Organize resources using tags

This page describes Google Cloud tags and how to use them with AlloyDB for PostgreSQL. To add tags to AlloyDB clusters and backups using Google Cloud CLI, see Attach and manage tags.

Overview of tags

Google Cloud tags are key-value pairs that you can use to organize your AlloyDB resources.

For example, a tag key can be a property, such as environment, and the tag value can be an attribute, such as development or production. A tag can have only one value for a given key on a particular resource.

Tags are created at the organization or project level. In AlloyDB, they are attached to the cluster or backup resources through the Resource Manager, which is used across Google Cloud.

You can add a reference to tags in Identity and Access Management (IAM) policy bindings to grant conditional access to resources. Tags are different from labels, which are another way to organize and filter your AlloyDB resources. Tags and labels work independently of each other, and you can use both on the same AlloyDB resource.

Grant permissions based on conditional tag bindings

After you attach a tag to an AlloyDB resource, you can use the tag with IAM Conditions to conditionally grant access to AlloyDB resources. For more information about setting conditions based on tags, see Resource tags. IAM Conditions let you impose fine-grained access control on AlloyDB resources.

To use IAM Conditions, you reference the tags in IAM policy bindings. For more information about how to control access to your Google Cloud resources using tags with IAM, see Tags and conditional access.
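The following audit script is an added example, not part of the original page or Google's own code. It checks an exported IAM allow policy for AlloyDB role bindings that no tag condition constrains, including an unconditional grant that sits beside a tag-conditional one for the same member. The organization ID, members, and the policy itself are constructed sample values; the tag functions matched are the ones IAM Conditions provides for tags.

```python
import json
import re

# Tag functions available in IAM Conditions expressions.
TAG_FUNCS = re.compile(r"resource\.(matchTag|matchTagId|hasTagKey|hasTagKeyId)\s*\(")

# Constructed sample in the shape returned by
# `gcloud projects get-iam-policy PROJECT_ID --format=json`.
SAMPLE_POLICY = json.loads("""
{
  "version": 3,
  "bindings": [
    {"role": "roles/alloydb.admin",
     "members": ["user:dba@example.com"],
     "condition": {"title": "prod-only",
       "expression": "resource.matchTag('123456789012/environment', 'production')"}},
    {"role": "roles/alloydb.admin",
     "members": ["user:dba@example.com", "group:ops@example.com"]},
    {"role": "roles/alloydb.viewer",
     "members": ["user:intern@example.com"],
     "condition": {"title": "office-hours",
       "expression": "request.time.getHours('UTC') < 18"}},
    {"role": "roles/storage.objectViewer",
     "members": ["user:dba@example.com"]}
  ]
}
""")

def audit_alloydb_bindings(policy):
    """Return (role, member, finding) for AlloyDB grants that no tag constrains."""
    rows = [(b["role"], m, b.get("condition", {}).get("expression", ""))
            for b in policy.get("bindings", [])
            if b["role"].startswith("roles/alloydb.") for m in b["members"]]
    tagged = {(r, m) for r, m, e in rows if TAG_FUNCS.search(e)}
    findings = []
    for role, member, expr in rows:
        if TAG_FUNCS.search(expr):
            continue
        kind = "condition-without-tag" if expr else "unconditional"
        if (role, member) in tagged:  # IAM allow policies are additive
            kind += "-overrides-tagged-grant"
        findings.append((role, member, kind))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit_alloydb_bindings(SAMPLE_POLICY):
        print(*finding, sep="\t")
```

Because allow-policy bindings are additive, the `unconditional-overrides-tagged-grant` finding means the tag condition has no effect for that member and role.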

Export Cloud Billing data to BigQuery with resource-level tags

After you configure your project to export Cloud Billing data to BigQuery, your Cloud Billing data, such as usage, cost estimates, and pricing details, is automatically and continuously exported to a BigQuery dataset. You can then query this data using resource-level tags in BigQuery.

For setup instructions and query examples, see:

Limitations

Tags have the following restrictions:

  • You can't attach tags to the instance resource in AlloyDB.
  • Backup resources don't inherit tags from their corresponding clusters.
  • Tag-based permissions might fail permission checks performed using the UI since AlloyDB might falsely deny access for resources that have policies applied at the resource level. However, other access methods like Google Cloud CLI, REST API, and Terraform work correctly.

What's next