Create a BigQuery workload

This guide shows you how to set up encryption keys in the Assured Workloads environment using Google Cloud Console, and then use the keys to secure BigQuery. For more information about Assured Workloads, see the Assured Workloads overview.

Before you begin

  1. You must be a project owner, an org admin, or have security access to the project. For first-time users, see Get started with Assured Workloads.

  2. Choose a compliance regime and encryption strategy.

  3. Create a folder for your Assured Workloads environment.

  4. Create a workload environment, including an encryption project and a resource project, and select the option to use Customer-managed encryption keys (CMEK).

  5. Select the project ID for the project that contains your Assured Workloads CMEK keys. If you chose IL4 (Preview) or CJIS as a compliance regime, then, by default, this project ID starts with cmek-.

Create the key

To create the CMEK key, do the following:

  1. In Google Cloud Console, go to Cryptographic Keys.

  2. Select the Assured Workloads CMEK project. By default, this project ID starts with cmek-.

  3. Click your key ring.

  4. Click Create Key.

  5. In the What type of key do you want to create? drop-down list, select Generated key.

  6. In Key name, enter the key name.

  7. In the Protection level drop-down list, select Software.

  8. In the Purpose drop-down list, select Symmetric encryption/decryption.

  9. In the Rotation period drop-down list, select 90 days.

  10. Optional: To add a label, do the following:

    1. Click Add a label.
    2. Enter a key in the Key text field.
    3. Enter a value in the Value text field.
  11. Click Create.

You see that the key was created.

Obtain your CMEK key resource ID

  1. In Google Cloud Console, in the Project Selector, select the project ID for the project that contains your CMEK keys. By default, if Assured Workloads creates this project, the project ID starts with cmek-.

  2. In Security, go to Cryptographic Keys.

  3. Under Key rings, click the key ring name.

  4. In Key ring details, in the Keys tab, click the name of the key.

  5. Click the More icon to the right of the key name.

  6. Click Copy Resource Name.

    The resource string is formatted as follows:

     projects/SECURITY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
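
A pre-flight check for the copied resource name, as an added example (not part of the original guide or Google's code): it parses the format shown above and reports problems worth fixing before you paste the ID into BigQuery. The function names and sample values are hypothetical. The location comparison assumes BigQuery's requirement that a CMEK key be in the same location as the dataset, which this guide does not state.

```python
import re
from typing import List, NamedTuple

# Format shown in this guide:
# projects/SECURITY_PROJECT_ID/locations/LOCATION/keyRings/KEY_RING_NAME/cryptoKeys/KEY_NAME
_KEY_RE = re.compile(
    r"projects/(?P<project>[^/]+)/locations/(?P<location>[^/]+)"
    r"/keyRings/(?P<key_ring>[^/]+)/cryptoKeys/(?P<key>[^/]+)"
)

class KeyRef(NamedTuple):
    project: str
    location: str
    key_ring: str
    key: str

def parse_key_resource_id(resource_id: str) -> KeyRef:
    """Parse a CryptoKey resource name; reject anything that is not exactly a key."""
    text = resource_id.strip()
    if "/cryptoKeyVersions/" in text:
        # A key *version* name was copied instead of the key name.
        raise ValueError("key version given; drop the /cryptoKeyVersions/N suffix")
    match = _KEY_RE.fullmatch(text)
    if match is None:
        raise ValueError(f"not a CryptoKey resource name: {resource_id!r}")
    return KeyRef(**match.groupdict())

def preflight(resource_id: str, dataset_location: str,
              cmek_prefix: str = "cmek-") -> List[str]:
    """Return findings to resolve before using the key for a BigQuery dataset."""
    ref = parse_key_resource_id(resource_id)
    # Per this guide, a Data location of "Default" means US.
    if dataset_location.lower() == "default":
        dataset_location = "US"
    findings = []
    if not ref.project.startswith(cmek_prefix):
        # cmek- is only the default prefix, so this is a prompt to double-check.
        findings.append(f"project {ref.project!r} does not start with {cmek_prefix!r}")
    if ref.location.lower() != dataset_location.lower():
        # Assumption: the key and the dataset must share a location.
        findings.append(f"key location {ref.location!r} differs from dataset "
                        f"location {dataset_location!r}")
    return findings

if __name__ == "__main__":
    # Constructed sample value, not a real resource.
    sample = "projects/cmek-example-123/locations/us/keyRings/example-ring/cryptoKeys/bq-key"
    print(parse_key_resource_id(sample))
    print(preflight(sample, "Default"), preflight(sample, "europe-west2"))
```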
    

Use the key in BigQuery

  1. Go to BigQuery.

  2. In the Project Selector, select the Assured Workloads resource project in which you want to create the BigQuery resource.

  3. In Explorer, click next to the project in which you want to create the dataset.

  4. Click Create dataset.

  5. In the Dataset ID field, enter a unique dataset name.

  6. (Optional) In the Data location drop-down list, choose a geographic location for the dataset. If the value is set to Default, the location is set to US. After a dataset is created, the location can't be changed.

  7. In the Default table expiration drop-down list, select one of the following options:

    1. Never: (Default) BigQuery never deletes tables created in the dataset. You must delete them manually.
    2. Number of days after table creation: This value determines when BigQuery deletes a newly created table in the dataset. This value is applied if you don't set a table expiration when you create the table.
  8. For Encryption, select Customer-managed key.

    1. If you do not see your key, select Don't See Your Key? Enter Key Resource ID.
    2. The Enter key resource ID dialog appears.
    3. Follow the instructions in Obtain your CMEK key resource ID, earlier in this guide.
    4. Paste the key into the Key resource ID field.
    5. Click Grant.
    6. Click Create dataset.
  9. If you didn't create a Customer Managed Encryption Key (CMEK) project when you set up Assured Workloads:

    1. Select Google-managed encryption key.
    2. Click Create dataset.

What's next