This page guides you through setting up a new Assured Workloads for Government environment in the Google Cloud Console. For more information about Assured Workloads, see the Assured Workloads for Government overview.
Before you begin
Before you can perform the procedure described in this guide, ensure you have the following resources in place. Note that the second prerequisite, requesting access to the allow-list, can take up to 24 hours to complete.
Create or select an organization
Go to the Google Cloud Console and select or create a Google Cloud organization.
To learn how to create a Google Cloud organization, see Creating and managing organizations in Resource Manager documentation.
Request access to the allow-list
Assign IAM permissions
Assign at least the minimum IAM permission levels to create and access Assured Workloads. To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources.
Alternatively, run the following gcloud commands. In both cases, replace ORGANIZATION-ID with your organization ID and the example email address with the user's email address.
The roles/assuredworkloads.admin role enables the creation of workload environments:
gcloud organizations add-iam-policy-binding ORGANIZATION-ID \
  --member="user:email@example.com" \
  --role="roles/assuredworkloads.admin"
The roles/resourcemanager.organizationAdmin role is required for access to organization resources:
gcloud organizations add-iam-policy-binding ORGANIZATION-ID \
  --member="user:firstname.lastname@example.org" \
  --role="roles/resourcemanager.organizationAdmin"
For more information about the IAM roles related to Assured Workloads, see Assured Workloads IAM roles.
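As an added example (not part of the Google Cloud documentation), the following check reads an organization IAM policy and reports which of the two roles above a member still lacks, then builds the matching add-iam-policy-binding commands. It assumes the JSON shape returned by `gcloud organizations get-iam-policy ORGANIZATION-ID --format=json` (a `bindings` list of `role`/`members` objects) and uses a constructed sample policy so it runs offline.

```python
# Minimum roles the guide lists for creating and accessing Assured Workloads.
REQUIRED_ROLES = (
    "roles/assuredworkloads.admin",
    "roles/resourcemanager.organizationAdmin",
)


def granted_roles(policy, member):
    """Roles bound directly to `member` in an IAM policy.

    Conditional bindings are skipped: a binding with a condition is not
    guaranteed to apply, so it is not counted as granted here.
    Group-based grants are also not expanded (direct membership only).
    """
    roles = set()
    for binding in policy.get("bindings", []):
        if binding.get("condition"):
            continue
        if member in binding.get("members", []):
            roles.add(binding["role"])
    return roles


def missing_roles(policy, member):
    """Required Assured Workloads roles that `member` does not hold unconditionally."""
    have = granted_roles(policy, member)
    return [role for role in REQUIRED_ROLES if role not in have]


def remediation_commands(org_id, member, roles):
    """Build the gcloud commands from the guide, one per missing role."""
    return [
        f'gcloud organizations add-iam-policy-binding {org_id} '
        f'--member="{member}" --role="{role}"'
        for role in roles
    ]


# Constructed sample policy (assumption: same shape as the gcloud JSON output).
# Alice holds the admin role directly but the org-admin role only under a condition.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/assuredworkloads.admin",
         "members": ["user:alice@example.com", "group:platform@example.com"]},
        {"role": "roles/resourcemanager.organizationAdmin",
         "members": ["user:alice@example.com"],
         "condition": {"title": "temporary", "expression": "request.time < timestamp(\"2020-01-01T00:00:00Z\")"}},
    ],
    "etag": "BwXexample",
    "version": 3,
}

if __name__ == "__main__":
    member = "user:alice@example.com"
    for cmd in remediation_commands("123456789012", member, missing_roles(SAMPLE_POLICY, member)):
        print(cmd)
```

Because only direct membership is inspected, a user who receives a role through a group is reported as missing it; treat the output as a prompt to verify, not as proof of a gap.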
Create a new workload environment
To create a new workload environment:
- In the Cloud Console, click the project selector menu at the top of the page. In the project selector, choose your allow-listed organization.
- Click the Navigation menu, and then click Compliance.
- At the top of the Assured Workloads for Government page, click New Workload.
- In the Name box on the new workload page, type a name for the workload, and then click Next. For the purposes of this guide, we'll call the workload "aw-example".
- In the Billing account box, select the billing account associated with your Google Cloud organization. Optionally, in the External Identifier box, enter a searchable unique identifier for the workload.
- In the Platform Controls section, select both a compliance regime and a region. Take a look at which Google Cloud services are available based on your selections, and then click Next.
- In the Encryption section, set the rotation period and starting time to generate a customer-managed encryption key (CMEK). When you're done, click Next.
- Review the configuration you've specified. When you're done, click Create.
Assured Workloads creates several resources:
- An Assured Workloads resource project with the name you gave it ("aw-example" in the example above), which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
- An Assured Workloads CMEK project with the name you specified, prefixed with cmek- ("cmek-aw-example" in the example above), which hosts the configured CMEK to achieve separation of duties.
- Organization policies that enforce the resource location constraint and support case routing.
- Deploy any of the supported Google Cloud products in your workload environment.
- Learn how to delete a workload environment.