Use tags to group repositories and other resources across Google Cloud for reporting, auditing, and access control within your Google Cloud organization.
To group repositories within Artifact Registry for automation and billing purposes, use labels. Tags and labels work independently of each other, and you can apply both to the same repository. For more information on the differences between tags and labels see Tags and labels.
What are tags?
Tags are key-value pairs you can apply to your resources for fine-grained access control.
Project administrators create tags for resources across Google Cloud at the organization level and manage them in Resource Manager. When you attach a tag to a Artifact Registry repository, you can use the tag with IAM conditions to grant conditional access to the repository. You cannot attach tags to individual artifacts.
Keep these restrictions in mind:
Organization policies can conditionally reference tags that are inherited from the parent project and higher, but they don't support tags that you directly attach to repositories.
Cloud Audit logs are not generated for attaching tags and viewing tag bindings on repositories.
For more information about tags and conditional access control with tags, see Tags and access control.
Required permissions
To get the permissions that you need to manage tags, ask your administrator to grant you the following IAM roles:
-
Tag Viewer (
roles/resourcemanager.tagViewer) on the resources the tags are attached to -
View and manage tags at the organization level:
Organization Viewer (
roles/resourcemanager.organizationViewer) on the organization -
Create, update, and delete tag definitions:
Tag Administrator (
roles/resourcemanager.tagAdmin) on the resource you're creating, updating, or deleting tags for -
Attach and remove tags from resources:
Tag User (
roles/resourcemanager.tagUser) on the tag value and the resources that you are attaching or removing the tag value to
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
Attaching tags to repositories
After a project administrator creates tags, you can attach tags to a repository. Each tag has a key and a value. You tag a repository by binding a value to the repository.
To attach a tag to a repository:
Console
Obtain the tag value to attach from your administrator.
You can attach a tag value with one of these types of identifiers:
- A namespaced name, such as
123456789012/env/dev - A permanent ID, such as
tagValues/567890123456
- A namespaced name, such as
Open the Repositories page in the Google Cloud console.
Select the repository you want to tag.
In the Repository Details section, click Show more.
Existing tags for the repository, including inherited tags, are shown.
Click the
Edit tags icon.In the Direct tags section, click Select scope.
Select your repository project.
In the key field, type to filter the tag list, then select the tag key.
In the Value field, type to filter the tag list, then select the tag value.
Click Save.
Click Confirm.
The tag is attached to your repository.
gcloud CLI
Obtain the tag value to attach from your administrator.
You can attach a tag value with one of these types of identifiers:
- A namespaced name, such as
123456789012/env/dev - A permanent ID, such as
tagValues/567890123456
- A namespaced name, such as
Attach the tag value with the following command:
gcloud resource-manager tags bindings create \ --tag-value=TAG_VALUE \ --parent=REPOSITORY_ID \ --location=LOCATIONReplace the following values:
TAG_VALUEis the permanent ID or namespaced name of the tag value to attach.REPOSITORY_IDis the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example,//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repoLOCATIONis the location of the repository.
Consider the following example:
- Tag value:
815471563813/env/dev - Project:
my-project - Repository:
my-repo - Repository location:
us-east1
The following gcloud CLI command attaches the tag to the repository:
gcloud resource-manager tags bindings create \ --tag-value=815471563813/env/dev \ --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \ --location=us-east1
Listing tags attached to repositories
You can list tags that are attached to a resource that you have permissions to access.
Console
Open the Repositories page in the Google Cloud console.
Select the repository you want to view.
In the Repository Details section, click Show more.
The Tags list shows all repository tags including direct tags, and inherited tags from higher in the resource hierarchy.
gcloud CLI
To list tags attached to a repository, run the following command:
gcloud resource-manager tags bindings list \
--parent=REPOSITORY_ID \
--location=LOCATION
The command only lists tags directly attached to the specified resource, so
it doesn't return tags inherited from the parent project or higher. You can list
tags inherited from the parent project by specifying a project instead of a
repository with the --parent flag.
For example, this command lists tags attached to the repository my-repo in
the project my-project and the location us-east1:
gcloud resource-manager tags bindings list \
--parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
--location=us-east1
This command lists tags attached to the project number 7890123456:
gcloud resource-manager tags bindings list \
--parent=//cloudresourcemanager.googleapis.com/projects/7890123456 \
Detaching tags from repositories
You can detach a tag that is directly attached to a repository. If you need to remove a tag that is inherited from the parent project or another part of the resource hierarchy, a project administrator must detach it from the resource where the tag is attached.
To remove a tag that is attached to a repository:
Console
Obtain the tag value you want to remove. If you don't know the tag value, list tags attached to the repository.
Open the Repositories page in the Google Cloud console.
Select the repository.
In the Repository Details section, click Show more.
Existing tags for the repository, including inherited tags, are shown.
Click the
Edit tags icon.In the Direct tags section, locate the tag you want to remove.
Click the delete icon next to the tag you want to remove.
Click Save.
Click Confirm.
The tag is removed from your repository.
gcloud CLI
Obtain the tag value you want to remove. If you don't know the tag value, list tags attached to the repository.
Detach the tag value with the following command:
gcloud resource-manager tags bindings delete \ --tag-value=TAG_VALUE \ --parent=REPOSITORY_ID \ --location=LOCATIONReplace the following values:
TAG_VALUEtag value to detach.REPOSITORY_IDis the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example,//artifactregistry.googleapis.com/projects/my-project/my-repoLOCATIONis the location of the repository.
Consider the following example:
- Tag value:
815471563813/env/dev - Project:
my-project - Repository:
my-repo - Repository location:
us-east1
The following gcloud CLI command detaches the tag from the repository:
gcloud resource-manager tags bindings delete \ --tag-value=815471563813/env/dev \ --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \ --location=us-east1
What's next
- Learn about repository labels.