Create a partner-managed folder


This topic guides you through setting up a new folder for Sovereign Controls by Partners environments. You must create a folder before creating any resources using Sovereign Controls by Partners.

Before you begin

Before you can create a new folder, ensure that you've done the following:

  • Completed onboarding to Google Cloud and received an email instructing you to create a partner-managed folder.

Create a new folder

To create a new folder in your partner-managed environment:

  1. In the Google Cloud console, go to the Compliance page.

    Go to Compliance

  2. Click Create, and then select your desired partner-managed option from the drop-down menu to create a new folder.

  3. In the Configure partner roles step, you can choose to grant Identity and Access Management (IAM) roles to a service account in the partner's organization. These roles will allow the partner to perform the following tasks:

    • View your organization's Access Transparency logs
    • Monitor and manage folders
    • Remediate compliance violations

    To grant these roles, you must first know the partner-provided service account email address. Click the Configure in IAM button, and grant that service account the following roles:

    • Private Logs Viewer (roles/logging.privateLogViewer)
    • Assured Workloads Administrator (roles/assuredworkloads.admin)

    See Grant or revoke multiple roles in the IAM documentation for more information.

  4. Click Next.

  5. In the Configure folder step, you can choose to restrict resource creation to the EU region or, if applicable, to the partner's specific region, such as the French region. Select the check box if you want to use the partner-specific region.

  6. Provide a folder name and a parent resource in which to create the folder, and then click Next.

  7. In the Configure encryption step, a project will be created to store your cryptographic keys. The keys themselves are not created during this step. From the Encryption method drop-down menu, we recommend selecting the option for your partner to manage your encryption keys using their own External Key Manager (EKM). See Configuring partner-managed KMS for more information. Provide a key ring name, a project name, and an optional project ID, and select a billing account for the project. Then click Next.

  8. In the Review and create folder step, verify each field is correct, and then click Create.

Next steps