GCP Organization audit with service account fails

[mrtnrdl]

Issue search

• I have searched the existing issues and this bug has not been reported yet

Which component is affected?

Prowler CLI/SDK

Cloud Provider (if applicable)

GCP

Steps to Reproduce

I want to audit a GCP organization with prowler-cli. To achieve this, I tested it with my user account that has the roles/iam.securityAuditor role. Authenticated with that account, i can scan the organization.

To automate this, we created a service account with the roles/iam.securityAuditor role attached. Auditing the organization with that files silently - it only scans the service accounts home project.

Steps to reproduce

Scan GCP organization with user account

prowler gcp

Prowler version v5.24.0

scans whole org

Scan GCP organization with service account

prowler gcp

scans project where the SA has been created in

prowler gcp --organization-id 9999999999

scans project where the SA has been created in

Expected behavior

prowler gcp --organization-id 999999999 with the service account scans whole organization.

Actual Result with Screenshots or Logs

❯ prowler gcp --credentials-file gcp-sec-auditor.json --organization-id 9999999999                         
 _ __  _ __ _____      _| | ___ _ __
| '_ \| '__/ _ \ \ /\ / / |/ _ \ '__|
| |_) | | | (_) \ V  V /| |  __/ |
| .__/|_|  \___/ \_/\_/ |_|\___|_|v5.24.0
|_| Get the most at https://cloud.prowler.com

New! Send findings from Prowler CLI to Prowler Cloud
More details here: goto.prowler.com/import-findings

Date: 2026-05-20 09:31:20

-> Using the GCP credentials below:
  · GCP Account: prowler-audit@log-monitor.iam.gserviceaccount.com
  · GCP Project IDs: log-monitor-9999999999
  · Profile: prowler-audit@log-monitor.iam.gserviceaccount.com

-> Using the following configuration:
  · Config File: /opt/homebrew/Cellar/prowler/5.24.0/libexec/lib/python3.12/site-packages/prowler/config/config.yaml

Executing 102 checks, please wait...
-> Scanning cloudstorage service |▉▉▉▉▉▉▉▉▉▉▉▉▌⚠︎                          | (!) 32/102 [31%] in 9.9s

Overview Results:
╭─────────────────┬───────────────────┬────────────────╮
│ 0.0% (0) Failed │ 100.0% (1) Passed │ 0.0% (0) Muted │
╰─────────────────┴───────────────────┴────────────────╯

How did you install Prowler?

From brew (brew install prowler)

Environment Resource

To reproduce the issue, i've ran it on my local machine.

OS used

MacOS

Prowler version

v5.24.0

Python version

Python 3.14.4

Pip version

pip 26.0.1 from /opt/homebrew/lib/python3.14/site-packages/pip (python 3.14)

Context

I've ran into this issue while trying to add GCP scanning after I've implemented the same for multiple AWS account and our m365.

The target environment is a the docker container on a linux server - the same behaviour could be observed there.

[puchy22]

Hi @mrtnrdl, thanks for the detailed report.

I opened #11280 with a tentative fix. It looks that part of the code wasn't taking into account some kind of errors and it was silently skipping, now it should fail and shot the user the right logs.

What I think is going on

With --organization-id, Prowler lists projects via the Cloud Asset Inventory API. That call needs more than roles/iam.securityAuditor (you can check our docs for this information: https://docs.prowler.com/user-guide/providers/gcp/organization):

1. roles/cloudasset.viewer bound at the organization node (not a project) — securityAuditor doesn't include cloudasset.assets.list.
2. Cloud Asset API (cloudasset.googleapis.com) enabled in the SA's host project.

When that call fails, the current code swallows the HttpError and silently falls back to the project_id in your credentials JSON — your SA host project (log-monitor-9999999999). That matches your output exactly.

I can't confirm it's specifically the role vs. the API enablement vs. the binding scope without your logs, since the silent fallback hides which one failed.

What the PR changes

• Raises a clear GCPGetOrganizationProjectsError instead of swallowing the API error.
• Removes the silent home-project fallback when --organization-id was requested.
• Docs updated for the role scope and API enablement.

What to try

Likely missing pieces:

gcloud organizations add-iam-policy-binding 9999999999 \
  --member="serviceAccount:prowler-audit@log-monitor.iam.gserviceaccount.com" \
  --role="roles/cloudasset.viewer"

gcloud services enable cloudasset.googleapis.com --project=log-monitor

Then re-run your command. If it still scans only the host project, could you run it against my PR branch (#11280) with --log-level ERROR --verbose and share the output? With those flags + the PR's changes, the underlying HttpError will be visible on the CLI instead of buried — that'll tell us exactly which prerequisite is still missing.