OpenShift Request For Enhancement: RFE-4893

Document the process for rotating service accounts on GCP environments

    • Type: Feature Request
    • Resolution: Unresolved
    • Priority: Major
    • Documentation

      1. Proposed title of this feature request

      • Document the process for rotating service accounts on GCP environments

      2. What is the nature and description of the request?

      • As part of the RHOCP 4 deployment [0] on GCP, two service accounts are manually created [1] and linked to the VMs of the control plane (i.e. `MASTER_SERVICE_ACCOUNT`) and of the compute nodes (i.e. `WORKER_SERVICE_ACCOUNT`).
      • We need a supported, documented process for rotating those credentials as an on-demand, day-2 operation.

      3. Why does the customer need this? (List the business requirements here)

      • For security compliance reasons, customers will need to rotate said service accounts on demand, either to satisfy a rotation-policy requirement or in the event of a potential compromise of those credentials.

      4. List any affected packages or components.

      • GCP Cloud Provider

      [0] https://docs.openshift.com/container-platform/4.12/installing/installing_gcp/installing-gcp-user-infra-vpc.html#installation-creating-gcp-iam-shared-vpc_installing-gcp-user-infra-vpc

      [1]

      $ gcloud deployment-manager deployments create ${INFRA_ID}-iam --config 03_iam.yaml
      $ export MASTER_SERVICE_ACCOUNT=(`gcloud iam service-accounts list --filter "email~^${INFRA_ID}-m@${PROJECT_NAME}." --format json | jq -r '.[0].email'`)
      $ export WORKER_SERVICE_ACCOUNT=(`gcloud iam service-accounts list --filter "email~^${INFRA_ID}-w@${PROJECT_NAME}." --format json | jq -r '.[0].email'`)
      

      Ju Lim (julim), Robert Sandu (rhn-support-rsandu)