Creating a new workload environment

This page guides you through setting up a new Assured Workloads for Government environment in the Google Cloud Console. For more information about Assured Workloads, see the Assured Workloads for Government overview.

Before you begin

Before you can perform the procedure described in this guide, ensure you have the following resources in place. Note that the second prerequisite, requesting access to the allow-list, can take up to 24 hours to complete.

Create or select an organization

Go to the Google Cloud Console and select or create a Google Cloud organization.


To learn how to create a Google Cloud organization, see Creating and managing organizations in Resource Manager documentation.

Request access to the allow-list

Use the GA allow-list form and provide the organization ID, organization users to approve, and the required compliance regime.

Assign IAM permissions

Assign at least the minimum IAM permission levels to create and access Assured Workloads. To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources. Alternatively, run the following gcloud commands. In both cases, replace ORGANIZATION-ID with your organization identifier and example@customer.org with the user email address.

  • The roles/assuredworkloads.admin role enables the creation of workload environments:

    gcloud organizations add-iam-policy-binding ORGANIZATION-ID \
        --member="user:example@customer.org" \
        --role="roles/assuredworkloads.admin"

  • The roles/resourcemanager.organizationAdmin role is required for access to organization resources:

    gcloud organizations add-iam-policy-binding ORGANIZATION-ID \
        --member="user:example@customer.org" \
        --role="roles/resourcemanager.organizationAdmin"

For more information about the IAM roles related to Assured Workloads, see Assured Workloads IAM roles.
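As an added check that is not part of this guide or of Google's tooling, the following Python reads an organization IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORGANIZATION-ID --format=json` and reports which of the two roles above a user still lacks. It ignores conditional bindings (they grant the role only while their expression holds) and flags any binding to public principals; the policy document and the member names in it are constructed for the example.

```python
from typing import Any, Dict, List

# The two roles this guide grants so a user can create and access
# Assured Workloads environments.
REQUIRED_ROLES = (
    "roles/assuredworkloads.admin",
    "roles/resourcemanager.organizationAdmin",
)
PUBLIC_PRINCIPALS = {"allUsers", "allAuthenticatedUsers"}

# Constructed sample in the shape returned by
#   gcloud organizations get-iam-policy ORGANIZATION-ID --format=json
# (only the fields this check reads); not a real organization's policy.
SAMPLE_POLICY: Dict[str, Any] = {
    "bindings": [
        {"role": "roles/assuredworkloads.admin",
         "members": ["user:example@customer.org", "group:aw-admins@customer.org"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:example@customer.org"],
         # A conditional binding grants the role only while the expression is true.
         "condition": {"title": "expired",
                       "expression": 'request.time < timestamp("2020-01-01T00:00:00Z")'}},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
    ],
    "etag": "BwXconstructed=",
}

def unconditional_roles(policy: Dict[str, Any], member: str) -> List[str]:
    """Roles bound directly to `member` with no IAM condition attached.
    Group/domain membership is not resolved, so a role reachable only via a
    group is intentionally not counted."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" in binding:
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return sorted(roles)

def missing_required_roles(policy: Dict[str, Any], member: str) -> List[str]:
    """Required roles that `member` does not hold unconditionally."""
    held = set(unconditional_roles(policy, member))
    return [r for r in REQUIRED_ROLES if r not in held]

def public_bindings(policy: Dict[str, Any]) -> List[str]:
    """Roles granted to allUsers/allAuthenticatedUsers at the organization level."""
    return sorted(b["role"] for b in policy.get("bindings", [])
                  if PUBLIC_PRINCIPALS & set(b.get("members", [])))
```

Run it against the real policy by loading the `gcloud` JSON output with `json.load` and passing it in place of `SAMPLE_POLICY`.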

Create a new workload environment

To create a new workload environment:

  1. In the Cloud Console, click the project selector menu at the top of the page. In the project selector, choose your allow-listed organization.
  2. Click the Navigation menu, and then click Compliance.
  3. At the top of the Assured Workloads for Government page, click New Workload.
  4. In the Name box on the new workload page, type a name for the workload, and then click Next. For the purposes of this guide, we'll call the workload aw-example.
  5. In the Billing account box, select the billing account associated with your Google Cloud organization. Optionally, in the External Identifier box, enter a searchable unique identifier for the workload.
  6. In the Platform Controls section, select both a compliance regime and a region. Take a look at which Google Cloud services are available based on your selections, and then click Next.
  7. In the Encryption section, set the rotation period and starting time to generate a customer-managed encryption key (CMEK). When you're done, click Next.
  8. Review the configuration you've specified. When you're done, click Create.

Assured Workloads creates several resources:

  • An Assured Workloads resource project with the name you gave it ("aw-example" in the example above), which enforces the compliance configuration you specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
  • An Assured Workloads CMEK project with the name you specified, prefixed with cmek- ("cmek-aw-example" in the example above), which hosts the configured CMEK to achieve separation of duties.
  • Organization policies that enforce the resource location constraint and support case routing.

What's next