By default, Prowler scans all Google Cloud projects accessible to the authenticated user. To limit the scan to projects within a specific Google Cloud organization, use the --organization-id option with the GCP organization’s ID:
prowler gcp --organization-id organization-id
Ensure the credentials used have one of the following roles bound at the organization node (not at a project): Cloud Asset Viewer (roles/cloudasset.viewer) or Cloud Asset Owner (roles/cloudasset.owner). The role must be bound directly on the organization so the Cloud Asset API can enumerate projects across the whole hierarchy.
gcloud organizations add-iam-policy-binding <organization-id> \
  --member="serviceAccount:<service-account-email>" \
  --role="roles/cloudasset.viewer"
The Cloud Asset API (cloudasset.googleapis.com) must also be enabled in the project that owns the credentials (the service account’s host project, or the quota project for user credentials):
gcloud services enable cloudasset.googleapis.com --project <credentials-project-id>
With this option, Prowler retrieves all projects under the specified Google Cloud organization, including those organized within folders and nested subfolders. This ensures full visibility across the entire organization’s hierarchy.
To obtain the Google Cloud organization ID, use:
gcloud organizations list
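Before running the organization-wide scan it is worth confirming the two prerequisites above mechanically: that the scanning identity holds roles/cloudasset.viewer or roles/cloudasset.owner directly on the organization node (an unconditional binding, not a project-level or conditional one), and that cloudasset.googleapis.com is enabled in the credentials project. The following preflight check is an added example and is not part of Prowler or of this page; it parses the JSON that `gcloud organizations get-iam-policy <org-id> --format=json` and `gcloud services list --enabled --project <id> --format=json` emit. The JSON shapes, the service account email, the organization ID and the sample policy are assumptions constructed for the example.

```python
import json
import subprocess
import sys

# Roles the documentation accepts for organization-wide project enumeration.
REQUIRED_ROLES = {"roles/cloudasset.viewer", "roles/cloudasset.owner"}
CLOUD_ASSET_API = "cloudasset.googleapis.com"

# Constructed sample identity (hypothetical, not a real account).
SA_MEMBER = "serviceAccount:prowler@example-host.iam.gserviceaccount.com"

# Constructed sample of `gcloud organizations get-iam-policy --format=json`
# (assumed shape: {"bindings": [{"role": ..., "members": [...], "condition"?: {...}}]}).
ORG_POLICY_SAMPLE = {
    "bindings": [
        {"role": "roles/resourcemanager.organizationViewer",
         "members": [SA_MEMBER]},
        {"role": "roles/cloudasset.viewer",
         "members": [SA_MEMBER]},
        # A conditional grant: may already have expired when Prowler runs.
        {"role": "roles/cloudasset.owner",
         "members": ["user:admin@example.com"],
         "condition": {"title": "temporary",
                       "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    ],
    "etag": "BwXconstructed=",
    "version": 3,
}

# Constructed sample of `gcloud services list --enabled --format=json`
# (assumed shape: list of {"config": {"name": ...}, "state": "ENABLED"}).
ENABLED_SERVICES_SAMPLE = [
    {"config": {"name": "cloudasset.googleapis.com"}, "state": "ENABLED"},
    {"config": {"name": "cloudresourcemanager.googleapis.com"}, "state": "ENABLED"},
]


def org_asset_roles_for(member, org_policy):
    """Return the subset of REQUIRED_ROLES bound unconditionally to `member`
    in an organization-level IAM policy. Conditional bindings are ignored
    because they may not apply at scan time."""
    found = set()
    for binding in org_policy.get("bindings", []):
        if "condition" in binding:
            continue
        if binding.get("role") in REQUIRED_ROLES and member in binding.get("members", []):
            found.add(binding["role"])
    return found


def asset_api_enabled(enabled_services):
    """True if the Cloud Asset API appears in the enabled-services listing."""
    return any(svc.get("config", {}).get("name") == CLOUD_ASSET_API
               for svc in enabled_services)


def preflight(member, org_policy, enabled_services):
    """Return a list of problems; an empty list means `prowler gcp
    --organization-id` has what it needs to enumerate every project."""
    problems = []
    if not org_asset_roles_for(member, org_policy):
        problems.append(
            f"{member} has no unconditional {' or '.join(sorted(REQUIRED_ROLES))} "
            "binding at the organization node")
    if not asset_api_enabled(enabled_services):
        problems.append(f"{CLOUD_ASSET_API} is not enabled in the credentials project")
    return problems


def fetch_live(org_id, project_id):
    """Pull the real policy and service list with gcloud (requires an
    authenticated gcloud; not used in the offline sample run)."""
    policy = json.loads(subprocess.check_output(
        ["gcloud", "organizations", "get-iam-policy", org_id, "--format=json"]))
    services = json.loads(subprocess.check_output(
        ["gcloud", "services", "list", "--enabled",
         "--project", project_id, "--format=json"]))
    return policy, services


if __name__ == "__main__":
    if len(sys.argv) == 4:
        # usage: preflight.py <member> <organization-id> <credentials-project-id>
        member, org_id, project_id = sys.argv[1:]
        policy, services = fetch_live(org_id, project_id)
    else:
        member, policy, services = SA_MEMBER, ORG_POLICY_SAMPLE, ENABLED_SERVICES_SAMPLE
    for problem in preflight(member, policy, services) or ["prerequisites satisfied"]:
        print(problem)
```

Run without arguments it evaluates the constructed sample; with a member, organization ID and credentials project ID it queries gcloud for the live policy. The check deliberately rejects conditional bindings, since a binding that has expired or that depends on request attributes will still appear in the policy while silently leaving folders or projects out of the scan.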