Tagging repositories

Use tags to group repositories and other resources across Google Cloud for reporting, auditing, and access control within your Google Cloud organization.

To group repositories within Artifact Registry for automation and billing purposes, use labels. Tags and labels work independently of each other, and you can apply both to the same repository.

Before you begin

Verify that you have the required permissions for working with repository tags.

If you only need to view tags attached to repositories for reporting or auditing purposes, you must have the following permissions:

  • artifactregistry.repositories.listTagBindings
  • artifactregistry.repositories.listEffectiveTags

An administrator can grant these permissions with the Artifact Registry Reader role (artifactregistry.Reader) or a role with equivalent permissions.

If you also need to attach or detach tags for repositories, you need the following permissions:

  • artifactregistry.repositories.createTagBinding
  • artifactregistry.repositories.deleteTagBinding

An administrator can grant these permissions using the Artifact Registry Admin role (artifactregistry.Admin) or a role with equivalent permissions.

Alternatively, the Tag User role (roles/resourcemanager.tagUser) grants permissions to view and set tags on all resources at the configured level of the resource hierarchy in your organization.

What are tags?

Tags are key-value pairs you can apply to your resources for fine-grained access control.

Project administrators create tags for resources across Google Cloud at the organization level and manage them in Resource Manager. When you attach a tag to an Artifact Registry repository, you can use the tag with IAM conditions to grant conditional access to the repository. You cannot attach tags to individual artifacts.

Keep these restrictions in mind:

  • Organization policies can conditionally reference tags that are inherited from the parent project and above, but they do not support tags that you directly attach to repositories.

  • You can only attach tags and view tag bindings on repositories using gcloud and the API.

  • Cloud Audit Logs are not generated for attaching tags and viewing tag bindings on repositories.

For more information about tags and conditional access control with tags, see Tags and access control.

Attaching tags to repositories

After a project administrator creates tags, you can attach tags to a repository. Each tag has a key and a value. You tag a repository by binding a value to the repository.

To attach a tag to a repository:

  1. Obtain the tag value to attach from your administrator.

    You can attach a tag value with one of these types of identifiers:

    • A namespaced name, such as 123456789012/env/dev
    • A permanent ID, such as tagValues/567890123456
  2. Attach the tag value with the following command:

    gcloud alpha resource-manager tags bindings create \
        --tag-value=TAG_VALUE \
        --parent=REPOSITORY_ID \
        --location=LOCATION
    

    Replace the following values:

    • TAG_VALUE is the permanent ID or namespaced name of the tag value to attach.

    • REPOSITORY_ID is the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example, //artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo

    • LOCATION is the location of the repository.

    Consider the following example:

    • Tag value: 815471563813/env/dev
    • Project: my-project
    • Repository: my-repo
    • Repository location: us-east1

    The following gcloud command attaches the tag to the repository:

    gcloud alpha resource-manager tags bindings create \
        --tag-value=815471563813/env/dev \
        --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
        --location=us-east1
    

Listing tags attached to repositories

You can list tags that are attached to a resource that you have permissions to access.

To list tags attached to a repository, run the following command:

gcloud alpha resource-manager tags bindings list \
    --parent=REPOSITORY_ID \
    --location=LOCATION

The command only lists tags directly attached to the specified resource, so it doesn't return tags inherited from the parent project or above. You can list tags inherited from the parent project by specifying a project instead of a repository with the --parent flag.

For example, this command lists tags attached to the repository my-repo in the project my-project and the location us-east1:

gcloud alpha resource-manager tags bindings list \
    --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
    --location=us-east1

This command lists tags attached to the project number 7890123456:

gcloud alpha resource-manager tags bindings list \
    --parent=//cloudresourcemanager.googleapis.com/projects/7890123456
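
Because attaching tags to a repository generates no Cloud Audit Logs, one way to notice an unreviewed change is to compare the listed bindings against a reviewed baseline. The following is an added example, not part of the original documentation; the function names, the baseline file, and the use of --format='value(tagValue)' to print permanent tag value IDs are assumptions.

```shell
#!/bin/sh
# Added example: detect tag-binding drift on an Artifact Registry repository.
# Usage (hypothetical file names):
#   fetch_bindings my-project us-east1 my-repo > live.txt
#   diff_bindings baseline.txt live.txt || echo "tag bindings changed"

# Build the full resource name that --parent expects.
repo_resource_name() {  # args: PROJECT LOCATION REPOSITORY
  printf '//artifactregistry.googleapis.com/projects/%s/locations/%s/repositories/%s\n' \
    "$1" "$2" "$3"
}

# Print the tag values bound directly to the repository, one per line.
# Inherited tags are not returned, so keep a separate baseline per level.
# Assumption: the binding's tagValue field holds the tagValues/NNN permanent ID.
fetch_bindings() {  # args: PROJECT LOCATION REPOSITORY
  gcloud alpha resource-manager tags bindings list \
    --parent="$(repo_resource_name "$1" "$2" "$3")" \
    --location="$2" \
    --format='value(tagValue)'
}

# Compare a reviewed baseline with the live list (one tag value per line).
# Prints "UNEXPECTED <id>" for bindings not in the baseline and
# "MISSING <id>" for baseline bindings that are gone; returns 1 on drift.
diff_bindings() {  # args: BASELINE_FILE LIVE_FILE
  drift=$(
    { grep -Fxv -f "$1" "$2" || true; } | sort -u | sed '/^$/d; s/^/UNEXPECTED /'
    { grep -Fxv -f "$2" "$1" || true; } | sort -u | sed '/^$/d; s/^/MISSING /'
  )
  [ -z "$drift" ] && return 0
  printf '%s\n' "$drift"
  return 1
}
```

Run the comparison on a schedule and alert on a non-zero exit status; store the baseline with permanent IDs so that renaming a tag key does not register as drift.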

Detaching tags from repositories

You can detach a tag that is directly attached to a repository. If you need to remove a tag that is inherited from the parent project or another part of the resource hierarchy, a project administrator must detach it from the resource where the tag is attached.

To remove a tag that is attached to a repository:

  1. Obtain the tag value you want to remove. If you don't know the tag value, list tags attached to the repository.

  2. Detach the tag value with the following command:

    gcloud alpha resource-manager tags bindings delete \
        --tag-value=TAG_VALUE \
        --parent=REPOSITORY_ID \
        --location=LOCATION
    

    Replace the following values:

    • TAG_VALUE is the tag value to detach.

    • REPOSITORY_ID is the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example, //artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo

    • LOCATION is the location of the repository.

    Consider the following example:

    • Tag value: 815471563813/env/dev
    • Project: my-project
    • Repository: my-repo
    • Repository location: us-east1

    The following gcloud command detaches the tag from the repository:

    gcloud alpha resource-manager tags bindings delete \
        --tag-value=815471563813/env/dev \
        --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
        --location=us-east1
    

What's next