Stay organized with collections
Save and categorize content based on your preferences.
Depending on your needs, you might need to design your architecture to work
across multiple projects when using Cloud Asset Inventory. The following scenarios
are the most common:
Orchestrator projects: When you want a single project to
trigger Cloud Asset Inventory operations in other projects.
Export across projects: When you want to export resource
metadata from one project to another.
Each of these scenarios requires some setup to ensure that operations complete
successfully.
Orchestrator projects
When you use a project to trigger Cloud Asset Inventory operations on resources in
another project, in certain scenarios you need to specify that the default
Cloud Asset Inventory service account in the other project be used to perform the
operation. These scenarios include:
To set which service account to use, you set the billing project to the ID of
the project that contains the resources you're operating on. If the billing
project isn't specified, Cloud Asset Inventory uses the default Cloud Asset Inventory
service account in the project that's making the call, which might not have the
permissions required to complete the operation.
Although it isn't required for all operations, it can be good practice to always
specify a billing project to minimize confusion.
gcloud
For the gcloud CLI, add the --billing-project flag to your
command to specify the project ID that contains the correct service account:
--billing-project=BILLING_PROJECT_ID
Alternatively, you can set the billing project before you run commands with
the gcloud CLI. First, check if the billing project is different
from the core project:
BILLING_PROJECT_ID: A project ID that has the
Cloud Asset Inventory API is enabled, and a service account with permissions to
manage your target Pub/Sub topic, Cloud Storage bucket, or
BigQuery table.
REST
For the REST API, add the X-Goog-User-Project header to specify the project
ID that contains the correct service account:
"X-Goog-User-Project: BILLING_PROJECT_ID"
Provide the following values:
BILLING_PROJECT_ID: A project ID that has the
Cloud Asset Inventory API is enabled, and a service account with permissions to
manage your target Pub/Sub topic, Cloud Storage bucket, or
BigQuery table.
Export across projects
To export asset metadata from one project, PROJECT_A, to another, PROJECT_B,
you must give the default Cloud Asset Inventory service account in PROJECT_A access to
the resources in PROJECT_B.
This enables two things:
You can export asset metadata from PROJECT_A into a Pub/Sub topic,
Cloud Storage bucket, or BigQuery table located in
PROJECT_B.
You can use PROJECT_A to export asset metadata from PROJECT_B into a
Pub/Sub topic, Cloud Storage bucket, or BigQuery
table located in PROJECT_B.
To export asset metadata from one project into another, complete the following
instructions:
Make sure that the
Cloud Asset Inventory API is
enabled in the project you want to run your request from, PROJECT_A.
Make at least one call to the Cloud Asset Inventory API in PROJECT_A to create the
default Cloud Asset Inventory service account. Alternatively, you can create it
manually:
To write to a BigQuery table, grant the
BigQuery Data Editor
(roles/bigquery.dataEditor) and
BigQuery user
(roles/bigquery.user) roles to the service account on the project:
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[[["\u003cp\u003eCloud Asset Inventory operations may require configuring a project as an orchestrator to trigger actions in other projects.\u003c/p\u003e\n"],["\u003cp\u003eWhen using an orchestrator project, you often need to designate a billing project to ensure the correct service account within another project is used for operations like exporting metadata or monitoring asset changes.\u003c/p\u003e\n"],["\u003cp\u003eExporting asset metadata between different projects requires granting the default Cloud Asset Inventory service account in the initiating project access to resources in the target project.\u003c/p\u003e\n"],["\u003cp\u003eTo use a different project's resources, like Pub/Sub topics, Cloud Storage buckets, or BigQuery tables, the initiating project's service account must be granted the necessary roles within the target project.\u003c/p\u003e\n"],["\u003cp\u003eTo specify a billing project when using gcloud you must add the \u003ccode\u003e--billing-project\u003c/code\u003e flag, and for the REST API, add the \u003ccode\u003eX-Goog-User-Project\u003c/code\u003e header to indicate the project ID that has the correct service account.\u003c/p\u003e\n"]]],[],null,["# Work across multiple projects\n\nDepending on your needs, you might need to design your architecture to work\nacross multiple projects when using Cloud Asset Inventory. The following scenarios\nare the most common:\n\n- [**Orchestrator projects**](#orchestrator): When you want a single project to\n trigger Cloud Asset Inventory operations in other projects.\n\n- [**Export across projects**](#export): When you want to export resource\n metadata from one project to another.\n\nEach of these scenarios requires some setup to ensure that operations complete\nsuccessfully.\n\nOrchestrator projects\n---------------------\n\nWhen you use a project to trigger Cloud Asset Inventory operations on resources in\nanother project, in certain scenarios you need to specify that the default\nCloud Asset Inventory service account in the other project be used to perform the\noperation. These scenarios include:\n\n- [Exporting asset metadata to BigQuery](/asset-inventory/docs/export-bigquery)\n\n- [Exporting asset metadata to Cloud Storage buckets](/asset-inventory/docs/export-cloud-storage)\n\n- [Monitoring asset changes with Pub/Sub](/asset-inventory/docs/monitor-asset-changes)\n\nTo set which service account to use, you set the *billing project* to the ID of\nthe project that contains the resources you're operating on. If the billing\nproject isn't specified, Cloud Asset Inventory uses the default Cloud Asset Inventory\nservice account in the project that's making the call, which might not have the\npermissions required to complete the operation.\n\nAlthough it isn't required for all operations, it can be good practice to always\nspecify a billing project to minimize confusion.\n\n### gcloud\n\nFor the gcloud CLI, add the `--billing-project` flag to your\ncommand to specify the project ID that contains the correct service account: \n\n --billing-project=\u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e\n\nAlternatively, you can set the billing project before you run commands with\nthe gcloud CLI. First, check if the billing project is different\nfrom the core project: \n\n gcloud config list\n\nThen if you need to, set the billing project: \n\n gcloud config set billing/quota_project \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e\n\nProvide the following values:\n\n- \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e: A project ID that has the Cloud Asset Inventory API is enabled, and a service account with permissions to manage your target Pub/Sub topic, Cloud Storage bucket, or BigQuery table.\n\n### REST\n\nFor the REST API, add the `X-Goog-User-Project` header to specify the project\nID that contains the correct service account: \n\n \"X-Goog-User-Project: \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e\"\n\nProvide the following values:\n\n- \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e: A project ID that has the Cloud Asset Inventory API is enabled, and a service account with permissions to manage your target Pub/Sub topic, Cloud Storage bucket, or BigQuery table.\n\nExport across projects\n----------------------\n\nTo export asset metadata from one project, `PROJECT_A`, to another, `PROJECT_B`,\nyou must give the default Cloud Asset Inventory service account in `PROJECT_A` access to\nthe resources in `PROJECT_B`.\n\nThis enables two things:\n\n- You can export asset metadata from `PROJECT_A` into a Pub/Sub topic,\n Cloud Storage bucket, or BigQuery table located in\n `PROJECT_B`.\n\n- You can use `PROJECT_A` to export asset metadata from `PROJECT_B` into a\n Pub/Sub topic, Cloud Storage bucket, or BigQuery\n table located in `PROJECT_B`.\n\nTo export asset metadata from one project into another, complete the following\ninstructions:\n\n1. Make sure that the\n [Cloud Asset Inventory API](https://console.cloud.google.com/apis/library/cloudasset.googleapis.com) is\n enabled in the project you want to run your request from, `PROJECT_A`.\n\n2. Make at least one call to the Cloud Asset Inventory API in `PROJECT_A` to create the\n default Cloud Asset Inventory service account. Alternatively, you can create it\n manually:\n\n gcloud beta services identity create \\\n --service=cloudasset.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_A_ID\u003c/var\u003e\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_A_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/cloudasset.serviceAgent\n\n\n How to find a Google Cloud project number\n\n ### Google Cloud console\n\n To find a Google Cloud project number, complete the following steps:\n 1. Go to the **Welcome** page in the Google Cloud console.\n\n\n [Go to Welcome](https://console.cloud.google.com/welcome)\n 2. Click the **switcher** list box in the menu bar.\n 3.\n Select your organization from the list box, and then search for your project name.\n The project name, project number, and project ID are shown near the **Welcome**\n heading.\n\n\n Up to 4,000 resources are displayed. If you don't see the project you're looking for,\n go to the\n [**Manage resources**](https://console.cloud.google.com//cloud-resource-manager) page and\n filter the list using the name of that project.\n\n ### gcloud CLI\n\n You can retrieve a Google Cloud project number with the following command: \n\n ```bash\n gcloud projects describe PROJECT_ID --format=\"value(projectNumber)\"\n ```\n\n \u003cbr /\u003e\n\n3. Grant the correct roles to the service account in `PROJECT_A`.\n\n - To publish to a feed through Pub/Sub, grant the\n [Pub/Sub Publisher role](/iam/docs/understanding-roles#pubsub.publisher)\n (`roles/pubsub.publisher`) role to the service account on the topic:\n\n gcloud pubsub topics add-iam-policy-binding projects/\u003cvar translate=\"no\"\u003ePROJECT_B_ID\u003c/var\u003e/topics/\u003cvar translate=\"no\"\u003eTOPIC_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/pubsub.publisher\n\n - To write to a Cloud Storage bucket, grant the\n [Storage admin](/iam/docs/understanding-roles#storage.admin)\n (`roles/storage.admin`) role to the service account on the bucket:\n\n gcloud storage buckets add-iam-policy-binding gs://\u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/storage.admin\n\n - To write to a BigQuery table, grant the\n [BigQuery Data Editor](/iam/docs/understanding-roles#bigquery.dataEditor)\n (`roles/bigquery.dataEditor`) and\n [BigQuery user](/iam/docs/understanding-roles#bigquery.user)\n (`roles/bigquery.user`) roles to the service account on the project:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_B_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/bigquery.dataEditor\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_B_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/bigquery.user\n\nIf you make a Cloud Asset Inventory request with the gcloud CLI from\n`PROJECT_B` or use the REST API, make sure to\n[specify `PROJECT_A` as the billing project](#billing-project)."]]
