DOC-2277: Warn that BYOC GCP credential rotation needs Support

[micheleRP]

What

Adds a Service account credential rotation callout to two BYOC GCP pages:

• GCP IAM Policies (cloud-iam-policies-gcp.adoc) — new section at the bottom.
• Create a BYOC Cluster on GCP (create-byoc-cluster-gcp.adoc) — section before "Next steps".

The callout text lives in a single shared partial (security:partial$byoc-gcp-credential-rotation.adoc) included by both pages, so it stays in sync.

Why

Customer incident ZD-6896: a BYOC GCP customer rotated their GCP service account credentials without coordinating with Redpanda Support. The agent lost connectivity, the cluster stuck in "Upgrading," tiered storage was disrupted, and recovery took 8 days of Engineering effort. The docs never warned that credential rotation is not self-service. This PR closes that gap.

Resolves DOC-2277.

Notes

• Uses a [WARNING] admonition for the not-self-service / disruption risk, with the "contact Support" instructions as body text above it.
• The internal CIAINFRA-3907 reference is intentionally omitted from the public docs.

Preview pages

• GCP IAM Policies (updated)
• Create a BYOC Cluster on GCP (updated)

🤖 Generated with Claude Code

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 27bd1d5f-cf90-44c5-97e1-5bf509ec1637

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

📝 Walkthrough

Walkthrough

A new AsciiDoc partial file, byoc-gcp-credential-rotation.adoc, is introduced under modules/security/partials/. It describes the procedure for rotating BYOC GCP service account credentials by contacting Redpanda Support and includes a warning that the rotation is not self-service and can leave the cluster in an unrecoverable state if performed without coordination. This partial is then included in two existing pages: the BYOC GCP cluster creation page (within the "Manage custom resource labels and network tags" section) and the GCP cloud IAM policies page.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• redpanda-data/cloud-docs#400: Introduced or expanded the BYOC GCP custom resource labels and network tags workflow in create-byoc-cluster-gcp.adoc, the same section where the new credential rotation partial is now included.

Suggested reviewers

• kbatuigas
• gavinheavyside
• matteogaraventa

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is concise and accurately summarizes the main change.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Description check	✅ Passed	The PR description covers the change, rationale, linked issue, notes, and preview pages, though it omits the template's review deadline and checklist.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch DOC-2277-gcp-credential-rotation-warning

---

_{Comment @coderabbitai help to get the list of available commands.}

[netlify]

✅ Deploy Preview for rp-cloud ready!

Name	Link
🔨 Latest commit	98d0c76
🔍 Latest deploy log	https://app.netlify.com/projects/rp-cloud/deploys/6a3d6b58216d910008d2fe0f
😎 Deploy Preview	https://deploy-preview-625--rp-cloud.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[matteogaraventa]

I'm not very sure about "unrecoverable"; maybe I would rather say "and can leave the cluster stuck, preventing later reconciliation operations". In the disruption list I might suggest to also add "agent connectivity" and swap "tiered storage" with "tiered storage upload".

Please let me know your thoughts, thanks!

[micheleRP]

Thanks Matteo, good catches. I've updated the warning: dropped "unrecoverable state" in favor of "stuck and unable to complete future operations," added agent connectivity to the disruption list, and changed "tiered storage" to "tiered storage uploads." Pushed in 70a6db7.

[matteogaraventa]

Probably I forgot earlier, but I would also drop "cluster connectivity", all the rest looks great to me!