Create a new project in a workload environment (IL4, CJIS)

This topic guides you through setting up a new Assured Workloads environment in Google Cloud Console for IL4 (Preview) and CJIS compliance regimes. For more information about Assured Workloads, see the Assured Workloads overview.

Before you begin

Before you can perform the procedure described in this guide, ensure you created a folder for Assured Workloads environments and received a confirmation email.

Assign Identity and Access Management permissions

Assign the Assured Workloads Administrator Identity and Access Management (IAM) role, which contains the minimum IAM permission levels to create and access Assured Workloads environments.

To grant the role, run the following gcloud command:

  gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="MEMBER" \
    --role="roles/assuredworkloads.admin"

Replace the following:

  • ORGANIZATION_ID: your organization identifier
  • MEMBER: the email address of the user you want to grant the role to, in the format example@customer.org

The roles/assuredworkloads.admin role enables the creation of workload environments.

To learn how more about to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.

For more information about the IAM roles related to Assured Workloads, see IAM roles.

Access Transparency configuration

Access Transparency is required for certain platform controls. To use these controls, enable Access Transparency. See Access Transparency documentation to learn more.

Create a new project in a workload environment

To create a new workload environment, do the following:

  1. In the Google Cloud Console, go to the Assured Workloads page.

    Go to Assured Workloads

  2. On the Cloud Console toolbar, click Select a project, and then choose your organization.

  3. Click New workload environment.

  4. In the Select location and personnel controls for Google Cloud section, select the appropriate controls. For more information about selecting your platform controls, see Getting started with Assured Workloads.

  5. Click Next.

  6. On the New Assured Workloads environment page, do the following:

    1. In the Environment name field, type a name for the workload environment—for example, aw-example.

    2. Optional: In the Project ID field, specify the unique identifier for the project that contains your workload environment.

    3. In the Billing account field, select the billing account that's associated with your Google Cloud organization.

    4. In the Project location field, select the registered Assured Workloads environment folder for the environment projects.

    5. Optional: In the External identifier field, enter a searchable unique identifier for the workload environment.

  7. Click Next.

  8. In the Select a region section, in the Choose region menu, select the data residency location for the new workload environment.

  9. Click Next.

  10. If Set encryption controls appears, then do the following:

    1. In the Keyring name field, enter a name for the key ring.
    2. Optionally, if you want to use customer-managed encryption keys (CMEK), then, in the CMEK key project name field, specify the unique identifier for the project that contains your key ring.

      Do not include sensitive data or PII in the CMEK project ID field.

  11. Click Next.

  12. Review the configuration that you specified.

  13. When you're finished, click Create.

Assured Workloads creates the following resources:

  • An Assured Workloads resource project with the name of the project supplied, which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
  • Organization policies, to enforce resource location constraint and support case routing.
  • For IL4 (Preview) and CJIS configurations, Assured Workloads can create a CMEK project with the name you specified, prepended with cmek-. For example, cmek-aw-example. This project contains the configured CMEK key ring.

If you use CMEK, see Create and obtain a CMEK key to learn more.

What's next