Description
Problem
GCP Organization Provider fails with no projects available for organization discovery when the service account cannot list projects via cloudresourcemanager.Projects.List, even though org-level Asset API discovery does not require project listing.
This is a regression introduced in PR #719 (commit 334ae91 — "Added provider_ids for GCP"), merged Feb 28 via d933347. The change added an unconditional guard:
```go
if len(projects) == 0 {
    return nil, errkit.New("no projects available for organization discovery")
}
```

This blocks org-level discovery for any SA that authenticates fine but lacks `resourcemanager.projects.list` at the org level. Previously, `projects: []` was valid — `Resources()` correctly fell back to `organizations/{id}` scope for Asset API calls.
Impact
All GCP org-level integrations where the SA does not have project-list permission are broken. Confirmed affecting production customers (Unity, org 257001958474).
Root Cause
Commit 334ae91 added project_ids filtering support but applied the empty-projects guard unconditionally to both:
- Explicit `project_ids` config (where failing on empty is correct)
- Org-level discovery with no configured projects (where empty is expected and the Asset API handles it)
Fix
PR #737 separates the two paths:
- Configured `project_ids`: strict validation, hard error if they resolve to nothing
- No configured projects (org-level): `Projects.List` failure is a warning, provider proceeds with org-level Asset API
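The two paths described above, as an added example that is not cloudlist's own code: `Scope`, `resolveScope` and the injected `listProjects` callback (standing in for `cloudresourcemanager.Projects.List`) are assumptions for illustration, as is the exact behaviour when `project_ids` are configured but listing fails.

```go
package main

import (
	"errors"
	"fmt"
	"log"
)

// Scope is the Asset API scope the provider queries (hypothetical type, not cloudlist's).
type Scope struct {
	Parent   string   // "organizations/{id}"
	Projects []string // resolved project IDs; empty on the org-level path
}

// resolveScope keeps the issue's two paths apart: configured project_ids are validated strictly,
// with none configured a Projects.List failure is only a warning. listProjects is injected to run offline.
func resolveScope(orgID string, configured []string, listProjects func() ([]string, error)) (Scope, error) {
	listed, err := listProjects()
	if len(configured) > 0 {
		if err != nil {
			return Scope{}, fmt.Errorf("configured project_ids but Projects.List failed: %w", err)
		}
		visible := make(map[string]bool, len(listed))
		for _, p := range listed {
			visible[p] = true
		}
		var resolved []string
		for _, p := range configured {
			if visible[p] {
				resolved = append(resolved, p)
			}
		}
		if len(resolved) == 0 {
			return Scope{}, errors.New("no projects available for organization discovery")
		}
		return Scope{Parent: "organizations/" + orgID, Projects: resolved}, nil
	}
	if err != nil {
		// Org-level path: the SA may lack resourcemanager.projects.list; warn and continue.
		log.Printf("warning: Projects.List failed (%v); continuing with organizations/%s", err, orgID)
		listed = nil
	}
	return Scope{Parent: "organizations/" + orgID, Projects: listed}, nil
}

func main() {
	denied := func() ([]string, error) { return nil, errors.New("permission denied") }
	s, err := resolveScope("ORG_ID_PLACEHOLDER", nil, denied)
	fmt.Println(s.Parent, len(s.Projects), err)
}
```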
Reference
- Slack thread: https://projectdiscoveryhq.slack.com/archives/C05J80AEYJY/p1773063698481909
- Regression PR: Fix GCP provider to iterate over only provided project_ids in config instead of looping through All projects #719
- Regression commit: 334ae91
- Fix PR: fix(gcp): allow org-level discovery when Projects.List returns zero results #737