[[["容易理解","easyToUnderstand","thumb-up"],["確實解決了我的問題","solvedMyProblem","thumb-up"],["其他","otherUp","thumb-up"]],[["難以理解","hardToUnderstand","thumb-down"],["資訊或程式碼範例有誤","incorrectInformationOrSampleCode","thumb-down"],["缺少我需要的資訊/範例","missingTheInformationSamplesINeed","thumb-down"],["翻譯問題","translationIssue","thumb-down"],["其他","otherDown","thumb-down"]],["上次更新時間:2025-09-04 (世界標準時間)。"],[[["\u003cp\u003eTags are key-value pairs used to conditionally manage policies and IAM roles on Google Cloud resources.\u003c/p\u003e\n"],["\u003cp\u003eManaging tags involves creating, viewing, updating, and deleting tag definitions, which requires specific permissions like the Tag Administrator or Tag Viewer roles.\u003c/p\u003e\n"],["\u003cp\u003eAttaching and detaching tags to resources requires the Tag User role and specific resource-level permissions to create or delete tag bindings.\u003c/p\u003e\n"],["\u003cp\u003eTags can be attached to resources using the \u003ccode\u003egcloud resource-manager tags bindings create\u003c/code\u003e command, and a list of attached tags can be retrieved with the \u003ccode\u003egcloud resource-manager tags bindings list\u003c/code\u003e command.\u003c/p\u003e\n"],["\u003cp\u003eTags are independent from labels, which are used for automation and billing purposes within Bigtable.\u003c/p\u003e\n"]]],[],null,["# Create and manage tags\n======================\n\nAbout tags\n----------\n\nA tag is a key-value pair that can attach to a resource within\nGoogle Cloud. You can use tags to conditionally allow or deny policies based on\nwhether a resource has a specific tag. For example, you can conditionally grant\nIdentity and Access Management (IAM) roles based on whether a resource has a specific tag.\nFor more information about tags, see [Tags overview](/resource-manager/docs/tags/tags-overview).\n\nTags are attached to resources by creating a tag binding resource that links the\nvalue to the Google Cloud resource.\nTo group instances within Bigtable for automation and billing purposes, use [labels](/bigtable/docs/creating-managing-labels). Tags and labels work independently of each other, and you can apply both to resources.\n\nRequired permissions\n--------------------\n\nThe permissions you need depend on the action you need to perform.\n\nTo gain these permissions, ask your administrator to grant the suggested role at\nthe appropriate level of the\n[resource hierarchy](/iam/docs/tags-access-control#resource-hierarchy).\n\n### View tags\n\nTo view tag definitions and tags that are attached to resources, you need the\n**Tag Viewer** role (`roles/resourcemanager.tagViewer`), or another role that\nincludes the following permissions: \n\n#### Required permissions\n\n- `resourcemanager.tagKeys.get`\n- `resourcemanager.tagKeys.list`\n- `resourcemanager.tagValues.list`\n- `resourcemanager.tagValues.get`\n- `listTagBindings` for the appropriate resource type. For example, `compute.instances.listTagBindings` for viewing tags attached to Compute Engine instances.\n- `listEffectiveTags`\nfor the appropriate resource type. For example, `compute.instances.listEffectiveTags` for viewing all tags attached to or inherited by Compute Engine instances.\n\nTo view tags at the organization level you need the **Organization Viewer** role\n(`roles/resourcemanager.organizationViewer`) on the organization resource.\n\n### Administer tags\n\nTo create, update, and delete tag definitions, you need the\n**Tag Administrator** role (`roles/resourcemanager.tagAdmin`), or another role\nthat includes the following permissions: \n\n#### Required permissions\n\n- `resourcemanager.tagKeys.create`\n- `resourcemanager.tagKeys.update`\n- `resourcemanager.tagKeys.delete`\n- `resourcemanager.tagKeys.list`\n- `resourcemanager.tagKeys.get`\n- `resourcemanager.tagKeys.getIamPolicy`\n- `resourcemanager.tagKeys.setIamPolicy`\n- `resourcemanager.tagValues.create`\n- `resourcemanager.tagValues.update`\n- `resourcemanager.tagValues.delete`\n- `resourcemanager.tagValues.list`\n- `resourcemanager.tagValues.get`\n- `resourcemanager.tagValues.getIamPolicy`\n- `resourcemanager.tagValues.setIamPolicy`\n\nTo administer tags at the organization level you need the\n**Organization Viewer** role (`roles/resourcemanager.organizationViewer`) on the\norganization resource.\n\n### Manage tags on resources\n\nTo add and remove tags that are attached to resources, you need the **Tag User**\nrole (`roles/resourcemanager.tagUser`), or another role with equivalent\npermissions, on both the *tag value* and the *resources that you are attaching\nthe tag value to* . The **Tag User** role includes the following permissions: \n\n#### Required permissions\n\n- Permissions required for the resource you're attaching the tag value\n - Resource-specific `createTagBinding` permission, such as `compute.instances.createTagBinding` for Compute Engine instances.\n - Resource-specific `deleteTagBinding` permission, such as `compute.instances.deleteTagBinding` for Compute Engine instances.\n- Permissions required for the tag value:\n - `resourcemanager.tagValueBindings.create`\n - `resourcemanager.tagValueBindings.delete`\n- Permissions that let you view projects and tag definitions:\n - `resourcemanager.tagValues.get`\n - `resourcemanager.tagValues.list`\n - `resourcemanager.tagKeys.get`\n - `resourcemanager.tagKeys.list`\n - `resourcemanager.projects.get`\n\nTo attach tags to Bigtable instances, you need the\n[Bigtable Admin](/bigtable/docs/access-control#roles) role (`roles/bigtable.admin`).\n\nCreate tag keys and values\n--------------------------\n\nBefore you can attach a tag, you need to create a tag and configure its value.\nTo create tag keys and tag values, see [Creating a tag](/resource-manager/docs/tags/tags-creating-and-managing#creating_tag) and\n[Adding a tag value](/resource-manager/docs/tags/tags-creating-and-managing#adding_tag_values).\n\nAdd tags to existing resources\n------------------------------\n\nTo add a tag to existing instances, follow these steps: \n\n### gcloud\n\nTo attach a tag to an instance, you must create a\ntag binding resource by using the\n`gcloud resource-manager tags bindings create` command: \n\n```\n gcloud resource-manager tags bindings create \\\n --tag-value=TAGVALUE_NAME \\\n --parent=RESOURCE_ID \\\n --location=LOCATION\n \n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eTAGVALUE_NAME\u003c/var\u003e: the permanent ID or namespaced name of the tag value that is attached---for example, `tagValues/567890123456`.\n- \u003cvar translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e is the full ID of the resource, including the API domain name to identify the type of resource (`//bigtable.googleapis.com/`). For example, to attach a tag to an instance in `projects/7890123456`, the full ID is: `//bigtable.googleapis.com/projects/7890123456/instances/instance-ID`.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the location of your resource. If you're attaching a tag to a global resource, such as a folder or a project, omit this flag. If you're attaching a tag to a regional or a zonal resource, you must specify the location---for example, `us-central1` (region) or `us-central1-a` (zone).\n\nList tags attached to resources\n-------------------------------\n\nYou can view a list of tag bindings directly attached to or inherited by the\ninstance. \n\n### gcloud\n\nTo get a list of tag bindings attached to a resource, use the\n`gcloud resource-manager tags bindings list` command: \n\n```\n gcloud resource-manager tags bindings list \\\n --parent=RESOURCE_ID \\\n --location=LOCATION\n \n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e is the full ID of the resource, including the API domain name to identify the type of resource (`//bigtable.googleapis.com/`). For example, to attach a tag to an instance in `projects/7890123456`, the full ID is: `//bigtable.googleapis.com/projects/7890123456/instances/instance-ID`.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the location of your resource. If you're viewing a tag attached to a global resource, such as a folder or a project, omit this flag. If you're viewing a tag attached to a regional or a zonal resource, you must specify the location---for example, `us-central1` (region) or `us-central1-a` (zone).\n\nYou should get a response similar to the following: \n\n```\nname: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456\n tagValue: tagValues/567890123456\n resource: //bigtable.googleapis.com/projects/7890123456/instances/instance-ID\n \n```\n\nDetach tags from resources\n--------------------------\n\nYou can detach tags that have been directly attached to\nan instance. Inherited tags can be overridden by attaching\na tag with the same key and a different value, but they can't be detached. \n\n### gcloud\n\nTo delete a tag binding, use the\n`gcloud resource-manager tags bindings delete` command: \n\n```\n gcloud resource-manager tags bindings delete \\\n --tag-value=TAGVALUE_NAME \\\n --parent=RESOURCE_ID \\\n --location=LOCATION\n \n```\n\nReplace the following:\n\n- \u003cvar translate=\"no\"\u003eTAGVALUE_NAME\u003c/var\u003e: the permanent ID or namespaced name of the tag value that is attached---for example, `tagValues/567890123456`.\n- \u003cvar translate=\"no\"\u003eRESOURCE_ID\u003c/var\u003e is the full ID of the resource, including the API domain name to identify the type of resource (`//bigtable.googleapis.com/`). For example, to attach a tag to an instance in `projects/7890123456`, the full ID is: `//bigtable.googleapis.com/projects/7890123456/instances/instance-ID`.\n- \u003cvar translate=\"no\"\u003eLOCATION\u003c/var\u003e: the location of your resource. If you're attaching a tag to a global resource, such as a folder or a project, omit this flag. If you're attaching a tag to a regional or a zonal resource, you must specify the location---for example, `us-central1` (region) or `us-central1-a` (zone).\n\nDelete tag keys and values\n--------------------------\n\nWhen removing a tag key or value definition, ensure that the tag is detached from the\ninstance. You must delete existing tag attachments, called tag\nbindings, before deleting the tag definition itself. To delete tag keys and tag\nvalues, see [Deleting tags](/resource-manager/docs/tags/tags-creating-and-managing#deleting).\n\nIdentity and Access Management conditions and tags\n--------------------------------------------------\n\nYou can use tags and IAM conditions to conditionally\ngrant role bindings to users in your hierarchy. Changing or deleting the tag\nattached to a resource can remove user access to that resource if an\nIAM policy with conditional role bindings has been applied. For\nmore information, see [Identity and Access Management conditions and tags](/resource-manager/docs/tags/tags-creating-and-managing#iam_conditions_and_tags).\n\nWhat's next\n-----------\n\n- See the other [services that support tags](/resource-manager/docs/tags/tags-supported-services).\n- See [Tags and access control](/iam/docs/tags-access-control) to learn how to use tags with IAM."]]