Migrating Existing Projects into the Organization

Once an Organization resource has been created for your domain, you can move your existing projects into the organization. You must be an owner or an editor of the project and a Project Creator in the organization to be able to move the projects.

All projects created after the creation of the Organization resource will automatically belong to the Organization resource. You can migrate a project into an organization using the GCP Console, the Resource Manager API, or the gcloud command-line tool.

Project migration isn't reversible. After a project is associated with an organization, you can't change it back to "no organization" or move it to another organization on your own. To change the organization a project is associated with, you'll need to be a G Suite or Cloud Premium customer with a support package. If you have a G Suite or Cloud Premium support package, you can get help from G Suite Support or GCP Premium Support.

Console


  1. Open the IAM & admin > Settings page in the GCP Console.

    Open the Settings page

  2. Click Select, then select No Organization from the Organization list.

  3. Select the project you want to migrate, then click Migrate.

  4. Select the desired Organization for your project from the Organization list.

Remember, after a project is added to an Organization, you cannot undo the selection on your own.

gcloud


To migrate a project into an organization, run the follwing command:

gcloud alpha projects move [PROJECT_ID] --organization [ORGANIZATION_ID]

where,

  • PROJECT_ID is the ID of the project you wish to move into the organization.
  • ORGANIZATION_ID is the ID of the organization to which you wish to move the project.

Remember, after a project is added to an Organization, you cannot undo the selection on your own.

API


Using the Resource Manager API, you can move a project into the Organization resource by setting its parent field to the organization ID of the Organization. To move a project, you must have the owner or the editor role on the project, and the Project Creator role on the Organization.

To migrate a project into the Organization:

  • Get the project object using projects.get() method.
  • Set its parent field to the Organization ID of the Organization.
  • Update the project object using projects.update() method.

Remember that you can't change the parent field after you set it.

The following code snippet demonstrates the steps above:

    project = crm.projects().get(projectId=flags.projectId).execute()
    project['parent'] = {
        'type': 'organization',
        'id': flags.organizationId
    }

    project = crm.projects().update(
    projectId=flags.projectId, body=project).execute()

Note on policy implications

Cloud IAM policies that are already defined for a project are imported with the project. This means users who have permissions on a project before it moves maintain the permissions after the project is migrated into the organization.

Cloud IAM permissions are inherited and additive; if there are roles defined at the organization level, those roles are inherited by the projects as they are moved into the organization. If, for example, bob@myorganization.com has the Project Editor role defined at the organization level, he will also have this role on any project migrated into the organization. This does not break anything in existing projects, but more users may gain access due to inheritance.

Similarly, organization policies are also inherited down the hierarchy. By default no organization policy is defined for an organization when it is created. If you have subsequently defined organization policies on your organization, care needs to be taken when moving projects into the organization to make sure projects are consistent with such policies.

Adding a Billing Account Creator

To migrate existing billing accounts into an organization, a user must have the Billing Account Creator Cloud IAM role. By default, when an organization is created, all users in your domain are granted this role. To add additional Billing Account Creators, follow these steps:

Console

To grant the Billing Account Creator role using Google Cloud Platform Console:

  1. Go to the Manage resources page in the GCP Console:

    Open the Manage resources page

  2. Click the Organization drop-down at the top of the page and then select your organization.

  3. Select the check box for the Organization resource node to select it.

  4. Under Add members in the Permissions pane on the right, enter the email address of the user.

  5. In the Select a role drop-down, select Billing > Billing Account Creator.

  6. Click Add. A dialog will appear confirming the addition or update of the member and their new Billing Account Creator role.

Migrating existing billing accounts

Use the following steps to migrate your existing billing accounts into an organization. You must be a Billing Creator to be able to migrate billing accounts. Migrating a billing account into an Organization does not impact project services.

Console

If you have existing billing accounts, you can migrate them to your organization. You must be a Billing Creator to migrate billing accounts. Migrating a billing account into an Organization doesn't impact project services.

  1. Go to the GCP Console Billing page:
    GO TO THE BILLING PAGE
  2. In the drop-down at the top of the page, select No organization to see billing accounts that aren't associated with an organization.
  3. Under Billing account name, click the name of the billing account that you want to migrate.
  4. On the billling account details that appear, click Change Organization and then select the organization to which you want to migrate the billing account.

Send feedback about...

Google Cloud Resource Manager Documentation