Commit 982e426

mfernestclaudemicheleRP
authored
fix(DOC-2058): clarify GCP IAM permissions are for agent, not Terraform bootstrap (#531)
* fix(DOC-2058): clarify GCP IAM permissions are for agent, not Terraform bootstrap

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* style(DOC-2058): use active voice in GCP IAM bootstrap note

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* doc-2058 iam bootstrap-misleading

* style edits

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: micheleRP <michele@redpanda.com>
1 parent 9d58ab1 commit 982e426

File tree

2 files changed

+14
-2
lines changed
modules/get-started/pages/cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc

Lines changed: 13 additions & 1 deletion
@@ -10,6 +10,18 @@ If your clients need to connect from different GCP regions than where your clust
1010

1111
== Prerequisites
1212

13+
Before you deploy a BYOC cluster on GCP, verify the following prerequisites:
14+
15+
* A minimum version of Redpanda `rpk` v24.1. See xref:manage:rpk/rpk-install.adoc[].
16+
* Assign the `roles/editor` role (or higher, such as `roles/owner`) to the GCP user or service account that runs the bootstrap on the target GCP project. This grants the permissions needed to create VPC networks, GKE clusters, service accounts, and other infrastructure during the initial bootstrap. These bootstrap permissions are separate from the xref:security:authorization/cloud-iam-policies-gcp.adoc[agent permissions] that Redpanda assigns after bootstrap.
17+
* The user has the https://cloud.google.com/sdk/docs/install[Google Cloud CLI^] installed and authenticated, with the target project selected. To verify, run:
18+
+
19+
[,bash]
20+
----
21+
gcloud auth list
22+
gcloud config get-value project
23+
----
24+
1325
include::partial$gpq-quotas.adoc[]
1426

1527
== Create a BYOC cluster
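Review bot: The `roles/editor` bullet in this hunk tells the reader to grant a project-wide primitive role "or higher, such as `roles/owner`", but the same sentence says the grant is only for the initial bootstrap; state that the role goes on the principal that runs the bootstrap and can be removed once the agent is deployed, and drop the `roles/owner` suggestion unless the bootstrap actually needs something `roles/editor` lacks. The two prerequisite bullets also switch voice ("Assign the `roles/editor` role ..." versus "The user has the ... CLI installed"); the commit message asks for active voice, so "Install and authenticate the Google Cloud CLI and select the target project" would match the first bullet. The `gcloud auth list` / `gcloud config get-value project` check is a useful addition, but the text never says what the reader should confirm in the output (the active account is the one holding `roles/editor`, and the printed project is the target project).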
@@ -36,7 +48,7 @@ NOTE: After the cluster is created, you can change the API Gateway access on the
3648
. Click *Next*.
3749
. On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent.
3850
+
39-
Note that `rpk` configures the permissions required by the agent to provision and actively maintain the cluster. For details about these permissions, see xref:security:authorization/cloud-iam-policies-gcp.adoc[GCP IAM permissions].
51+
As part of agent deployment, Redpanda assigns the permissions required to run the agent. For details about these permissions, see xref:security:authorization/cloud-iam-policies-gcp.adoc[GCP IAM permissions].
4052

4153
include::get-started:partial$no-access.adoc[]
4254

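Review bot: The replacement sentence "As part of agent deployment, Redpanda assigns the permissions required to run the agent" drops the actor the old text named (`rpk`), and it now disagrees with the context line of the `iam-policies.adoc` hunk in this same commit, which reads "When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant IAM". Since the whole point of the change is to separate bootstrap permissions from agent permissions, say who performs the grant and under which credentials, for example "When you run `rpk cloud byoc gcp apply`, it grants the agent service account the permissions required to run the agent", so readers do not take "Redpanda assigns" to mean something happens outside their own bootstrap credentials.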
modules/security/partials/iam-policies.adoc

Lines changed: 1 addition & 1 deletion
@@ -529,7 +529,7 @@ When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant IAM
529529

530530
[NOTE]
531531
====
532-
* This page lists the IAM permissions Redpanda requires to create xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC clusters]. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
532+
* This page lists the IAM permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. Your GCP account does not need these permissions for the initial Terraform bootstrap. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters].
533533
* No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters.
534534
====
535535

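Review bot: The added sentence "Your GCP account does not need these permissions for the initial Terraform bootstrap" introduces the term "Terraform" here for the first time; the create-cluster page changed in the same commit only ever calls it "the bootstrap" and the `rpk cloud byoc gcp apply` command, so either name Terraform there as well or drop it here. The sentence can also be read as "your account needs no permissions for bootstrap", which contradicts the new `roles/editor` prerequisite; add a cross-reference to that prerequisites section (the `create-byoc-cluster-gcp.adoc` xref is already in the bullet) so the reader sees both permission sets side by side.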