Docs for smallstep/certificates#2133

step-ca/provisioners.mdx

@@ -1,5 +1,5 @@
 ---
-updated_at: July 07, 2025
+updated_at: July 09, 2025
 title: Configuring `step-ca` Provisioners
 html_title: Configuring open source step-ca Provisioners
 description: Learn how to configure step-ca Provisioners
@@ -1575,6 +1575,7 @@ In the `ca.json`, a GCP provisioner looks like:
     "name": "Google Cloud",
     "serviceAccounts": ["1234567890"],
     "projectIDs": ["project-id"],
+    "organizationID": "organization-id",
     "disableCustomSANs": false,
     "disableTrustOnFirstUse": false,
     "instanceAge": "1h",
@@ -1601,6 +1602,8 @@ In the `ca.json`, a GCP provisioner looks like:
 - **projectIDs**<Reference id="star9" marker="*" />: the list of project identifiers that are allowed to
   use this provisioner. If non is specified all project will be valid.
 
+- **organizationID**: an optional GCP organization ID. If provided, the provisioner will verify that the project ID in the token belongs to the GCP organization, using the `projects.getAncestry` call in the Cloud Resource Manager API.
+
 - **disableCustomSANs**<Reference id="star9" marker="*" />: by default custom SANs are valid, but if this
   option is set to true only the SANs available in the instance identity
   document will be valid, these are the DNS