From cd999ecc92a22d2d9c8ef86aa539ae109bc04265 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Wed, 24 Jun 2026 10:09:45 -0600 Subject: [PATCH 1/5] DOC-2277: Warn that BYOC GCP credential rotation needs Support Add a "Service account credential rotation" callout to the GCP IAM Policies and Create a BYOC Cluster on GCP pages, explaining that GCP service account credential rotation is not self-service and must be coordinated with Redpanda Support. The callout lives in a shared partial included by both pages. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc | 2 ++ .../pages/authorization/cloud-iam-policies-gcp.adoc | 4 +++- .../security/partials/byoc-gcp-credential-rotation.adoc | 8 ++++++++ 3 files changed, 13 insertions(+), 1 deletion(-) create mode 100644 modules/security/partials/byoc-gcp-credential-rotation.adoc diff --git a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc index cf7f425f3..714059575 100644 --- a/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc +++ b/modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc @@ -56,6 +56,8 @@ include::get-started:partial$no-access.adoc[] include::get-started:partial$custom-tags-gcp.adoc[] +include::security:partial$byoc-gcp-credential-rotation.adoc[] + == Next steps xref:networking:byoc/gcp/index.adoc[Configure private networking] diff --git a/modules/security/pages/authorization/cloud-iam-policies-gcp.adoc b/modules/security/pages/authorization/cloud-iam-policies-gcp.adoc index 21f70609b..58a930418 100644 --- a/modules/security/pages/authorization/cloud-iam-policies-gcp.adoc +++ b/modules/security/pages/authorization/cloud-iam-policies-gcp.adoc @@ -4,4 +4,6 @@ :page-aliases: deploy:deployment-option/cloud/security/authorization/cloud-iam-policies-gcp.adoc :env-gcp: true -include::security:partial$iam-policies.adoc[] \ No newline at end of file +include::security:partial$iam-policies.adoc[] + +include::security:partial$byoc-gcp-credential-rotation.adoc[] \ No newline at end of file diff --git a/modules/security/partials/byoc-gcp-credential-rotation.adoc b/modules/security/partials/byoc-gcp-credential-rotation.adoc new file mode 100644 index 000000000..a6950e9f5 --- /dev/null +++ b/modules/security/partials/byoc-gcp-credential-rotation.adoc @@ -0,0 +1,8 @@ +== Service account credential rotation + +To rotate service account credentials for your BYOC cluster, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^] with your cluster ID, the service accounts that need rotation, and your target timeline. + +[WARNING] +==== +GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt cluster connectivity, monitoring, and tiered storage, and can leave the cluster in an unrecoverable state. +==== From 70a6db7fc23a19baa15725fbb141509574f4793c Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 25 Jun 2026 11:42:24 -0600 Subject: [PATCH 2/5] DOC-2277: Refine GCP credential rotation warning per SME review Address review feedback on the disruption warning: add agent connectivity, specify tiered storage uploads, and replace "unrecoverable state" with cluster stuck and unable to complete future operations. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/security/partials/byoc-gcp-credential-rotation.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/partials/byoc-gcp-credential-rotation.adoc b/modules/security/partials/byoc-gcp-credential-rotation.adoc index a6950e9f5..89159d5d1 100644 --- a/modules/security/partials/byoc-gcp-credential-rotation.adoc +++ b/modules/security/partials/byoc-gcp-credential-rotation.adoc @@ -4,5 +4,5 @@ To rotate service account credentials for your BYOC cluster, contact https://sup [WARNING] ==== -GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt cluster connectivity, monitoring, and tiered storage, and can leave the cluster in an unrecoverable state. +GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt agent connectivity, cluster connectivity, monitoring, and tiered storage uploads, and can leave the cluster stuck and unable to complete future operations. ==== From 98d0c7698fd4e170356bb57dd6419bddbf79d102 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Thu, 25 Jun 2026 11:54:29 -0600 Subject: [PATCH 3/5] Apply suggestion from @micheleRP --- modules/security/partials/byoc-gcp-credential-rotation.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/partials/byoc-gcp-credential-rotation.adoc b/modules/security/partials/byoc-gcp-credential-rotation.adoc index 89159d5d1..c72de5b2a 100644 --- a/modules/security/partials/byoc-gcp-credential-rotation.adoc +++ b/modules/security/partials/byoc-gcp-credential-rotation.adoc @@ -4,5 +4,5 @@ To rotate service account credentials for your BYOC cluster, contact https://sup [WARNING] ==== -GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt agent connectivity, cluster connectivity, monitoring, and tiered storage uploads, and can leave the cluster stuck and unable to complete future operations. +GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt agent connectivity, monitoring, and tiered storage uploads, and can leave the cluster stuck and unable to complete future operations. ==== From 77e90119828c6903b1fb0081d8f91dba3dfd64b5 Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Fri, 26 Jun 2026 08:35:01 -0600 Subject: [PATCH 4/5] Update modules/security/partials/byoc-gcp-credential-rotation.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/security/partials/byoc-gcp-credential-rotation.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/partials/byoc-gcp-credential-rotation.adoc b/modules/security/partials/byoc-gcp-credential-rotation.adoc index c72de5b2a..0855521d7 100644 --- a/modules/security/partials/byoc-gcp-credential-rotation.adoc +++ b/modules/security/partials/byoc-gcp-credential-rotation.adoc @@ -1,6 +1,6 @@ == Service account credential rotation -To rotate service account credentials for your BYOC cluster, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^] with your cluster ID, the service accounts that need rotation, and your target timeline. +To rotate service account credentials for your BYOC cluster, contact https://support.redpanda.com/hc/en-us/requests/new[Redpanda Support^] with your cluster ID, the service accounts that require rotation, and your target timeline. [WARNING] ==== From ab93ff7bf210e38c5d6d597c1e034e2c23b38cac Mon Sep 17 00:00:00 2001 From: Michele Cyran Date: Fri, 26 Jun 2026 08:36:21 -0600 Subject: [PATCH 5/5] Update modules/security/partials/byoc-gcp-credential-rotation.adoc Co-authored-by: Joyce Fee <102751339+Feediver1@users.noreply.github.com> --- modules/security/partials/byoc-gcp-credential-rotation.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/security/partials/byoc-gcp-credential-rotation.adoc b/modules/security/partials/byoc-gcp-credential-rotation.adoc index 0855521d7..1f9d52998 100644 --- a/modules/security/partials/byoc-gcp-credential-rotation.adoc +++ b/modules/security/partials/byoc-gcp-credential-rotation.adoc @@ -4,5 +4,5 @@ To rotate service account credentials for your BYOC cluster, contact https://sup [WARNING] ==== -GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt agent connectivity, monitoring, and tiered storage uploads, and can leave the cluster stuck and unable to complete future operations. +GCP service account credential rotation for BYOC clusters is not self-service. Rotating these credentials without coordinating with Redpanda can disrupt agent connectivity, monitoring, and Tiered Storage uploads, and can leave the cluster stuck and unable to complete future operations. ====