From 2ad6fab61ba5fb16b7e05fcf609130b0c554e318 Mon Sep 17 00:00:00 2001
From: Michael Ernest <michael.ernest@gmail.com>
Date: Tue, 17 Mar 2026 12:39:52 -0700
Subject: [PATCH] fix(DOC-2058): clarify GCP IAM permissions are for agent, not
 Terraform bootstrap

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 modules/security/partials/iam-policies.adoc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/security/partials/iam-policies.adoc b/modules/security/partials/iam-policies.adoc
index fafb8f8e1..3f2f4c92c 100644
--- a/modules/security/partials/iam-policies.adoc
+++ b/modules/security/partials/iam-policies.adoc
@@ -529,7 +529,7 @@ When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant IAM
 
 [NOTE]
 ====
-* This page lists the IAM permissions Redpanda requires to create xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC clusters]. This does _not_ pertain to permissions for  xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters]. 
+* This page lists the IAM permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. These are not the permissions your GCP account needs to run the initial Terraform bootstrap. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
 * No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. 
 ====