANs in the CSR.
 	// There's no way to trust them other than TOFU.
 	var so []SignOption
 	if p.DisableCustomSANs {
diff --git a/authority/provisioner/gcp.go b/authority/provisioner/gcp.go
index 1d67c567..bc221cbd 100644
--- a/authority/provisioner/gcp.go
+++ b/authority/provisioner/gcp.go
@@ -16,7 +16,7 @@ import (
 	"github.com/smallstep/cli/jose"
 )
 
-// gcpCertsURL is the url that servers Google OAuth2 public keys.
+// gcpCertsURL is the url that serves Google OAuth2 public keys.
 const gcpCertsURL = "https://www.googleapis.com/oauth2/v3/certs"
 
 // gcpIdentityURL is the base url for the identity document in GCP.