- NAME
-
- gcloud beta assured workloads create - create a new Assured Workloads environment
- SYNOPSIS
-
-
gcloud beta assured workloads create--billing-account=BILLING_ACCOUNT--compliance-regime=COMPLIANCE_REGIME--display-name=DISPLAY_NAME--location=LOCATION--organization=ORGANIZATION[--enable-sovereign-controls=ENABLE_SOVEREIGN_CONTROLS] [--external-identifier=EXTERNAL_IDENTIFIER] [--labels=[KEY=VALUE, …]] [--next-rotation-time=NEXT_ROTATION_TIME] [--partner=PARTNER] [--partner-permissions=[KEY=VALUE, …]] [--partner-services-billing-account=PARTNER_SERVICES_BILLING_ACCOUNT] [--provisioned-resources-parent=PROVISIONED_RESOURCES_PARENT] [--resource-settings=[KEY=VALUE, …]] [--rotation-period=ROTATION_PERIOD] [GCLOUD_WIDE_FLAG …]
-
- DESCRIPTION
-
(BETA)Create a new Assured Workloads environment - EXAMPLES
- The following example command creates a new Assured Workloads environment with
these properties:
- belonging to an organization with ID 123
- located in the
us-central1region - display name
Test-Workload - compliance regime
FEDRAMP_MODERATE - billing account
billingAccounts/456 - first key rotation set for 10:15am on the December 30, 2020
- key rotation interval set for every 48 hours
- with the label: key = 'LabelKey1', value = 'LabelValue1'
- with the label: key = 'LabelKey2', value = 'LabelValue2'
- provisioned resources parent 'folders/789'
- with custom project id 'my-custom-id' for consumer project
- with external identifier for the workload of 'external-id'
gcloud beta assured workloads create --organization = 123 --location = us-central1 --display-name = Test-Workload --compliance-regime = FEDRAMP_MODERATE --billing-account = billingAccounts/456 --next-rotation-time = 2020 -12-30T10:15:00.00Z --rotation-period = 172800s --labels = LabelKey1 = LabelValue1,LabelKey2 = LabelValue2 --provisioned-resources-parent = folders/789 --resource-settings = consumer-project-id = my-custom-id --external-identifier = external-id- belonging to an organization with ID 123
- located in the
me-central2region - display name
Test-Workload - partner
CNTXT - partner services billing account
billingAccounts/789 - billing account
billingAccounts/456 - data logs viewer partner permission enabled
- first key rotation set for 10:15am on the December 30, 2020
- key rotation interval set for every 48 hours
- with the label: key = 'LabelKey1', value = 'LabelValue1'
- with the label: key = 'LabelKey2', value = 'LabelValue2'
- provisioned resources parent 'folders/789'
- with custom project id 'my-custom-id' for consumer project
- with external identifier for the workload of 'external-id'
gcloud beta assured workloads create --organization = 123 --location = me-central2 --display-name = Test-Workload --compliance-regime = ASSURED_WORKLOADS_FOR_PARTNERS --partner = SOVEREIGN_CONTROLS_BY_CNTXT --partner-services-billing-account = billingAccounts/01BF3F-2C6DE5-30C607 --partner-permissions = data-logs-viewer = true --billing-account = billingAccounts/456 --next-rotation-time = 2020 -12-30T10:15:00.00Z --rotation-period = 172800s --labels = LabelKey1 = LabelValue1,LabelKey2 = LabelValue2 --provisioned-resources-parent = folders/789 --resource-settings = consumer-project-id = my-custom-id --external-identifier = external-id - REQUIRED FLAGS
-
-
--billing-account=BILLING_ACCOUNT - The billing account of the new Assured Workloads environment, for example, billingAccounts/0000AA-AAA00A-A0A0A0
-
--compliance-regime=COMPLIANCE_REGIME - The compliance regime of the new Assured Workloads environment.
COMPLIANCE_REGIMEmust be one of:assured-workloads-for-partners,au-regions-and-us-support,australia-data-boundary-and-support,ca-protected-b,ca-regions-and-support,canada-controlled-goods,canada-data-boundary-and-support,cjis,data-boundary-for-canada-controlled-goods,data-boundary-for-canada-protected-b,data-boundary-for-cjis,data-boundary-for-fedramp-high,data-boundary-for-fedramp-moderate,data-boundary-for-il2,data-boundary-for-il4,data-boundary-for-il5,data-boundary-for-irs-publication-1075,data-boundary-for-itar,eu-data-boundary-and-support,eu-regions-and-support,fedramp-high,fedramp-moderate,healthcare-and-life-sciences-controls,healthcare-and-life-sciences-controls-us-support,hipaa,hitrust,il2,il4,il5,irs-1075,isr-regions,isr-regions-and-support,israel-data-boundary-and-support,itar,japan-data-boundary,jp-regions-and-support,ksa-data-boundary-with-access-justifications,ksa-regions-and-support-with-sovereignty-controls,regional-controls,regional-data-boundary,us-data-boundary-and-support,us-data-boundary-for-healthcare-and-life-sciences,us-data-boundary-for-healthcare-and-life-sciences-with-support,us-regional-access. -
--display-name=DISPLAY_NAME - The display name of the new Assured Workloads environment
-
--location=LOCATION - The location of the new Assured Workloads environment. For a current list of supported LOCATION values, see Assured Workloads locations .
-
--organization=ORGANIZATION - The parent organization of the new Assured Workloads environment, provided as an organization ID
-
- OPTIONAL FLAGS
-
-
--enable-sovereign-controls=ENABLE_SOVEREIGN_CONTROLS - If true, enable sovereign controls for the new Assured Workloads environment, currently only supported by EU_REGIONS_AND_SUPPORT
-
--external-identifier=EXTERNAL_IDENTIFIER - The external identifier of the new Assured Workloads environment
-
--labels=[KEY=VALUE,…] - The labels of the new Assured Workloads environment, for example, LabelKey1=LabelValue1,LabelKey2=LabelValue2
- The next rotation time of the KMS settings of new Assured Workloads environment, for example, 2020-12-30T10:15:30.00Z
-
--partner=PARTNER - The partner choice when creating a workload managed by local trusted partners.
PARTNERmust be one of:local-controls-by-s3ns,sovereign-controls-by-cntxt,sovereign-controls-by-cntxt-no-ekm,sovereign-controls-by-psn,sovereign-controls-by-sia-minsait,sovereign-controls-by-t-systems,spain-data-boundary-by-telefonica. - The partner permissions for the partner regime, for example, data-logs-viewer=true/false
-
--partner-services-billing-account=PARTNER_SERVICES_BILLING_ACCOUNT - Billing account necessary for purchasing services from Sovereign Partners. This field is required for creating SIA/PSN/CNTXT partner workloads. The caller should have 'billing.resourceAssociations.create' IAM permission on this billing-account. The format of this string is billingAccounts/AAAAAA-BBBBBB-CCCCCC
-
--provisioned-resources-parent=PROVISIONED_RESOURCES_PARENT - The parent of the provisioned projects, for example, folders/{FOLDER_ID}
-
--resource-settings=[KEY=VALUE,…] - A comma-separated, key=value map of custom resource settings such as custom project ids, for example: consumer-project-id={CONSUMER_PROJECT_ID} Note: Currently only encryption-keys-project-id, encryption-keys-project-name and keyring-id are supported. The encryption-keys-project-id, encryption-keys-project-name and keyring-id settings can be specified only if KMS settings are provided
-
--rotation-period=ROTATION_PERIOD - The rotation period of the KMS settings of the new Assured Workloads environment, for example, 172800s
-
- GCLOUD WIDE FLAGS
- These flags are available to all commands:
--access-token-file,--account,--billing-project,--configuration,--flags-file,--flatten,--format,--help,--impersonate-service-account,--log-http,--project,--quiet,--trace-token,--user-output-enabled,--verbosity.Run
$ gcloud helpfor details. - NOTES
- This command is currently in beta and might change without notice. These
variants are also available:
gcloud assured workloads creategcloud alpha assured workloads create
gcloud beta assured workloads create
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License , and code samples are licensed under the Apache 2.0 License . For details, see the Google Developers Site Policies . Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-05-27 UTC.
