[[["易于理解","easyToUnderstand","thumb-up"],["解决了我的问题","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["很难理解","hardToUnderstand","thumb-down"],["信息或示例代码不正确","incorrectInformationOrSampleCode","thumb-down"],["没有我需要的信息/示例","missingTheInformationSamplesINeed","thumb-down"],["翻译问题","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["最后更新时间 (UTC):2025-09-04。"],[[["\u003cp\u003eCloud Asset Inventory operations may require configuring a project as an orchestrator to trigger actions in other projects.\u003c/p\u003e\n"],["\u003cp\u003eWhen using an orchestrator project, you often need to designate a billing project to ensure the correct service account within another project is used for operations like exporting metadata or monitoring asset changes.\u003c/p\u003e\n"],["\u003cp\u003eExporting asset metadata between different projects requires granting the default Cloud Asset Inventory service account in the initiating project access to resources in the target project.\u003c/p\u003e\n"],["\u003cp\u003eTo use a different project's resources, like Pub/Sub topics, Cloud Storage buckets, or BigQuery tables, the initiating project's service account must be granted the necessary roles within the target project.\u003c/p\u003e\n"],["\u003cp\u003eTo specify a billing project when using gcloud you must add the \u003ccode\u003e--billing-project\u003c/code\u003e flag, and for the REST API, add the \u003ccode\u003eX-Goog-User-Project\u003c/code\u003e header to indicate the project ID that has the correct service account.\u003c/p\u003e\n"]]],[],null,["# Work across multiple projects\n\nDepending on your needs, you might need to design your architecture to work\nacross multiple projects when using Cloud Asset Inventory. The following scenarios\nare the most common:\n\n- [**Orchestrator projects**](#orchestrator): When you want a single project to\n trigger Cloud Asset Inventory operations in other projects.\n\n- [**Export across projects**](#export): When you want to export resource\n metadata from one project to another.\n\nEach of these scenarios requires some setup to ensure that operations complete\nsuccessfully.\n\nOrchestrator projects\n---------------------\n\nWhen you use a project to trigger Cloud Asset Inventory operations on resources in\nanother project, in certain scenarios you need to specify that the default\nCloud Asset Inventory service account in the other project be used to perform the\noperation. These scenarios include:\n\n- [Exporting asset metadata to BigQuery](/asset-inventory/docs/export-bigquery)\n\n- [Exporting asset metadata to Cloud Storage buckets](/asset-inventory/docs/export-cloud-storage)\n\n- [Monitoring asset changes with Pub/Sub](/asset-inventory/docs/monitor-asset-changes)\n\nTo set which service account to use, you set the *billing project* to the ID of\nthe project that contains the resources you're operating on. If the billing\nproject isn't specified, Cloud Asset Inventory uses the default Cloud Asset Inventory\nservice account in the project that's making the call, which might not have the\npermissions required to complete the operation.\n\nAlthough it isn't required for all operations, it can be good practice to always\nspecify a billing project to minimize confusion.\n\n### gcloud\n\nFor the gcloud CLI, add the `--billing-project` flag to your\ncommand to specify the project ID that contains the correct service account: \n\n --billing-project=\u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e\n\nAlternatively, you can set the billing project before you run commands with\nthe gcloud CLI. First, check if the billing project is different\nfrom the core project: \n\n gcloud config list\n\nThen if you need to, set the billing project: \n\n gcloud config set billing/quota_project \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e\n\nProvide the following values:\n\n- \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e: A project ID that has the Cloud Asset Inventory API is enabled, and a service account with permissions to manage your target Pub/Sub topic, Cloud Storage bucket, or BigQuery table.\n\n### REST\n\nFor the REST API, add the `X-Goog-User-Project` header to specify the project\nID that contains the correct service account: \n\n \"X-Goog-User-Project: \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e\"\n\nProvide the following values:\n\n- \u003cvar translate=\"no\"\u003eBILLING_PROJECT_ID\u003c/var\u003e: A project ID that has the Cloud Asset Inventory API is enabled, and a service account with permissions to manage your target Pub/Sub topic, Cloud Storage bucket, or BigQuery table.\n\nExport across projects\n----------------------\n\nTo export asset metadata from one project, `PROJECT_A`, to another, `PROJECT_B`,\nyou must give the default Cloud Asset Inventory service account in `PROJECT_A` access to\nthe resources in `PROJECT_B`.\n\nThis enables two things:\n\n- You can export asset metadata from `PROJECT_A` into a Pub/Sub topic,\n Cloud Storage bucket, or BigQuery table located in\n `PROJECT_B`.\n\n- You can use `PROJECT_A` to export asset metadata from `PROJECT_B` into a\n Pub/Sub topic, Cloud Storage bucket, or BigQuery\n table located in `PROJECT_B`.\n\nTo export asset metadata from one project into another, complete the following\ninstructions:\n\n1. Make sure that the\n [Cloud Asset Inventory API](https://console.cloud.google.com/apis/library/cloudasset.googleapis.com) is\n enabled in the project you want to run your request from, `PROJECT_A`.\n\n2. Make at least one call to the Cloud Asset Inventory API in `PROJECT_A` to create the\n default Cloud Asset Inventory service account. Alternatively, you can create it\n manually:\n\n gcloud beta services identity create \\\n --service=cloudasset.googleapis.com \\\n --project=\u003cvar translate=\"no\"\u003ePROJECT_A_ID\u003c/var\u003e\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_A_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/cloudasset.serviceAgent\n\n\n How to find a Google Cloud project number\n\n ### Google Cloud console\n\n To find a Google Cloud project number, complete the following steps:\n 1. Go to the **Welcome** page in the Google Cloud console.\n\n\n [Go to Welcome](https://console.cloud.google.com/welcome)\n 2. Click the **switcher** list box in the menu bar.\n 3.\n Select your organization from the list box, and then search for your project name.\n The project name, project number, and project ID are shown near the **Welcome**\n heading.\n\n\n Up to 4,000 resources are displayed. If you don't see the project you're looking for,\n go to the\n [**Manage resources**](https://console.cloud.google.com//cloud-resource-manager) page and\n filter the list using the name of that project.\n\n ### gcloud CLI\n\n You can retrieve a Google Cloud project number with the following command: \n\n ```bash\n gcloud projects describe PROJECT_ID --format=\"value(projectNumber)\"\n ```\n\n \u003cbr /\u003e\n\n3. Grant the correct roles to the service account in `PROJECT_A`.\n\n - To publish to a feed through Pub/Sub, grant the\n [Pub/Sub Publisher role](/iam/docs/understanding-roles#pubsub.publisher)\n (`roles/pubsub.publisher`) role to the service account on the topic:\n\n gcloud pubsub topics add-iam-policy-binding projects/\u003cvar translate=\"no\"\u003ePROJECT_B_ID\u003c/var\u003e/topics/\u003cvar translate=\"no\"\u003eTOPIC_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/pubsub.publisher\n\n - To write to a Cloud Storage bucket, grant the\n [Storage admin](/iam/docs/understanding-roles#storage.admin)\n (`roles/storage.admin`) role to the service account on the bucket:\n\n gcloud storage buckets add-iam-policy-binding gs://\u003cvar translate=\"no\"\u003eBUCKET_NAME\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/storage.admin\n\n - To write to a BigQuery table, grant the\n [BigQuery Data Editor](/iam/docs/understanding-roles#bigquery.dataEditor)\n (`roles/bigquery.dataEditor`) and\n [BigQuery user](/iam/docs/understanding-roles#bigquery.user)\n (`roles/bigquery.user`) roles to the service account on the project:\n\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_B_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/bigquery.dataEditor\n gcloud projects add-iam-policy-binding \u003cvar translate=\"no\"\u003ePROJECT_B_ID\u003c/var\u003e \\\n --member=serviceAccount:service-\u003cvar translate=\"no\"\u003ePROJECT_A_NUMBER\u003c/var\u003e@gcp-sa-cloudasset.iam.gserviceaccount.com \\\n --role=roles/bigquery.user\n\nIf you make a Cloud Asset Inventory request with the gcloud CLI from\n`PROJECT_B` or use the REST API, make sure to\n[specify `PROJECT_A` as the billing project](#billing-project)."]]