This topic guides you through setting up a new Assured Workloads environment in Google Cloud Console for IL4 (Preview) and CJIS compliance regimes. For more information about Assured Workloads, see the Assured Workloads overview.
Before you begin
Before you can perform the procedure described in this guide, ensure that you have created a folder for Assured Workloads environments and received a confirmation email.
Assign Identity and Access Management permissions
Grant the Assured Workloads Administrator Identity and Access Management (IAM) role, which contains the minimum IAM permissions needed to create and access Assured Workloads environments.
To grant the role, run the following command:

    gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
        --member="MEMBER" \
        --role="roles/assuredworkloads.admin"
Replace the following:
- ORGANIZATION_ID: your organization identifier
- MEMBER: the email address of the user you want to grant the role to, in the format
roles/assuredworkloads.admin role enables the creation of workload
To learn more about how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.
For more information about the IAM roles related to Assured Workloads, see IAM roles.
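Because roles/assuredworkloads.admin is granted at the organization level, it is worth periodically checking who holds it. The following added example (not part of the original page or of Google's tooling) parses the JSON returned by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, lists the principals bound to the role, and flags public principals and any member outside an allowlist; the policy document and identities in it are constructed sample data.

```python
import json

# The role this page grants; treat its membership like any other privileged
# organization-level binding and review it regularly.
ASSURED_WORKLOADS_ADMIN = "roles/assuredworkloads.admin"

# Principals that must never hold an administrative role.
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}


def audit_admin_bindings(policy_json: str, allowed_members: set) -> dict:
    """Report who holds roles/assuredworkloads.admin in an org IAM policy.

    policy_json is the output of
    `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
    Returns the full holder list, any public principals, and any member
    that is not in allowed_members.
    """
    policy = json.loads(policy_json)
    holders = []
    for binding in policy.get("bindings", []):
        if binding.get("role") != ASSURED_WORKLOADS_ADMIN:
            continue
        # Conditional bindings still count as holders; the condition is not
        # evaluated here, so review them by hand.
        holders.extend(binding.get("members", []))
    public = sorted(m for m in holders if m in PUBLIC_PRINCIPALS)
    unexpected = sorted(
        m for m in holders if m not in allowed_members and m not in PUBLIC_PRINCIPALS
    )
    return {"holders": sorted(holders), "public": public, "unexpected": unexpected}


# Constructed sample policy (hypothetical identities) in the shape gcloud returns.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": ["group:auditors@example.com"]},
        {"role": "roles/assuredworkloads.admin",
         "members": ["user:aw-admin@example.com",
                     "user:someone-else@example.com",
                     "allAuthenticatedUsers"]},
    ],
    "etag": "BwXyZ0000000=",
    "version": 1,
})

if __name__ == "__main__":
    report = audit_admin_bindings(SAMPLE_POLICY, {"user:aw-admin@example.com"})
    print(json.dumps(report, indent=2))
```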
Access Transparency configuration
Access Transparency is required for certain platform controls. To use these controls, enable Access Transparency. See the Access Transparency documentation to learn more.
Create a new project in a workload environment
To create a new workload environment, do the following:
Go to Assured Workloads.
In the Project Selector, choose your organization.
At the top of the Assured Workloads page, click New Workload Environment.
In the Location and personnel controls section, select the appropriate controls. Note which Google Cloud services are available, based on your selections.
In the Environment name field on the New Assured Workloads environment page, type a name for the workload environment—for example,
Tip: When you name your Assured Workloads projects, keep the following in mind:
- Include a prefix in the name (such as aw-) to make Assured Workloads projects easy to find in the project selector.
- Do not include sensitive data or personally identifiable information (PII) in the project name.
(Optional) In the Project ID field, specify the unique identifier for the project that will contain your workload environment.
- Do not include sensitive data or PII in the project ID.
- This field is no longer available in the Beta API, as the process for creating an Assured Workload now creates a folder rather than a project.
In the Billing account box, select the billing account associated with your Google Cloud organization.
In the Project location box, select the registered Assured Workloads environment folder for the environment projects.
Tip: By default, this location is the current organization. Environments can only be created in a registered Assured Workloads folder.
(Optional) In the External identifier box, enter a searchable unique identifier for the workload environment.
In the Select a region section, select the data residency location for the new workload environment.
If the selected personnel control includes Encryption, enter the Key ring name to use.
Optionally, if you want to use customer-managed encryption keys (CMEK), in the CMEK project ID field specify the unique identifier for the project that will contain your key ring.
- Do not include sensitive data or PII in the CMEK project ID.
Review the configuration you specified.
Click Create when you're done.
Assured Workloads creates the following resources:
- An Assured Workloads resource project with the name of the project supplied, which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
- Organization policies that enforce the resource location constraint and support case routing.
- For IL4 (Preview) and CJIS configurations, Assured Workloads can create a CMEK project with the name you specified, prepended with cmek-. For example, cmek-aw-example. This project contains the configured CMEK key ring.
If you use CMEK, see Create and obtain a CMEK key to learn more.
- Learn how to obtain your key when you deploy any of the supported Google Cloud products in your workload environment.
- Learn how to delete a workload environment.