Use tags to group repositories and other resources across Google Cloud for reporting, auditing, and access control within your Google Cloud organization.
To group repositories within Artifact Registry for automation and billing purposes, use labels. Tags and labels work independently of each other, and you can apply both to the same repository.
Before you begin
Verify that you have the required permissions for working with repository tags.
If you only need to view tags attached to repositories for reporting or auditing purposes, you must have the following permissions:
artifactregistry.repositories.listTagBindingsartifactregistry.repositories.listEffectiveTags
An administrator can grant these permissions with the Artifact Registry
Reader role (artifactregistry.Reader) or a role with equivalent permissions.
If you also need to attach or detach tags for repositories, you need the following permissions:
artifactregistry.repositories.createTagBindingartifactregistry.repositories.deleteTagBinding
An administrator can grant these permissions using the Artifact Registry
Admin role (artifactregistry.Admin) or a role with equivalent permissions.
Alternatively, the Tag User role (roles/resourcemanager.tagUser)
grants permissions to view and set tags on all resources at the configured
level of the resource hierarchy in your organization.
What are tags?
Tags are key-value pairs you can apply to your resources for fine-grained access control.
Project administrators create tags for resources across Google Cloud at the organization level and manage them in Resource Manager. When you attach a tag to a Artifact Registry repository, you can use the tag with IAM conditions to grant conditional access to the repository. You cannot attach tags to individual artifacts.
Keep these restrictions in mind:
Organization policies can conditionally reference tags that are inherited from the parent project and above, but they do not support tags that you directly attach to repositories.
You can only attach tags and view tag bindings on repositories using gcloud and the API.
Cloud Audit logs are not generated for attaching tags and viewing tag bindings on repositories.
For more information about tags and conditional access control with tags, see Tags and access control.
Attaching tags to repositories
After a project administrator creates tags, you can attach tags to a repository. Each tag has a key and a value. You tag a repository by binding a value to the repository.
To attach a tag to a repository:
Obtain the tag value to attach from your administrator.
You can attach a tag value with one of these types of identifiers:
- A namespaced name, such as
123456789012/env/dev - A permanent ID, such as
tagValues/567890123456
- A namespaced name, such as
Attach the tag value with the following command:
gcloud alpha resource-manager tags bindings create \ --tag-value=TAG_VALUE \ --parent=REPOSITORY_ID \ --location=LOCATIONReplace the following values:
TAG_VALUEis the permanent ID or namespaced name of the tag value to attach.REPOSITORY_IDis the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example,//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repoLOCATIONis the location of the repository.
Consider the following example:
- Tag value:
815471563813/env/dev - Project:
my-project - Repository:
my-repo - Repository location:
us-east1
The following gcloud command attaches the tag to the repository:
gcloud alpha resource-manager tags bindings create \ --tag-value=815471563813/env/dev \ --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \ --location=us-east1
Listing tags attached to repositories
You can list tags that are attached to a resource that you have permissions to access.
To list tags attached to a repository, run the following command:
gcloud alpha resource-manager tags bindings list \
--parent=REPOSITORY_ID \
--location=LOCATION
The command only lists tags directly attached to the specified resource, so
it doesn't return tags inherited from the parent project or above. You can list
tags inherited from the parent project by specifying a project instead of a
repository with the --parent flag.
For example, this command lists tags attached to the repository my-repo in
the project my-project and the location us-east1:
gcloud alpha resource-manager tags bindings list \
--parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
--location=us-east1
This command lists tags attached to the project number 7890123456:
gcloud alpha resource-manager tags bindings list \
--parent=//cloudresourcemanager.googleapis.com/projects/7890123456 \
Detaching tags from repositories
You can detach a tag that is directly attached to a repository. If you need to remove a tag that is inherited from the parent project or another part of the resource hierarchy, a project administrator must detach it from the resource where the tag is attached.
To remove a tag that is attached to a repository:
Obtain the tag value you want to remove. If you don't know the tag value, list tags attached to the repository.
Detach the tag value with the following command:
gcloud alpha resource-manager tags bindings delete \ --tag-value=TAG_VALUE \ --parent=REPOSITORY_ID \ --location=LOCATIONReplace the following values:
TAG_VALUEtag value to detach.REPOSITORY_IDis the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example,//artifactregistry.googleapis.com/projects/my-project/my-repoLOCATIONis the location of the repository.
Consider the following example:
- Tag value:
815471563813/env/dev - Project:
my-project - Repository:
my-repo - Repository location:
us-east1
The following gcloud command detaches the tag from the repository:
gcloud alpha resource-manager tags bindings delete \ --tag-value=815471563813/env/dev \ --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \ --location=us-east1
What's next
- Learn about repository labels.