This topic guides you through setting up a new folder for Sovereign Controls by Partners environments. You must create a folder before creating any resources using Sovereign Controls by Partners.
Before you begin
Before you can create a new folder, ensure that you've done the following:
- Completed onboarding to Google Cloud and received an email instructing you to create a partner-managed folder.
Create a new folder
To create a new folder in your partner-managed environment:
In the Google Cloud console, go to the Compliance page.
Click Create, and then select your desired partner-managed option from the drop-down menu to create a new folder.
In the Configure partner roles step, you can choose to grant Identity and Access Management (IAM) roles to a service account in the partner's organization. These roles will allow the partner to perform the following tasks:
- View your organization's Access Transparency logs
- Monitor and manage folders
- Remediate compliance violations
To grant these roles, you must first know the partner-provided service account email address. Click the Configure in IAM button, and grant that service account the following roles:
- Private Logs Viewer (
- Assured Workloads Administrator (
See Grant or revoke multiple roles in the IAM documentation for more information.
In the Configure folder step, you can choose to restrict resource creation to the EU region or, if applicable, to the partner's specific region, such as the French region. Select the check box if you want to use the partner-specific region.
Provide a folder name and a parent resource in which to create the folder, and then click Next.
In the Configure encryption step, a project will be created to store your cryptographic keys. The keys themselves are not created during this step. From the Encryption method drop-down menu, we recommend selecting the option for your partner to manage your encryption keys using their own External Key Manager (EKM). See Configuring partner-managed KMS for more information. Provide a key ring name, a project name, and an optional project ID, and select a billing account for the project. Then click Next.
In the Review and create folder step, verify each field is correct, and then click Create.
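After the Configure partner roles step, you can check that the partner's service account holds only the roles you intended to grant. The following is an added example, not part of the original guide or Google's own tooling: it audits an exported IAM policy for one service account. The role IDs, the service account address, and the sample policy are assumptions constructed for illustration, because the role IDs are cut off on this page.

```python
import json

# Assumption: IAM role IDs for the two roles named in the Configure partner
# roles step. The page's own IDs are cut off, so confirm them in the console.
EXPECTED_ROLES = {"roles/logging.privateLogViewer", "roles/assuredworkloads.admin"}


def audit_partner_bindings(policy, partner_sa, expected=EXPECTED_ROLES):
    """Compare the roles bound to partner_sa in an IAM policy with `expected`.

    `policy` is the parsed JSON of an exported policy, for example from
    `gcloud organizations get-iam-policy ORG_ID --format=json`.
    """
    member = f"serviceAccount:{partner_sa}".lower()
    granted, conditional = set(), set()
    for binding in policy.get("bindings", []):
        members = {m.lower() for m in binding.get("members", [])}
        if member not in members:
            continue
        # A conditional binding may not apply to every request, so track it
        # separately instead of counting it as a plain grant.
        if binding.get("condition"):
            conditional.add(binding["role"])
        else:
            granted.add(binding["role"])
    return {
        "missing": sorted(expected - granted - conditional),
        "unexpected": sorted((granted | conditional) - expected),
        "conditional": sorted(conditional),
    }


# Constructed sample data: a hypothetical partner service account and policy.
SAMPLE_SA = "sovereign-ops@example-partner.iam.gserviceaccount.com"
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/logging.privateLogViewer",
   "members": ["serviceAccount:sovereign-ops@example-partner.iam.gserviceaccount.com",
               "user:admin@example.com"]},
  {"role": "roles/resourcemanager.folderAdmin",
   "members": ["serviceAccount:sovereign-ops@example-partner.iam.gserviceaccount.com"]},
  {"role": "roles/assuredworkloads.admin",
   "members": ["group:compliance@example.com"]}
]}
""")

if __name__ == "__main__":
    print(json.dumps(audit_partner_bindings(SAMPLE_POLICY, SAMPLE_SA), indent=2))
```

A non-empty `unexpected` list means the partner account has more access than the wizard step describes, and a non-empty `missing` list means a grant was not applied.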