This page guides you through creating a new folder for Sovereign Controls by Partners. You must create this folder before creating any other resources intended for use with Sovereign Controls by Partners.
Before you begin
Before you can create a new folder, ensure that you've done the following:
- Completed onboarding to Google Cloud and received an email instructing you to create a partner-managed folder.
Create a new folder
In the Google Cloud console, go to the Assured Workloads page.
If prompted, select your organization.
Click Create.
In the Check prerequisites step, ensure that you meet the required prerequisites, and click Next.
In the Select compliance type step, open the Origin of compliance type drop-down and choose your partner-managed solution. Click Next.
Depending on which sovereign partner you've chosen, you may have an additional Configure partner permissions step. In this step, you can choose to grant your partner access to the following data:
- Monitoring: permission to view Assured Workloads monitoring information about your folder, including unresolved and resolved compliance violations and any exceptions you've granted for those violations.
- Access Transparency and emergency access logs: permission to view Access Transparency logs and emergency access logs for your folder.
- Access Approval information: permission to view Access Approval logs for your folder.
For more information about how these permissions are granted or revoked, see the Partner permissions section below.
Click Next.
In the Configure your folder step, provide a folder name and a parent resource in which to create the folder, and then click Next.
In the Configure key management step, a project is created to store your cryptographic keys. The keys themselves are not created during this step. Provide a key ring name, a project name, and an optional project ID. Select a billing account for the project. Click Next.
In the Review and create folder step, verify each field is correct, and then click Create.
Partner permissions
If you choose to grant your partner access to Assured Workloads monitoring and access history data, you can revoke this access at any time. To grant or revoke access for all types of data, complete the following steps:
In the Google Cloud console, go to the Assured Workloads page.
Click the name of your Sovereign Controls by Partners folder to view the folder's details.
From the Assured Workloads Folder Details page, click the Configure Partner Permissions button in the Partner permissions section.
In the Configure partner permissions panel, select the checkboxes to grant or revoke permission for each type of data, and then click Save.
Your partner's access to this data will be granted or revoked depending on your selections.
Monitoring
To enable partner access to your folder's Assured Workloads monitoring data, an Identity and Access Management (IAM) role is granted to the Cloud Controls Partner Service Agent. Like all service agents, the Cloud Controls Partner Service Agent is a Google-managed service account, and it acts on behalf of Sovereign Controls by Partners. It is visible in the IAM policy for your Sovereign Controls by Partners folder, and uses the following email format, where FOLDER_ID is the ID of that folder:
service-folder-[FOLDER_ID]@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com
The service agent is granted the Cloud Controls Partner Monitoring Service Agent (roles/cloudcontrolspartner.monitoringServiceAgent) IAM role on your folder. See the IAM reference for more information about this role and its permissions.
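The following script is an added example, not Google's code and not part of this page. It audits a folder's IAM policy for the Cloud Controls Partner Service Agent described above, so you can confirm that the Monitoring grant was applied (or revoked) as you selected in the Configure partner permissions panel, and can see any other role the agent holds. It assumes the standard IAM policy JSON shape (a "bindings" list of role/members objects, as returned by `gcloud resource-manager folders get-iam-policy FOLDER_ID --format=json`); the folder ID 123456789012 and all three policy documents are constructed samples. Only the monitoring role is documented on this page, so any other role found on the agent is reported for review rather than judged wrong.

```python
import json
import re

# Role documented on this page for the partner service agent's Monitoring access.
MONITORING_ROLE = "roles/cloudcontrolspartner.monitoringServiceAgent"

# Email format of the Cloud Controls Partner Service Agent, from this page.
AGENT_EMAIL_RE = re.compile(
    r"^service-folder-(\d+)@gcp-sa-cloudcontrolspartner\.iam\.gserviceaccount\.com$"
)

# Constructed sample (assumption): policy after granting Monitoring access.
SAMPLE_POLICY_GRANTED = """
{
  "bindings": [
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["user:folder-admin@example.com"]},
    {"role": "roles/cloudcontrolspartner.monitoringServiceAgent",
     "members": ["serviceAccount:service-folder-123456789012@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com"]}
  ],
  "etag": "CONSTRUCTED-ETAG",
  "version": 1
}
"""

# Constructed sample (assumption): policy after revoking Monitoring access.
SAMPLE_POLICY_REVOKED = """
{
  "bindings": [
    {"role": "roles/resourcemanager.folderAdmin",
     "members": ["user:folder-admin@example.com"]}
  ],
  "etag": "CONSTRUCTED-ETAG",
  "version": 1
}
"""

# Constructed sample (assumption): the agent also holds a role this page does not document.
SAMPLE_POLICY_DRIFT = """
{
  "bindings": [
    {"role": "roles/cloudcontrolspartner.monitoringServiceAgent",
     "members": ["serviceAccount:service-folder-123456789012@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com"]},
    {"role": "roles/resourcemanager.folderViewer",
     "members": ["serviceAccount:service-folder-123456789012@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com"]}
  ],
  "etag": "CONSTRUCTED-ETAG",
  "version": 1
}
"""


def expected_agent_member(folder_id):
    """IAM member string for the partner service agent of the given folder."""
    return (
        f"serviceAccount:service-folder-{folder_id}"
        "@gcp-sa-cloudcontrolspartner.iam.gserviceaccount.com"
    )


def audit_partner_agent(policy_json, folder_id):
    """Summarize the partner service agent's standing in a folder IAM policy.

    Returns a dict with:
      monitoring_granted: True if the folder's own agent holds MONITORING_ROLE
      other_roles:        any other roles the folder's own agent holds (review these)
      foreign_agents:     (member, role) pairs for partner agents of a different folder
    """
    policy = json.loads(policy_json)
    expected = expected_agent_member(folder_id)
    findings = {"monitoring_granted": False, "other_roles": [], "foreign_agents": []}

    for binding in policy.get("bindings", []):
        role = binding.get("role", "")
        for member in binding.get("members", []):
            if not member.startswith("serviceAccount:"):
                continue  # users, groups, etc. are not the partner agent
            if not AGENT_EMAIL_RE.match(member.split(":", 1)[1]):
                continue  # some other service account
            if member != expected:
                # A partner agent for a different folder ID bound here is worth a look.
                findings["foreign_agents"].append((member, role))
            elif role == MONITORING_ROLE:
                findings["monitoring_granted"] = True
            else:
                findings["other_roles"].append(role)
    return findings


if __name__ == "__main__":
    for label, doc in (("granted", SAMPLE_POLICY_GRANTED),
                       ("revoked", SAMPLE_POLICY_REVOKED),
                       ("drift", SAMPLE_POLICY_DRIFT)):
        print(label, audit_partner_agent(doc, "123456789012"))
```

Against a real folder, feed the script the JSON from the gcloud command named above; `monitoring_granted` should track the Monitoring checkbox in the Configure partner permissions panel, and a non-empty `other_roles` or `foreign_agents` list is a prompt to check the folder's IAM history.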
Next steps
- Understand restrictions and limitations in Sovereign Controls by Partners
- Learn how to configure partner-managed KMS