For Agents
Provision and govern Google Cloud Assured Workloads folders, restrict resource locations, acknowledge violations, and manage partner permissions for regulated workloads.
Get started with Assured Workloads API in minutes using your preferred integration method.
# Add to your MCP client config (Claude Desktop, Cursor, Windsurf)
{
"jentic": {
"url": "https://api.jentic.com/mcp",
"auth": "oauth"
}
}
# Then ask your agent:
"create a FedRAMP Assured Workload in Google Cloud"
# → Jentic returns the GET /events tool with parameter schema, agent executes.
What an agent can do with the Assured Workloads API.
Create a workload that enforces a chosen compliance regime such as FedRAMP_HIGH or EU_REGIONS_AND_SUPPORT
Restrict the set of allowed resource types within a workload via /v1/{+name}:restrictAllowedResources
Acknowledge a compliance violation surfaced on the workload to mark it reviewed
Enable resource monitoring on a workload via /v1/{+name}:enableResourceMonitoring
Use for: I need to create a FedRAMP High Assured Workloads folder for a federal customer, Restrict a workload to only allow Compute Engine and Cloud Storage resources, List all violations on a given Assured Workloads folder, Acknowledge a sovereignty violation that has been remediated
Not supported: Does not provision projects inside the workload, run application workloads, or remediate violations automatically — use for creating, configuring, and acknowledging posture on Assured Workloads folders only.
The Assured Workloads API programmatically manages Google Cloud's compliance-controlled folders that enforce regulatory regimes such as FedRAMP, IL4, CJIS, and EU Sovereign Controls on the resources created inside them. It exposes operations to create and update workloads, restrict allowed resource types and locations, mutate partner-controlled permissions, and acknowledge violations surfaced by the platform. Workload state changes are returned as long-running operations that callers must poll for completion. The API is the control plane for compliance posture, not for building or running the underlying applications.
Mutate partner-controlled IAM permissions via /v1/{+name}:mutatePartnerPermissions for sovereign deployments
List long-running operations on a workload to track create and update progress
Patterns agents use the Assured Workloads API for, with concrete tasks.
★ Provision a FedRAMP-Controlled Folder
Create a Google Cloud folder that automatically enforces FedRAMP High or Moderate controls on the projects placed inside it. The API returns a long-running operation while the workload is being prepared, then exposes endpoints to inspect violations and acknowledge them. Suited to regulated SaaS providers that need a repeatable, auditable provisioning path for compliant tenants.
POST a workload create request with complianceRegime=FEDRAMP_HIGH to /v1/{parent}/workloads and poll the returned operation until it completes.
Lock Down Allowed Resources for a Regulated Tenant
After a workload is created, restrict the resource types it can use to a curated allowlist so customers cannot inadvertently provision non-compliant services. The restrictAllowedResources endpoint accepts a list of allowed resource type strings and applies them at the workload boundary. Useful for tenants that must hold to a strict baseline like Compute Engine plus Cloud Storage only.
POST a list of allowed resource types to /v1/{name}:restrictAllowedResources for the workload and verify the response.
Acknowledge and Track Compliance Violations
When the platform raises a compliance violation on a workload, an operations team can list violations, investigate, and acknowledge each one through the API to record review. Acknowledgement does not remediate the underlying issue but records human review for audit purposes, fitting cleanly into a SOC workflow or ticketing integration.
POST an acknowledgement with the violation resource name to /v1/{name}:acknowledge and log the response in the SOC ticket.
Agent-Driven Compliance Posture Reviews via Jentic
Use an AI agent to run periodic posture reviews across an organisation's Assured Workloads, summarise open violations, and route them to the right owner. Through Jentic the agent discovers list and acknowledge operations by intent and executes them with org-scoped credentials supplied at call time, without managing service accounts inside the agent runtime.
Use Jentic search for 'list assured workloads in an organisation', iterate the results, and call the acknowledge endpoint for each violation marked closed in the ticketing system.
12 endpoints. The Assured Workloads API programmatically manages Google Cloud's compliance-controlled folders that enforce regulatory regimes such as FedRAMP, IL4, CJIS, and EU Sovereign Controls on the resources created inside them.
| METHOD | PATH | DESCRIPTION |
|---|---|---|
| | /v1/{+name} | Get a workload or violation by resource name |
| | /v1/{+name} | Update a workload's mutable fields |
| | /v1/{+name} | Delete a workload |
| | /v1/{+name}:acknowledge | Acknowledge a compliance violation |
| | /v1/{+name}:restrictAllowedResources | Restrict the allowed resource types in a workload |
| | /v1/{+name}:enableResourceMonitoring | Enable resource monitoring on a workload |
| | /v1/{+name}:mutatePartnerPermissions | Update partner-controlled IAM permissions |
Three things that make agents converge on Jentic-routed access.
Credential isolation
Google service account keys for organisation-scoped roles are stored encrypted in the Jentic vault and never exposed to the agent. Each call mints a short-lived access token bound to the requested scope.
Intent-based discovery
Agents search Jentic with intents like 'create a FedRAMP workload' and receive the matching Assured Workloads operation and schema, avoiding the need to walk Google's discovery document or compliance docs.
Time to first call
Direct integration: 2-5 days including organisation IAM grants, service account setup, and operation-polling logic. Through Jentic: under 1 hour once the credential is in the vault.
Alternatives and complements available in the Jentic catalogue.
Cloud Resource Manager API
Creates the projects and folders that live inside an Assured Workload
Use alongside Assured Workloads to actually provision the projects under the compliance-bounded folder.
Access Context Manager API
Defines access levels and service perimeters that complement workload boundaries
Pair when an agent needs to add VPC Service Controls perimeters around an Assured Workload.
Security Command Center API
Surfaces broader security findings across the organisation including workload posture
Use to triage findings raised across many workloads, while Assured Workloads handles the regime-specific configuration.
Specific to using the Assured Workloads API through Jentic.
What authentication does the Assured Workloads API use?
The API uses Google OAuth 2.0 with cloud-platform scope. The caller must hold the assuredworkloads.workloads.* IAM permissions on the parent organisation or folder. Through Jentic the service account credential lives in the encrypted vault and the agent only sees short-lived access tokens.
Which compliance regimes can I enforce with the Assured Workloads API?
The workload create payload accepts a complianceRegime field; supported values include FedRAMP Moderate and High, IL4, CJIS, EU Regions and Support, EU Sovereign Controls, and Canada Controlled Goods Program among others. The exact set is documented on the workload create schema in the spec.
Are workload create and update operations synchronous?
No. Create, update, and delete return long-running operation handles. List the operations under the workload via GET /v1/{name}/operations and poll until done is true to confirm completion.
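A polling loop for the long-running operations described above, added here as an example and not taken from Jentic's or Google's code. It assumes the standard Google long-running operation body (`done`, then either `error` or `response`); `fetch_operation` is a hypothetical callable standing in for the authenticated GET, and the resource names used with it are constructed.

```python
import time
from typing import Callable, Dict


class OperationFailed(Exception):
    """done was true but the body carried an error: the change did not apply."""


class OperationTimeout(Exception):
    """Deadline passed before done was true: the workload state is unknown."""


def wait_for_operation(
    fetch_operation: Callable[[str], Dict],  # hypothetical: does the authenticated GET
    name: str,
    timeout_s: float = 600.0,
    initial_delay_s: float = 1.0,
    max_delay_s: float = 30.0,
    sleep: Callable[[float], None] = time.sleep,
    clock: Callable[[], float] = time.monotonic,
) -> Dict:
    """Poll an operation until done is true, then return its response.

    Fails closed: an error body or a timeout raises, so a caller never treats
    a workload as provisioned or restricted on the strength of the initial
    200 response alone.
    """
    deadline = clock() + timeout_s
    delay = initial_delay_s
    while True:
        op = fetch_operation(name)
        # JSON bodies omit false fields, so a missing "done" means still pending.
        if op.get("done") is True:
            if "error" in op:
                err = op["error"]
                raise OperationFailed(
                    f"{name}: code={err.get('code')} {err.get('message', '')}"
                )
            return op.get("response", {})
        if clock() + delay > deadline:
            raise OperationTimeout(f"{name} still pending after {timeout_s}s")
        sleep(delay)
        delay = min(delay * 2, max_delay_s)  # exponential backoff, capped


def make_fake_fetch(states):
    """Constructed sample data: replays a fixed list of operation bodies."""
    it = iter(states)
    return lambda _name: next(it)
```

Treat `OperationTimeout` as "unknown", not "failed": re-read the workload before retrying a create, so a slow operation does not produce a second folder.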
How do I acknowledge a compliance violation through Jentic?
Search Jentic for 'acknowledge an Assured Workloads violation', load the schema for POST /v1/{name}:acknowledge, and execute it with the violation resource name and an acknowledgement comment. The credential is supplied from the Jentic vault.
What are the rate limits for the Assured Workloads API?
Numeric rate limits are not declared in the spec; quotas are enforced per project on assuredworkloads.googleapis.com. Review the project's quota settings in the Google Cloud console before bulk-creating workloads.
Can the API create the projects inside a workload?
No. Assured Workloads creates the bounded folder; projects inside it are still created via the Cloud Resource Manager API. Use the two together to fully provision a regulated tenant.