Create a new project in a workload environment (IL4, CJIS)

This topic guides you through setting up a new Assured Workloads environment in Google Cloud Console for IL4 (Preview) and CJIS compliance regimes. For more information about Assured Workloads, see the Assured Workloads overview.

Before you begin

Before you can perform the procedure described in this guide, ensure you created a folder for Assured Workloads environments and received a confirmation email.

Assign Identity and Access Management permissions

Assign the Assured Workloads Administrator Identity and Access Management (IAM) role, which contains the minimum IAM permission levels to create and access Assured Workloads environments.

To grant the role, run the following gcloud command:

  gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="MEMBER" \

Replace the following:

  • ORGANIZATION_ID: your organization identifier
  • MEMBER: the email address of the user you want to grant the role to, in the format

The roles/assuredworkloads.admin role enables the creation of workload environments.

To learn how more about to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.

For more information about the IAM roles related to Assured Workloads, see IAM roles.

Access Transparency configuration

Access Transparency is required for certain platform controls. To use these controls, enable Access Transparency. See Access Transparency documentation to learn more.

Create a new project in a workload environment

To create a new workload environment, do the following:

  1. Go to Assured Workloads.

    Go to Assured Workloads

  2. In the Project Selector, choose your organization.

  3. At the top of the Assured Workloads page, click New Workload Environment.

  4. In the Location and personnel controls section, select the appropriate controls. Note which Google Cloud services are available, based on your selections.

  5. Click Next.

  6. In the Environment name field on the New Assured Workloads environment page, type a name for the workload environment—for example, aw-example.

    Tip: When you name your Assured Workloads projects, keep the following in mind:

    • Include a prefix in the name (such as aw-) to find an Assured Workloads project in the project selector.
    • Do not include sensitive data or personally identifiable information (PII) in the project name.
  7. (Optional) In the Project ID field, specify the unique identifier for the project that will contain your workload environment.

    • Do not include sensitive data or PII in the project ID.
    • This field is no longer available in the Beta API, as the process for creating an Assured Workload now creates a folder rather than a project.
  8. In the Billing account box, select the billing account associated with your Google Cloud organization.

  9. In the Project location box, select the registered Assured Workloads environment folder for the environment projects.

    Tip: By default, this location is the current organization. Environments can only be created in a registered Assured Workloads folder.

  10. (Optional) In the External identifier box, enter a searchable unique identifier for the workload environment.

  11. Click Next.

  12. In the Select a region section, select the data residency location for the new workload environment.

  13. Click Next.

  14. If the selected personnel control includes Encryption, enter the Key ring name to use.

  15. Optionally, if you want to use customer-managed encryption keys (CMEK), then, in the CMEK project ID field, specify the unique identifier for the project that will contain your key ring.

  16. Click Next.

    • Do not include sensitive data or PII in the CMEK project ID.
  17. Review the configuration you specified.

  18. Click Create when you're done.

Assured Workloads creates the following resources:

  • An Assured Workloads resource project with the name of the project supplied, which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
  • Organization policies, to enforce resource location constraint and support case routing.
  • For IL4 (Preview) and CJIS configurations, Assured Workloads can create a CMEK project with the name you specified, prepended with cmek-. For example, cmek-aw-example. This project contains the configured CMEK key ring.

If you use CMEK, see Create and obtain a CMEK key to learn more.

What's next