chore(byoc): add GCP priviledge documentation

[bojand]

Summary

Adds reference documentation for BYOC privilege for GCP.

Checklist

• Delete items not relevant to your PR
• URL changes should add a redirect to the old URL via https://github.com/ClickHouse/clickhouse-docs/blob/main/docusaurus.config.js
• If adding a new integration page, also add an entry to the integrations list here: https://github.com/ClickHouse/clickhouse-docs/blob/main/docs/integrations/index.mdx

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
clickhouse-docs	Ready	Preview, Comment	May 8, 2026 3:18pm

4 Skipped Deployments

Project	Deployment	Actions	Updated (UTC)
clickhouse-docs-jp	Ignored		May 8, 2026 3:18pm
clickhouse-docs-ko	Ignored		May 8, 2026 3:18pm
clickhouse-docs-ru	Ignored		May 8, 2026 3:18pm
clickhouse-docs-zh	Ignored		May 8, 2026 3:18pm

[dhtclk]

Some nits on sentence casing and standardization.

[dhtclk]

Suggested change

	## GCP Service Accounts {#gcp-service-accounts}
	## GCP service accounts {#gcp-service-accounts}

Sentence casing

[dhtclk]

Suggested change

	### Additional Service Accounts created by the controller {#additional-service-accounts-created-by-the-controller}
	### Additional service accounts created by the controller {#additional-service-accounts-created-by-the-controller}

[dhtclk]

Suggested change

	In addition to the `clickhouse-management` service account created via Terraform as part of onboarding; when you provision your first BYOC service, ClickHouse’s control plane (authenticating as `clickhouse-management`) creates additional service accounts in your project for specific in-cluster workloads. Each of these is created with a narrow, single-purpose permission set.
	In addition to the `clickhouse-management` service account created via Terraform as part of onboarding. When you provision your first BYOC service, ClickHouse’s control plane (authenticating as `clickhouse-management`) creates additional service accounts in your project for specific in-cluster workloads. Each of these is created with a narrow, single-purpose permission set.

Small nit, but semicolon is not proper grammar here.

[dhtclk]

Suggested change

	The bootstrap Service Account is granted project-scoped custom roles with the following permissions:
	The bootstrap service account is granted project-scoped custom roles with the following permissions:

[dhtclk]

Suggested change

	- **GKE Node Runtime Identity**
	- Attached to every GKE node virtual machine in your BYOC cluster.
	- Used by kubelet, node-local agents, and the Cloud Operations collectors to emit logs and metrics, and by the image pulling subsystem to download container images.
	- **Billing scraper identity**
	- Used by standalone scraper workload to collect billing telemetry.
	- **Monitoring Identity**
	- Target identity for the monitoring stack running in your cluster. Used to read/write long-term metric storage in a GCS bucket dedicated to this deployment.
	- **ClickHouse runtime management identity**
	- **GKE node runtime identity**
	- Attached to every GKE node virtual machine in your BYOC cluster.
	- Used by kubelet, node-local agents, and the Cloud Operations collectors to emit logs and metrics, and by the image pulling subsystem to download container images.
	- **Billing scraper identity**
	- Used by standalone scraper workload to collect billing telemetry.
	- **Monitoring identity**
	- Target identity for the monitoring stack running in your cluster. Used to read/write long-term metric storage in a GCS bucket dedicated to this deployment.
	- **ClickHouse runtime management identity**

Use consistent sentence casing here.