From f2dbbad5b040bdaec558af20d81924a3a8dfc769 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Wed, 9 Jul 2025 16:00:44 +0100
Subject: [PATCH 1/2] Docs for smallstep/certificates#2133

---
 step-ca/provisioners.mdx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index 731959a1..4f1eaaa1 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -1,5 +1,5 @@
 ---
-updated_at: June 17, 2025
+updated_at: July 09, 2025
 title: Configuring `step-ca` Provisioners
 html_title: Configuring open source step-ca Provisioners
 description: Learn how to configure step-ca Provisioners
@@ -1575,6 +1575,7 @@ In the `ca.json`, a GCP provisioner looks like:
 "name": "Google Cloud",
 "serviceAccounts": ["1234567890"],
 "projectIDs": ["project-id"],
+ "organizationID": "organization-id",
 "disableCustomSANs": false,
 "disableTrustOnFirstUse": false,
 "instanceAge": "1h",
@@ -1601,6 +1602,8 @@ In the `ca.json`, a GCP provisioner looks like:
 - **projectIDs**: the list of project identifiers that are allowed to use this provisioner. If non is specified all project will be valid.
+- **organizationID**: an optional GCP organization ID. If provided, the provisioner will verify that all **projectIDs** belong to the GCP organization, using the `projects.getAncestry` call in the Cloud Resource Manager API.
+
 - **disableCustomSANs**: by default custom SANs are valid, but if this option is set to true only the SANs available in the instance identity document will be valid, these are the DNS

From 46722fbdff386cabea1683fc25aa37d6b2066fd0 Mon Sep 17 00:00:00 2001
From: Carl Tashian
Date: Wed, 9 Jul 2025 16:53:49 +0100
Subject: [PATCH 2/2] Clarify language around project ID token

---
 step-ca/provisioners.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/step-ca/provisioners.mdx b/step-ca/provisioners.mdx
index 4f1eaaa1..0208985a 100644
--- a/step-ca/provisioners.mdx
+++ b/step-ca/provisioners.mdx
@@ -1602,7 +1602,7 @@ In the `ca.json`, a GCP provisioner looks like:
 - **projectIDs**: the list of project identifiers that are allowed to use this provisioner. If non is specified all project will be valid.
-- **organizationID**: an optional GCP organization ID. If provided, the provisioner will verify that all **projectIDs** belong to the GCP organization, using the `projects.getAncestry` call in the Cloud Resource Manager API.
+- **organizationID**: an optional GCP organization ID. If provided, the provisioner will verify that the project ID in the token belongs to the GCP organization, using the `projects.getAncestry` call in the Cloud Resource Manager API.
 - **disableCustomSANs**: by default custom SANs are valid, but if this option is set to true only the SANs available in the instance identity