Migrating a project from one organization to another — GCP

Yogesh Rajagopal
Google Cloud - Community
3 min read · Apr 27, 2020


We had a requirement from our client to migrate all their GCP projects to another organization. We did not find proper documentation online initially. I spoke to support and found the limitations and the process to be followed in the Google console.

In this blog, I will explain the limitations and the process to follow when migrating a project from one organization to another. It is a manual, support-assisted process that requires project configuration.

Process:

Step 1: Analyze the list of projects that you would like to move, identify all dependencies (Shared VPC, custom roles), and prepare a mitigation plan for each.

Step 2: Move all the projects out of any folders in the current organization and into the top level.

Step 3: Contact Google support with a list of projects that you’d like to move from the current organization to another organization. Google support will move the projects out of the organization, so that they have no parent organization (No Organization).

Step 4: Once Google confirms the activity is completed, we will be migrating the projects to the destination organization.

NOTE: You cannot migrate a project which is associated with a Shared VPC. In this case, you will have to detach the service projects from the host project and then migrate.

a. Cloud IAM policies and service accounts that are already defined in a project are migrated with the project.

b. End users who have permissions on a project before we initiate migration will maintain the same permissions after the project is migrated into the destination organization.

c. During the migration phase, end users can continue to access the projects without any issues. (No Downtime needed)

Step 5: On the Organization drop-down list, select the organization you want to migrate your project to.

In this blog, we will be migrating a project named My First Project, which is highlighted below.

Click the project you want to migrate and go to IAM & Admin → Settings → Migrate.

Select the project name and click MIGRATE.

Click Select an Organization.

To migrate a project, you need the following roles on the organization to which you want to migrate your project. If you don’t have these roles, the target organization won’t appear in the Google Cloud Platform Console as a choice for migration.

Project Creator role (roles/resourcemanager.projectCreator)

Project Mover role (roles/resourcemanager.projectMover)

Now, select the target organization from the drop-down and the project will be migrated.

Select the destination organization from the dropdown.

Organization policy might differ when you migrate a project from one organization to another, so make sure you define the necessary organization policy before you migrate.

Cloud IAM policies that are already defined for a project are imported with the project. This means users who have permissions on a project before it moves will maintain the permissions after the project is migrated into the organization.
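The checks from the steps above can be run before opening the Migrate dialog. The following is an added example, not part of the original post: it assumes the project and the destination organization's IAM policy were exported as JSON (for instance with `gcloud projects describe` and `gcloud organizations get-iam-policy`, both with `--format=json`); the function names and all sample data are constructed for illustration.

```python
import json

# Roles the post says are needed on the destination organization.
REQUIRED_ROLES = {
    "roles/resourcemanager.projectCreator",
    "roles/resourcemanager.projectMover",
}

def missing_roles(org_policy, member):
    """Required roles not bound directly to `member` in the destination org policy.
    Assumption: group membership is not expanded and conditional bindings are skipped."""
    held = {
        b["role"]
        for b in org_policy.get("bindings", [])
        if member in b.get("members", []) and "condition" not in b
    }
    return sorted(REQUIRED_ROLES - held)

def preflight(project, org_policy, member, shared_vpc_host=None):
    """Return the blockers for the Step 5 migration; an empty list means ready."""
    blockers = []
    parent = project.get("parent") or {}
    if parent.get("type") == "folder":
        blockers.append(f"in folder {parent['id']}: move to the top level (Step 2)")
    elif parent.get("type") == "organization":
        blockers.append(f"still under organization {parent['id']}: wait for support (Step 3)")
    if shared_vpc_host:  # host project ID if this is a Shared VPC service project
        blockers.append(f"attached to Shared VPC host {shared_vpc_host}: detach first")
    blockers += [f"{member} lacks {role} on the destination organization"
                 for role in missing_roles(org_policy, member)]
    return blockers

# Constructed sample data, shaped like the JSON exports described above.
DEST_ORG_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/resourcemanager.projectCreator", "members": ["user:admin@example.com"]},
  {"role": "roles/resourcemanager.projectMover", "members": ["group:movers@example.com"]}
]}""")
NOT_READY = {"projectId": "my-first-project", "parent": {"type": "folder", "id": "1111"}}
READY = {"projectId": "my-first-project"}  # no parent: "No Organization"

if __name__ == "__main__":
    for blocker in preflight(NOT_READY, DEST_ORG_POLICY, "user:admin@example.com",
                             shared_vpc_host="host-project"):
        print("BLOCKER:", blocker)
```

A role held only through a group, as with `group:movers@example.com` in the sample, is reported as missing here, so confirm group membership separately before treating it as a real gap.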


Cloud Engineer || Infrastructure and Security || Google Cloud