Creating a new workload environment

This topic guides you through setting up a new Assured Workloads for Government environment in the Google Cloud Console. For more information about Assured Workloads, see the Assured Workloads for Government overview.

Before you begin

Before you perform the procedure described in this guide, ensure you have the following resources in place:

Create or select an organization

In the Google Cloud Console, select or create a Google Cloud organization.


To learn how to create a Google Cloud organization, see Creating and managing organizations.

Assign IAM permissions

Assign at least the "Assured Workloads Administrator" IAM role (roles/assuredworkloads.admin), which contains the minimum IAM permissions needed to create and access Assured Workloads environments.

To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources. Alternatively, run the following gcloud command, replacing ORGANIZATION_ID with your organization identifier and example@customer.org with the user email address.

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/assuredworkloads.admin"

The roles/resourcemanager.organizationAdmin role is also required, because creating an environment touches organization-level resources. This role is highly privileged (it includes permission to change the organization's own IAM policy), so grant it only to the principals who need it, preferably through a group rather than individual user bindings. To grant it, run the following:

gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
  --member="user:example@customer.org" \
  --role="roles/resourcemanager.organizationAdmin"

For more information about the IAM roles related to Assured Workloads, see IAM roles.

Create a new workload environment

To create a new workload environment, do the following:

  1. In the Cloud Console, click the project selector menu at the top of the page. In the project selector, choose your organization.
  2. Click the Navigation menu, and then click Compliance.
  3. At the top of the Assured Workloads for Government page, click New Workload Environment.
  4. In the Personnel controls section, select the appropriate personnel and location controls. Note which Google Cloud services are available based on your selections, and then click Next.
  5. In the Name field on the new workload page, type a name for the workload environment. For the purposes of this guide, we'll call the workload environment aw-example.
  6. In the Billing account box, select the billing account associated with your Google Cloud organization.
  7. Optionally, in the Project location box, select the parent under which the environment projects are created. By default, the parent is the current organization. Click Next.
  8. Optionally, in the External Identifier box, enter a searchable unique identifier for the workload environment and click Next.
  9. In the Region section, select the data residency location for the new workload environment and click Next.
  10. If the selected personnel control includes Encryption, set the rotation period and the first rotation time for the customer-managed encryption key (CMEK) that will be generated. When you're done, click Next.

Review the configuration you've specified and click Create when you're done.
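The Console procedure above and the IAM prerequisites, as an added example that is not part of this page: the same aw-example environment created with the gcloud CLI (gcloud assured workloads create) instead of the Console, preceded by a check that the operator actually holds roles/assuredworkloads.admin on the organization and followed by checks of the provisioned resources and the resource-location organization policy. The organization ID, billing account, folder ID, operator email, the FEDRAMP_MODERATE regime, the us-central1 location and the rotation value formats are assumed placeholders, not identifiers from this page; substitute your own. DRY_RUN=1 prints each command instead of running it so the sequence can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the Assured Workloads documentation: the
# "aw-example" environment created from the gcloud CLI instead of the Cloud
# Console, with a pre-flight IAM check and post-creation checks.
# Every identifier below is an assumed placeholder, not a real ID.
set -eu

ORG_ID="${ORG_ID:-123456789012}"                         # assumed organization ID
BILLING_ACCOUNT="${BILLING_ACCOUNT:-billingAccounts/000000-AAAAAA-000000}"  # assumed
LOCATION="${LOCATION:-us-central1}"                      # data residency (step 9), assumed
REGIME="${REGIME:-FEDRAMP_MODERATE}"                     # personnel control (step 4), assumed
DISPLAY_NAME="${DISPLAY_NAME:-aw-example}"               # name from step 5
OPERATOR="${OPERATOR:-example@customer.org}"             # user granted the roles above
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints each gcloud command instead of running it

# run: execute the command, or print it verbatim when DRY_RUN=1 so the
# sequence can be reviewed before anything is created.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Pre-flight: print roles/assuredworkloads.admin if OPERATOR holds it directly
# on the organization (empty output means the binding is missing). A role
# inherited through a group membership is not visible with this filter.
check_admin_role() {
  run gcloud organizations get-iam-policy "$ORG_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.role=roles/assuredworkloads.admin AND bindings.members=user:${OPERATOR}" \
    --format="value(bindings.role)"
}

# Create the environment. The two CMEK flags mirror step 10 and only matter for
# regimes that include the Encryption control; the seconds-suffixed period and
# RFC 3339 rotation time formats are assumed. To mirror step 7, add
# --provisioned-resources-parent=folders/FOLDER_ID (flag name assumed).
create_workload() {
  rotation_period="$1"
  next_rotation="$2"
  run gcloud assured workloads create \
    --organization="$ORG_ID" \
    --location="$LOCATION" \
    --display-name="$DISPLAY_NAME" \
    --compliance-regime="$REGIME" \
    --billing-account="$BILLING_ACCOUNT" \
    --rotation-period="$rotation_period" \
    --next-rotation-time="$next_rotation"
}

# List what was provisioned (the environment container and, where configured,
# the cmek- project) so the names can be checked against the expected ones.
describe_workload() {
  run gcloud assured workloads describe "$1" \
    --organization="$ORG_ID" \
    --location="$LOCATION" \
    --format="yaml(name,complianceRegime,resources)"
}

# Confirm the resource-location organization policy is in effect on the
# environment's folder (pass the numeric folder ID shown by describe_workload).
check_location_policy() {
  run gcloud resource-manager org-policies describe gcp.resourceLocations \
    --folder="$1" --effective
}

main() {
  if [ -z "$(check_admin_role)" ]; then
    echo "missing roles/assuredworkloads.admin for $OPERATOR on organization $ORG_ID" >&2
    exit 1
  fi
  create_workload 2592000s 2025-01-01T00:00:00Z
}

# Create only when explicitly asked; sourcing the file just defines the functions.
if [ "${1:-}" = "create" ]; then
  main
fi
```

Run it as `sh create-aw-example.sh create` after exporting your own ORG_ID and BILLING_ACCOUNT, or source it and call describe_workload and check_location_policy with the values returned by the create step. The flags map one-to-one onto the Console fields (display name, billing account, compliance regime, data residency location, CMEK rotation settings), which makes the script a convenient record of exactly which controls an environment was created with.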

Assured Workloads creates the following resources:

  • Assured Workloads resource project with the name you gave it ("aw-example" in the example above), which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
  • Organization policies, to enforce resource location constraint and support case routing.
  • For certain configurations, an Assured Workloads CMEK project with the name you specified, prefixed with cmek- ("cmek-aw-example" in the example above), which hosts the configured CMEK in a separate project to achieve separation of duties between the workload and its keys.

What's next