This topic guides you through setting up a new Assured Workloads for Government environment in the Google Cloud Console. For more information about Assured Workloads, see the Assured Workloads for Government overview.
Before you begin
Before you perform the procedure described in this guide, ensure you have the following resources in place:
Create or select an organization
In the Google Cloud Console, select or create a Google Cloud organization.
To learn how to create a Google Cloud organization, see Creating and managing organizations.
Assign IAM permissions
Assign at least the "Assured Workloads Administrator" IAM role, which contains the minimum IAM permission levels to create and access Assured Workloads environments.
To learn how to grant, change, or revoke access to resources using IAM roles, see Granting, changing, and revoking access to resources. Alternatively, run the following gcloud command, replacing ORGANIZATION_ID with your organization ID and email@example.com with the user's email address:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:email@example.com" \
    --role="roles/assuredworkloads.admin"
The roles/resourcemanager.organizationAdmin role is required for access to organization resources. To grant it, run the following, again replacing ORGANIZATION_ID and the email address:
gcloud organizations add-iam-policy-binding ORGANIZATION_ID \
    --member="user:email@example.com" \
    --role="roles/resourcemanager.organizationAdmin"
For more information about the IAM roles related to Assured Workloads, see IAM roles.
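After granting the bindings above, verify them rather than assuming the commands took effect. The following is an added example, not code from the Assured Workloads documentation: it parses an organization IAM policy in the JSON shape returned by `gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`, confirms that the intended principal holds roles/assuredworkloads.admin, and flags the two things an auditor most wants to know about org-level admin roles: whether they were granted to public principals (allUsers, allAuthenticatedUsers), and who holds the broad roles/resourcemanager.organizationAdmin role. The policy document embedded below is constructed for illustration; the member names and etag are placeholders.

```python
"""Audit an organization IAM policy for Assured Workloads role bindings.

Added example; not part of the Assured Workloads documentation.
SAMPLE_POLICY is a constructed stand-in for the output of
`gcloud organizations get-iam-policy ORGANIZATION_ID --format=json`.
"""
import json

AW_ADMIN = "roles/assuredworkloads.admin"
ORG_ADMIN = "roles/resourcemanager.organizationAdmin"
PUBLIC_PRINCIPALS = ("allUsers", "allAuthenticatedUsers")

# Constructed sample policy: one correct binding, one group, one deliberately
# bad public binding on organizationAdmin so the audit has something to flag.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": AW_ADMIN,
         "members": ["user:email@example.com", "group:aw-admins@example.com"]},
        {"role": ORG_ADMIN,
         "members": ["user:email@example.com", "allUsers"]},
        {"role": "roles/viewer", "members": ["user:other@example.com"]},
    ],
    "etag": "BwXPLACEHOLDER=",
    "version": 1,
})


def load_policy(policy_json: str) -> dict:
    """Parse the JSON text produced by `gcloud ... get-iam-policy --format=json`."""
    return json.loads(policy_json)


def members_with_role(policy: dict, role: str) -> set:
    """Return every principal bound to `role` (empty set if the role is absent).

    A role may appear in more than one binding (for example with different
    IAM conditions), so all bindings are merged rather than stopping at the first.
    """
    return {
        member
        for binding in policy.get("bindings", [])
        if binding.get("role") == role
        for member in binding.get("members", [])
    }


def has_role(policy: dict, member: str, role: str) -> bool:
    """True if `member` (e.g. "user:email@example.com") holds `role` directly.

    Group membership is not expanded here: a user who holds the role only via
    a group binding will report False.
    """
    return member in members_with_role(policy, role)


def audit(policy_json: str, member: str) -> dict:
    """Check the bindings the setup guide asks for and report anything to review.

    Returns:
      missing:    roles from the guide that `member` does not hold directly
      public:     (role, principal) pairs where an admin role is granted to
                  allUsers or allAuthenticatedUsers
      org_admins: sorted principals holding organizationAdmin, for review
    """
    policy = load_policy(policy_json)
    missing = [r for r in (AW_ADMIN,) if not has_role(policy, member, r)]
    public = [
        (role, principal)
        for role in (AW_ADMIN, ORG_ADMIN)
        for principal in sorted(members_with_role(policy, role))
        if principal in PUBLIC_PRINCIPALS
    ]
    return {
        "missing": missing,
        "public": public,
        "org_admins": sorted(members_with_role(policy, ORG_ADMIN)),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, "user:email@example.com")
    for key, value in report.items():
        print(f"{key}: {value}")
```

To run this against a real organization, pipe the gcloud output into a file and pass its contents to `audit()` in place of SAMPLE_POLICY. Any entry in `public` on an admin role is a misconfiguration to fix immediately; `org_admins` is intentionally a review list rather than a finding, since the guide itself grants organizationAdmin to the administrator.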
Create a new workload environment
To create a new workload environment, do the following:
- In the Cloud Console, click the project selector menu at the top of the page. In the project selector, choose your organization.
- Click the Navigation menu, and then click Compliance.
- At the top of the Assured Workloads for Government page, click New Workload Environment.
- In the Personnel controls section, select the appropriate personnel and location controls. Note which Google Cloud services are available based on your selections, and then click Next.
- In the Name field on the new workload page, type a name for the workload environment. For the purposes of this guide, we'll call the workload environment aw-example.
- In the Billing account box, select the billing account associated with your Google Cloud organization.
- Optionally, in the Project location box, select the location in the resource hierarchy for the environment projects. By default, this location is the current organization. Click Next.
- Optionally, in the External Identifier box, enter a searchable unique identifier for the workload environment and click Next.
- In the Region section, select the data residency location for the new workload environment and click Next.
- If the selected personnel control includes Encryption, set the rotation period and starting time to generate a customer-managed encryption key (CMEK). When you're done, click Next.
- Review the configuration you've specified and click Create when you're done.
Assured Workloads creates the following resources:
- Assured Workloads resource project with the name you gave it ("aw-example" in the example above), which enforces the compliance configuration you've specified on supported Google Cloud resources. To learn more about supported services, see Supported products by regime.
- Organization policies, to enforce resource location constraint and support case routing.
- For certain configurations, an Assured Workloads CMEK project with the name you specified, prepended with cmek- ("cmek-aw-example" in the example above), which hosts the configured CMEK to achieve separation of duties.
What's next
- Deploy any of the supported Google Cloud products in your workload environment.
- Learn how to delete a workload environment.