Analyze project move
This guide describes how to use the Cloud Asset Inventory Analyze Move API to get adetailed report on warnings and blockers from a list of critical policiessystems prior to actually moving your project.
Enable APIs
Select or create a project as your API consumer project, enableCloud Asset API
This consumer project can be different from the project you plan to analyze andmigrate. Consumer project will be used to generate credentials to make APIrequest.
The next section describes the required roles and permissions that must begranted on the source project you plan to analyze.
Required permissions
To perform a project move analysis, you need a role that grants thecloudasset.assets.analyzeMove permission, such asCloud Asset Viewer orViewer.
To receive analysis on a service, you also need roles related to those services.These permissions include the following:
If you want to view the inherited allow policies from the sourceproject's parent organization resource, you need the
resourcemanager.organizations.getIamPolicypermission on thesource project's parent organization resource.If you want to view the inherited allow policies from the sourceproject's parent folder, you need the
resourcemanager.folders.getIamPolicypermission on the source project's parent folder.If you want to view the allow policies on the project,you need the
resourcemanager.projects.getIamPolicypermission on the sourceproject.If you want to view the inherited deny policies from the sourceproject's parent organization resource, you need the
iam.denypolicies.getpermission on the source project's parent organization resource.If you want to view the organization policies that are inherited on thisproject, you need the
orgpolicy.policy.getpermission on the source project.If you want to view the Compute Engine firewall policies that are inheritedon this project, you need the
compute.organizations.setSecurityPolicypermission on the source folder or organization resource.If you want to view the inherited tags on this project, you need the
resourcemanager.hierarchyNodes.listEffectiveTagspermission on the source project or its ancestor nodes.
Perform the analysis
You can use the Google Cloud CLI or the API to analyze the migration of aresource from its current place in the resource hierarchy.
Note: This API does not perform any checks on the destination organization resource.Even if the destination organization resource specified in the API call does not exist,the analysis of the project to be moved is still performed.gcloud
To analyze the impacts of migrating a project from its current position inthe resource hierarchy, use thegcloud asset analyze-move command:
gcloud asset analyze-move --project=PROJECT_ID \ (--destination-folder=FOLDER_ID \ | --destination-organization=ORGANIZATION_ID)
To analyze the impacts of moving a project to a differentfolder, runthe command with--destination-folder:
gcloud asset analyze-move --project=PROJECT_ID \ --destination-folder=FOLDER_ID
To analyze the impacts of moving a project to a differentorganization,run the command with--destination-organization:
gcloud asset analyze-move --project=PROJECT_ID \ --destination-organization=ORGANIZATION_ID
Where:
PROJECT_IDis the unique project ID of theproject you are migrating. For example,--myProject123.FOLDER_IDis the numerical folder ID of thedestination folder on which to perform the analysis.For example,45678901123.ORGANIZATION_IDis the numerical organizationID of the destination organization on which to perform the analysis.For example,78901123456.
API
To analyze the impacts of migrating a project from its current position inthe resource hierarchy without performing the move, use thecloudasset.analyzeMove method:
GET https://cloudasset.googleapis.com/v1/{resource=*/*}: \ analyzeMove?destinationParent=DESTINATION_NAMEWhere:
resourceis the name of the resource on which toperform the analysis. Only project resources are supported, so this mustbe the Project ID or a Project Number. For example,projects/my-project-idorprojects/12345.DESTINATION_NAMEis the name of theGoogle Cloud folder or organization resource to reparent the targetresource. The analysis will be performed on the impacts of moving theresource to the specified destination parent. The destination must bea folder number or an organization resource number.For example,folders/123ororganizations/123.
Move analysis responses
The response you receive from the Move Analysis API is grouped by service name.Under each service is a list of warnings and blockers applicable to thisproject migration. Any blockers being returned by this analysis means that theproject migration will be blocked at run time if you proceed with the movebefore resolving them.
Note: Analysis results may not include functionality for services and featuresthat are in preview. If your projects are part of any preview, please refer tothat feature's user guide.Troubleshooting errors
If there is an error returned by the Move Analysis API, it includes a standardgRPC code, as wellas a message that describes the reason for the failure of the Move AnalysisAPI to analyze the project.
The following table describes the error codes that could potentially be returnedby the Move Analysis API:
| Error name | Error code | Description |
|---|---|---|
| Invalid argument | 3 | Returned if you call the API on a project with aninvalid argument, such as an incorrect resourcename. |
| Permission denied | 7 | Returned if you do not have the permissionsnecessary to perform the analysis or the sourceproject does not exist. |
| Internal | 13 | Returned if there is an issue with a call to apolicy system such as Identity and Access Management ororganization policy. This does not indicate thatthe migration is not possible, and you can retrythe analysis after checking the service for anoutage. |
| Unavailable | 14 | Returned if an internal system is out of sync.This does not indicate that the migration is notpossible, and you can retry the analysis. |
| Unauthenticated | 16 | Returned if you have not provided the correctcredentials to perform this analysis. |
Example error message
The following example demonstrates the error code returned for a user that doesnot have thecloudasset.assets.analyzeMove permission on the project to be migrated:
{"error":{"code":403,"message":"Failed to fetch Project: projects/test-project-service-3 to perform move analysis.","status":"PERMISSION_DENIED"}}Some of the policy systems may fail to analyze the resource move. The followingexample demonstrates the error returned from the Hierarchical Firewall servicewhen the user does not havecompute.organizations.setSecurityPolicypermission on the project to be migrated:
{"moveAnalysis":[{"displayName":"name hidden","analysis":{"warnings":[{"detail":"details hidden"}]}},{"displayName":"name hidden","analysis":{"warnings":[{"detail":"details hidden"}]}},{"displayName":"Hierarchical Firewall","error":{"code":7,"message":"Failed to retrieve inherited security policies to perform analysis. Required 'compute.organizations.setSecurityPolicy' permission for {resource ID}"}}]}What's next
The Move Analysis API provides details that help mitigate blockers and otherissues when moving a project from one organization resource to another. For moreinformation about migrating projects between organization resources, seeMigrating projects.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-18 UTC.