Organize resources using tags

This page describes Google Cloud tags and how to use them with AlloyDB for PostgreSQL. To add tags to AlloyDB clusters and backups using Google Cloud CLI, see Attach and manage tags.

Overview of tags

Google Cloud tags are key-value pairs that you can use to organize your AlloyDB resources.

For example, a tag key can be a property, such as environment, and the tag value can be an attribute, such as development or production. A tag can have only one value for a given key on a particular resource.

Tags are created at the organization or project level. In AlloyDB, they are attached to the cluster or backup resources through the Resource Manager, which is used across Google Cloud.

You can add a reference to tags in Identity and Access Management (IAM) policy bindings to grant conditional access to resources. Tags are different from labels, which are another way to organize and filter your AlloyDB resources. Tags and labels work independently of each other, and you can use both on the same AlloyDB resource.

Grant permissions based on conditional tag bindings

After you attach a tag to an AlloyDB resource, you can use the tag with IAM Conditions to conditionally grant access to AlloyDB resources. For more information about setting conditions based on tags, see Resource tags. IAM Conditions let you impose fine-grained access control on AlloyDB resources.

To use IAM Conditions, you reference the tags in IAM policy bindings. For more information about how to control access to your Google Cloud resources using tags with IAM, see Tags and conditional access.
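The following added example (not part of the original page or of Google's documentation) audits an IAM policy for AlloyDB role bindings and reports which ones are gated by a tag condition. It assumes a policy in the JSON shape that `gcloud projects get-iam-policy` returns; the organization ID, members, and tag names in the sample are constructed placeholders.

```python
import json
import re

# Constructed sample in the JSON shape of an IAM policy (version 3 is
# required for conditions). IDs, members, and tag names are placeholders.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/alloydb.admin",
     "members": ["group:dba@example.com"],
     "condition": {"title": "prod only",
       "expression": "resource.matchTag('123456789012/environment', 'production')"}},
    {"role": "roles/alloydb.viewer",
     "members": ["group:dev@example.com"]},
    {"role": "roles/alloydb.client",
     "members": ["user:oncall@example.com"],
     "condition": {"title": "business hours",
       "expression": "request.time.getHours('UTC') >= 9"}},
    {"role": "roles/storage.objectViewer",
     "members": ["user:other@example.com"]}
  ]
}
""")

# Matches resource.matchTag('<namespaced key>', '<value short name>').
MATCH_TAG = re.compile(r"resource\.matchTag\(\s*'([^']+)'\s*,\s*'([^']+)'\s*\)")

def audit_alloydb_bindings(policy):
    """Classify each AlloyDB role binding by whether a tag condition gates it."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if not role.startswith("roles/alloydb."):
            continue  # only AlloyDB roles are in scope for this audit
        expr = binding.get("condition", {}).get("expression", "")
        tags = MATCH_TAG.findall(expr)
        if tags:
            status = "tag-gated"
        elif expr:
            status = "conditional-no-tag"
        else:
            status = "unconditional"
        findings.append({"role": role, "status": status, "tags": tags,
                         "members": binding.get("members", [])})
    return findings

if __name__ == "__main__":
    for f in audit_alloydb_bindings(SAMPLE_POLICY):
        print(f"{f['status']:20} {f['role']:22} {f['members']} {f['tags']}")
```

Bindings reported as `unconditional` grant the role on every AlloyDB resource in scope regardless of tags, so they are the ones to review when tag-based access control is the intent.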

Limitations

Tags have the following restrictions:

  • You can't attach tags to the instance resource in AlloyDB.
  • Resource-level tags are not supported in BigQuery exports of Cloud Billing data.
  • Backup resources don't inherit tags from their corresponding clusters.

What's next