From 2ad6fab61ba5fb16b7e05fcf609130b0c554e318 Mon Sep 17 00:00:00 2001
From: Michael Ernest
Date: Tue, 17 Mar 2026 12:39:52 -0700
Subject: [PATCH 1/4] fix(DOC-2058): clarify GCP IAM permissions are for agent, not Terraform bootstrap
Co-Authored-By: Claude Sonnet 4.6
---
 modules/security/partials/iam-policies.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/security/partials/iam-policies.adoc b/modules/security/partials/iam-policies.adoc
index fafb8f8e1..3f2f4c92c 100644
--- a/modules/security/partials/iam-policies.adoc
+++ b/modules/security/partials/iam-policies.adoc
@@ -529,7 +529,7 @@ When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant IAM
 [NOTE]
 ====
-* This page lists the IAM permissions Redpanda requires to create xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC clusters]. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
+* This page lists the IAM permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. These are not the permissions your GCP account needs to run the initial Terraform bootstrap. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
 * No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.
 ====
From 05f8e9ce9e191b0f702b807bcdf78f857cfb3e11 Mon Sep 17 00:00:00 2001
From: Michael Ernest
Date: Mon, 23 Mar 2026 20:29:11 -0700
Subject: [PATCH 2/4] style(DOC-2058): use active voice in GCP IAM bootstrap note
Co-Authored-By: Claude Sonnet 4.6
---
 local-antora-playbook.yml | 72 ---------------------
 modules/security/partials/iam-policies.adoc | 2 +-
 2 files changed, 1 insertion(+), 73 deletions(-)
 delete mode 100644 local-antora-playbook.yml
diff --git a/local-antora-playbook.yml b/local-antora-playbook.yml
deleted file mode 100644
index d8d478c82..000000000
--- a/local-antora-playbook.yml
+++ /dev/null
@@ -1,72 +0,0 @@
-site:
- title: Redpanda Docs
- start_page: redpanda-cloud:get-started:cloud-overview.adoc
- url: http://localhost:5002
- robots: disallow
- keys:
- preview: true
-urls:
- html_extension_style: indexify
- latest_version_segment: 'current'
-output:
- clean: true
-content:
- sources:
- - url: .
- branches: HEAD
- - url: https://github.com/redpanda-data/documentation
- branches: [main, v/*, shared, site-search]
- - url: https://github.com/redpanda-data/docs-site
- branches: [main]
- start_paths: [home]
- - url: https://github.com/redpanda-data/redpanda-labs
- branches: main
- start_paths: [docs,'*/docs']
- - url: https://github.com/redpanda-data/rp-connect-docs
- branches: main
-ui:
- bundle:
- url: https://github.com/redpanda-data/docs-ui/releases/latest/download/ui-bundle.zip
- snapshot: true
-asciidoc:
- attributes:
- extensions:
- - '@asciidoctor/tabs'
- - '@redpanda-data/docs-extensions-and-macros/macros/rp-connect-components'
- - '@redpanda-data/docs-extensions-and-macros/macros/glossary'
- - '@redpanda-data/docs-extensions-and-macros/macros/config-ref'
- - '@redpanda-data/docs-extensions-and-macros/macros/badge'
- - '@redpanda-data/docs-extensions-and-macros/macros/helm-ref'
- - '@redpanda-data/docs-extensions-and-macros/asciidoc-extensions/add-line-numbers-highlights'
-antora:
- extensions:
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/generate-rp-connect-info'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/unpublish-pages'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/collect-bloblang-samples'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/generate-rp-connect-categories'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/modify-redirects'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/unlisted-pages'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/add-global-attributes'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/version-fetcher/set-latest-version'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/replace-attributes-in-attachments'
- data:
- replacements:
- - components:
- - 'ROOT'
- - 'redpanda-labs'
- file_patterns:
- - '**/docker-compose.yaml'
- - '**/docker-compose.yml'
- - require: '@sntke/antora-mermaid-extension'
- mermaid_library_url: https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.esm.min.mjs
- script_stem: mermaid-scripts
- mermaid_initialize_options:
- start_on_load: true
- theme: base
- theme_variables:
- line_color: '#e2401b'
- font_family: Inter, sans-serif
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/validate-attributes'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/find-related-docs'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/find-related-labs'
- - require: '@redpanda-data/docs-extensions-and-macros/extensions/aggregate-terms'
diff --git a/modules/security/partials/iam-policies.adoc b/modules/security/partials/iam-policies.adoc
index 3f2f4c92c..b643f57f8 100644
--- a/modules/security/partials/iam-policies.adoc
+++ b/modules/security/partials/iam-policies.adoc
@@ -529,7 +529,7 @@ When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant IAM
 [NOTE]
 ====
-* This page lists the IAM permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. These are not the permissions your GCP account needs to run the initial Terraform bootstrap. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
+* This page lists the IAM permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. Your GCP account does not need these permissions for the initial Terraform bootstrap. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
 * No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.
 ====
From e7472ee21e4ce85d91f0caa44a259b1f557396ca Mon Sep 17 00:00:00 2001
From: micheleRP
Date: Thu, 26 Mar 2026 17:41:01 -0600
Subject: [PATCH 3/4] doc-2058 iam bootstrap-misleading
---
 local-antora-playbook.yml | 72 +++++++++++++++++++
 .../byoc/gcp/create-byoc-cluster-gcp.adoc | 14 +++-
 2 files changed, 85 insertions(+), 1 deletion(-)
 create mode 100644 local-antora-playbook.yml
diff --git a/local-antora-playbook.yml b/local-antora-playbook.yml
new file mode 100644
index 000000000..d8d478c82
--- /dev/null
+++ b/local-antora-playbook.yml
@@ -0,0 +1,72 @@
+site:
+ title: Redpanda Docs
+ start_page: redpanda-cloud:get-started:cloud-overview.adoc
+ url: http://localhost:5002
+ robots: disallow
+ keys:
+ preview: true
+urls:
+ html_extension_style: indexify
+ latest_version_segment: 'current'
+output:
+ clean: true
+content:
+ sources:
+ - url: .
+ branches: HEAD
+ - url: https://github.com/redpanda-data/documentation
+ branches: [main, v/*, shared, site-search]
+ - url: https://github.com/redpanda-data/docs-site
+ branches: [main]
+ start_paths: [home]
+ - url: https://github.com/redpanda-data/redpanda-labs
+ branches: main
+ start_paths: [docs,'*/docs']
+ - url: https://github.com/redpanda-data/rp-connect-docs
+ branches: main
+ui:
+ bundle:
+ url: https://github.com/redpanda-data/docs-ui/releases/latest/download/ui-bundle.zip
+ snapshot: true
+asciidoc:
+ attributes:
+ extensions:
+ - '@asciidoctor/tabs'
+ - '@redpanda-data/docs-extensions-and-macros/macros/rp-connect-components'
+ - '@redpanda-data/docs-extensions-and-macros/macros/glossary'
+ - '@redpanda-data/docs-extensions-and-macros/macros/config-ref'
+ - '@redpanda-data/docs-extensions-and-macros/macros/badge'
+ - '@redpanda-data/docs-extensions-and-macros/macros/helm-ref'
+ - '@redpanda-data/docs-extensions-and-macros/asciidoc-extensions/add-line-numbers-highlights'
+antora:
+ extensions:
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/generate-rp-connect-info'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/unpublish-pages'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/collect-bloblang-samples'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/generate-rp-connect-categories'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/modify-redirects'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/unlisted-pages'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/add-global-attributes'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/version-fetcher/set-latest-version'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/replace-attributes-in-attachments'
+ data:
+ replacements:
+ - components:
+ - 'ROOT'
+ - 'redpanda-labs'
+ file_patterns:
+ - '**/docker-compose.yaml'
+ - '**/docker-compose.yml'
+ - require: '@sntke/antora-mermaid-extension'
+ mermaid_library_url: https://cdn.jsdelivr.net/npm/mermaid@10/dist/mermaid.esm.min.mjs
+ script_stem: mermaid-scripts
+ mermaid_initialize_options:
+ start_on_load: true
+ theme: base
+ theme_variables:
+ line_color: '#e2401b'
+ font_family: Inter, sans-serif
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/validate-attributes'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/find-related-docs'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/find-related-labs'
+ - require: '@redpanda-data/docs-extensions-and-macros/extensions/aggregate-terms'
diff --git a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
index cf86bf6b5..989709ac7 100644
--- a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
+++ b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
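Review bot: The `url` under `ui.bundle` resolves `releases/latest/download/ui-bundle.zip` at build time together with `snapshot: true`, so every local preview build pulls whichever docs-ui release is newest and a changed bundle never shows up as a reviewable diff; pinning the URL to a specific release tag keeps the build reproducible and makes a bundle update a deliberate change. This file is also re-created with the same blob (`d8d478c82`) that PATCH 2/4 of this series deleted, so the delete/re-add pair looks accidental and both commits could simply leave the file alone. A minor style point: the flow sequence `start_paths: [docs,'*/docs']` lacks the space after the comma that the other flow sequences in the file have, so `start_paths: [docs, '*/docs']`. The file's original indentation is not recoverable from the collapsed hunk, so nesting is not judged here.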
@@ -10,6 +10,18 @@ If your clients need to connect from different GCP regions than where your clust
 == Prerequisites
+Before you deploy a BYOC cluster on GCP, check that the user creating the cluster has the following prerequisites:
+
+* A minimum version of Redpanda `rpk` v24.1. See xref:manage:rpk/rpk-install.adoc[].
+* The GCP user or service account running the bootstrap has the `roles/editor` role (or higher, such as `roles/owner`) on the target GCP project. This grants the permissions needed to create VPC networks, GKE clusters, service accounts, and other infrastructure during the initial bootstrap. These bootstrap permissions are separate from the xref:security:authorization/cloud-iam-policies-gcp.adoc[agent permissions] that Redpanda assigns after bootstrap.
+* The user has the https://cloud.google.com/sdk/docs/install[Google Cloud CLI^] installed and authenticated, with the target project selected. To verify, run:
++
+[,bash]
+----
+gcloud auth list
+gcloud config get-value project
+----
+
 include::partial$gpq-quotas.adoc[]
 == Create a BYOC cluster
@@ -36,7 +48,7 @@ NOTE: After the cluster is created, you can change the API Gateway access on the
 . Click *Next*.
 . On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.
 +
-Note that `rpk` configures the permissions required by the agent to provision and actively maintain the cluster. For details about these permissions, see xref:security:authorization/cloud-iam-policies-gcp.adoc[GCP IAM permissions].
+As part of agent deployment, Redpanda assigns the permissions required to run the agent. For details about these permissions, see xref:security:authorization/cloud-iam-policies-gcp.adoc[GCP IAM permissions].
 include::get-started:partial$no-access.adoc[]
From 8a1155da5053be19554442b72420b811cd61ac26 Mon Sep 17 00:00:00 2001
From: micheleRP
Date: Thu, 26 Mar 2026 17:54:50 -0600
Subject: [PATCH 4/4] style edits
---
 .../pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
index 989709ac7..321a28196 100644
--- a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
+++ b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc
@@ -10,10 +10,10 @@ If your clients need to connect from different GCP regions than where your clust
 == Prerequisites
-Before you deploy a BYOC cluster on GCP, check that the user creating the cluster has the following prerequisites:
+Before you deploy a BYOC cluster on GCP, verify the following prerequisites:
 * A minimum version of Redpanda `rpk` v24.1. See xref:manage:rpk/rpk-install.adoc[].
-* The GCP user or service account running the bootstrap has the `roles/editor` role (or higher, such as `roles/owner`) on the target GCP project. This grants the permissions needed to create VPC networks, GKE clusters, service accounts, and other infrastructure during the initial bootstrap. These bootstrap permissions are separate from the xref:security:authorization/cloud-iam-policies-gcp.adoc[agent permissions] that Redpanda assigns after bootstrap.
+* Assign the `roles/editor` role (or higher, such as `roles/owner`) to the GCP user or service account that runs the bootstrap on the target GCP project. This grants the permissions needed to create VPC networks, GKE clusters, service accounts, and other infrastructure during the initial bootstrap. These bootstrap permissions are separate from the xref:security:authorization/cloud-iam-policies-gcp.adoc[agent permissions] that Redpanda assigns after bootstrap.
 * The user has the https://cloud.google.com/sdk/docs/install[Google Cloud CLI^] installed and authenticated, with the target project selected. To verify, run:
 +
 [,bash]