10

I would like to know the organization ID of my current project in GCP.

gcloud projects describe PROJECT_ID will show the parent which can be the organization, but if the parent is a folder, the organization ID does not appear.

I could recurse up the parent hierarchy of the folders using gcloud resource-manager folders describe FOLDER_ID, but that is a hassle. It is also impossible if I do not have organization-level permissions.

Yet I do have access to organization IDs: gcloud organizations list shows several organizations, though not their mapping to projects.

How can I achieve this?

Joshua Fox
  • 18,704
  • 23
  • 87
  • 147

2 Answers2

14

Use the below gcloud command in cloud shell.

gcloud projects get-ancestors {projectId}

This should give the output as below.

ID                      TYPE
Your-project-ID         project
123456789012            folder
567890123456            organization
Akshay Kalbhor
  • 151
  • 1
  • 5
4

If we read here we find that your organization is the root of the ancestor tree of your current project.

We also find that there is an API that can be called to retrieve the ancestry chain from a given project upwards. This means that we can retrieve the organization id of your project using that API.

The API is documented here.

It has the high level REST format of:

POST https://cloudresourcemanager.googleapis.com/v1/projects/{projectId}:getAncestry

A possible command might be:

curl -X POST -H "Authorization: Bearer \"$(gcloud auth application-default print-access-token)\"" \
          -H "Content-Type: application/json; charset=utf-8" \
             https://cloudresourcemanager.googleapis.com/v1/projects/<MY_PROJECT>:getAncestry
Joshua Fox
  • 18,704
  • 23
  • 87
  • 147
Kolban
  • 13,794
  • 3
  • 38
  • 60
  • That works! But please explain how to do direct REST calls. Can I do it with my local `gcloud` environment and without generating a credentials JSON? (With the credentials JSON I'd do `GOOGLE_APPLICATION_CREDENTIALS=` followed by `curl -X POST -H "Authorization: Bearer "$(gcloud auth application-default print-access-token) -H "Content-Type: application/json; charset=utf-8" https://cloudresourcemanager.googleapis.com/v1/projects/:getAncestry`) – Joshua Fox Jan 15 '20 at 15:09
  • Didn't you just answer your own question of how to make a REST call with your post using the "curl" command? – Kolban Jan 15 '20 at 21:15
  • Yes. It would be good to have runnable command in the official answer. Also, how do I do this using gcloud authenticated user (that was set up during `gcloud init`) rather than with a service-user json credentials file? – Joshua Fox Jan 16 '20 at 05:19
  • Howdy Joshua. Ive updated the answer with our best so far command. If we imagine that we need some credentials in order to make the call ... we should think about the concept of "Application Default Credentials". When you set the environment variable, you were setting some explicit credentials. However, if you are running in CLoud Shell or a GCP Compute Engine, you have implicit credentials. – Kolban Jan 16 '20 at 05:41
  • Thank you. I edited some typos in that string. I'd like to just run it as I run `gcloud` , on my dev machine, with no JSON file, but perhaps I'll ask that as a separate question – Joshua Fox Jan 16 '20 at 06:19
  • On how to avoid downloading a JSON from the Cloud Console, see here https://stackoverflow.com/questions/59764257 – Joshua Fox Jan 16 '20 at 09:36
  • 2
    Using `gcloud auth print-access-token` as the authentication command will avoid the need to download a separate JSON file – Joshua Fox Jan 16 '20 at 11:21
  • 2
    There's a gcloud command that uses this API now: `ORG_ID="$(gcloud projects get-ancestors $PROJECT_ID | grep organization | cut -f1 -d' ')"` – KarlKFI Oct 15 '20 at 20:18
  • Amazingly, `gcloud projects get-ancestors` (as of gcloud CLI version 428.0.0) doesn't accept the `--filter` argument like most other `gcloud` commands do. So, it seems we have to use command pipes (e.g., `grep`, `jq`, etc.) to massage the data as illustrated by @KarlKFI rather than using `gcloud ... --filter=...` – Vincent Yin May 02 '23 at 18:56