> ## Documentation Index
> Fetch the complete documentation index at: https://docs.prowler.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Scanning a Specific GCP Organization

By default, Prowler scans all Google Cloud projects accessible to the authenticated user.

To limit the scan to projects within a specific Google Cloud organization, use the `--organization-id` option with the GCP organization’s ID:

```console theme={null}
prowler gcp --organization-id organization-id
```

<Warning>
  Ensure the credentials used have one of the following roles bound **at the organization node** (not at a project): Cloud Asset Viewer (`roles/cloudasset.viewer`) or Cloud Asset Owner (`roles/cloudasset.owner`). The role must be bound directly on the organization so the Cloud Asset API can enumerate projects across the whole hierarchy.

  ```bash theme={null}
  gcloud organizations add-iam-policy-binding <organization-id> \
    --member="serviceAccount:<service-account-email>" \
    --role="roles/cloudasset.viewer"
  ```

  The Cloud Asset API (`cloudasset.googleapis.com`) must also be enabled in the project that owns the credentials (the service account's host project, or the quota project for user credentials):

  ```bash theme={null}
  gcloud services enable cloudasset.googleapis.com --project <credentials-project-id>
  ```
</Warning>

<Note>
  With this option, Prowler retrieves all projects under the specified Google Cloud organization, including those organized within folders and nested subfolders. This ensures full visibility across the entire organization’s hierarchy.
</Note>

<Note>
  To obtain the Google Cloud organization ID, use:

  ```console theme={null}
  gcloud organizations list
  ```
</Note>
