Granting the Tag Template User role

After you create a Data Catalog tag template in your project, you can grant the Data Catalog tagTemplateUser role to members of your organization to enable them to use your template to tag data resources (see Attaching tags to GCP resources).

The next section shows how to grant the tagTemplateUser role to members.

Grant the tagTemplateUser role

Console

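Grant the Data Catalog tagTemplateUser role to a member of your project by clicking the edit (pencil) icon at the right of the member's listing on the IAM page in the Google Cloud Console. A role granted on the IAM page applies to the whole project, so it covers every tag template in the project; the client library and REST examples below grant the role on a single template instead.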

The "Edit permissions" dialog opens. Click "ADD ANOTHER ROLE", then click the "Select a role" box. Add a filter by typing "data catalog" to list available Data Catalog roles. Click the "Data Catalog TagTemplate User" role to select the role, then click Save to close the dialog.

Python

"""This application demonstrates how to allow a project member to use a
Template in order to create Tags with the Cloud Data Catalog API.

For more information, see the README.md under /datacatalog and the
documentation at https://cloud.google.com/data-catalog/docs.
"""

import argparse

from google.cloud import datacatalog_v1beta1


def grant_tag_template_user_role(project_id, template_id, member_id):
    """Add a Tag Template User binding for one member to a template's policy.

    The template's current IAM policy is fetched, a new binding for
    ``roles/datacatalog.tagTemplateUser`` holding ``member_id`` is appended
    to it, and the modified policy object is written back. Because the
    fetched policy is reused, bindings already present on the template are
    sent back unchanged. The grant is made on this one template's policy,
    not on the project.

    Args:
        project_id: ID of the Google Cloud project that owns the template.
        template_id: ID of the tag template.
        member_id: IAM member string, e.g. 'user:test-user@gmail.com'. It is
            handed to the API as given; this function does not validate it.
    """
    client = datacatalog_v1beta1.DataCatalogClient()

    # Data Catalog currently stores metadata in us-central1, so the location
    # part of the resource name is fixed.
    region = "us-central1"
    resource = datacatalog_v1beta1.DataCatalogClient.tag_template_path(
        project_id, region, template_id)

    # Read-modify-write: start from the policy that is in force now.
    current_policy = client.get_iam_policy(resource)

    # A fresh binding is appended on every call, even when one for this role
    # already exists in the policy.
    grant = current_policy.bindings.add()
    grant.members.append(member_id)
    grant.role = 'roles/datacatalog.tagTemplateUser'

    # Write the policy back with the added binding.
    client.set_iam_policy(resource, current_policy)


if __name__ == '__main__':
    # Command-line entry point: three positional arguments that are passed
    # straight through to grant_tag_template_user_role.
    cli = argparse.ArgumentParser(
        formatter_class=argparse.RawDescriptionHelpFormatter,
        description=__doc__,
    )

    positional_args = (
        ('project_id', 'Your Google Cloud project ID'),
        ('template_id', 'Your Template ID'),
        ('member_id',
         "Member who will be granted access, e.g. 'user:test-user@gmail.com'"),
    )
    for arg_name, arg_help in positional_args:
        cli.add_argument(arg_name, help=arg_help)

    options = cli.parse_args()

    grant_tag_template_user_role(
        options.project_id, options.template_id, options.member_id)

Java

package com.example.datacatalog;

import com.google.cloud.datacatalog.TagTemplateName;
import com.google.cloud.datacatalog.v1beta1.DataCatalogClient;
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;

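public class AllowMemberUseTemplate {

  /**
   * Grant a project member the Tag Template User role for a given template.
   *
   * <p>The template's current IAM policy is read first and the new binding is added to a copy of
   * it, so bindings that already exist on the template are kept. setIamPolicy replaces the whole
   * policy: sending a policy that holds only the new binding would drop every other grant on the
   * template.
   *
   * @param projectId The project ID to which the Template belongs, e.g. 'my-project'.
   * @param templateId The template ID to grant access, e.g. 'my_template'.
   * @param memberId The member ID to whom access will be granted, e.g.
   *     'user:test-user@gmail.com'. The value is passed to the API as given.
   */
  public static void grantTagTemplateUserRole(
      String projectId, String templateId, String memberId) {
    // String projectId = "my-project"
    // String templateId = "my_template"
    // String memberId = "user:test-user@gmail.com"

    // Currently, Data Catalog stores metadata in the us-central1 region.
    String location = "us-central1";

    // Format the Template name.
    String templateName =
        TagTemplateName.newBuilder()
            .setProject(projectId)
            .setLocation(location)
            .setTagTemplate(templateId)
            .build()
            .toString();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (DataCatalogClient dataCatalogClient = DataCatalogClient.create()) {

      // Create a Binding to add the Tag Template User role and member to the policy.
      Binding binding =
          Binding.newBuilder()
              .setRole("roles/datacatalog.tagTemplateUser")
              .addMembers(memberId)
              .build();

      // Retrieve Template's current IAM policy so that existing bindings are not lost.
      Policy currentPolicy = dataCatalogClient.getIamPolicy(templateName);

      // Copy the current policy and add the new binding. toBuilder() copies every field of the
      // policy that was read, including its etag.
      Policy policyUpdate =
          currentPolicy.toBuilder()
              .addBindings(binding)
              .build();

      // Update Template's policy.
      dataCatalogClient.setIamPolicy(templateName, policyUpdate);

      System.out.println(String.format("Role successfully granted to %s", memberId));

    } catch (Exception e) {
      System.out.print("Error during AllowMemberUseTemplate:\n" + e.toString());
      e.printStackTrace();
    }
  }
}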

Node.js

// This application demonstrates how to grant a project member
// the Tag Template User role for a given template.

// See the documentation at https://cloud.google.com/data-catalog/docs
// for more information.

async function grantTagTemplateUserRole() {
  // Reads the template's current IAM policy, appends a binding for the
  // Tag Template User role, and writes the policy back. Bindings already on
  // the template stay in the policy because the fetched object is reused.

  // Load the client library and create the API client.
  const {DataCatalogClient} = require('@google-cloud/datacatalog').v1beta1;
  const client = new DataCatalogClient();

  // projectId, templateId and memberId are not defined until the lines
  // below are uncommented.
  // TODO: Uncomment and edit the following lines before running the sample.
  // const projectId = 'my-project';
  // const templateId = 'my-template';
  // const memberId = 'user:member@gmail.com';

  // Data Catalog currently stores metadata in us-central1, so the location
  // part of the resource name is fixed.
  const region = 'us-central1';
  const resource = client.tagTemplatePath(projectId, region, templateId);

  // The call resolves to an array; its first element is the policy.
  const [currentPolicy] = await client.getIamPolicy({resource});

  // Append the new grant. memberId is passed to the API as given.
  const grant = {
    role: 'roles/datacatalog.tagTemplateUser',
    members: [memberId],
  };
  currentPolicy.bindings.push(grant);

  // Write the policy back with the added binding.
  await client.setIamPolicy({resource, policy: currentPolicy});
}

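// Report a failed IAM update and exit non-zero instead of leaving the
// promise rejection unhandled.
grantTagTemplateUserRole().catch(err => {
  console.error(err);
  process.exitCode = 1;
});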

REST & CMD LINE

If you do not have access to Cloud Client libraries for your language or want to test the API using REST requests, see the following examples and refer to the Data Catalog REST API documentation.

Before using any of the request data below, make the following replacements:

  • project-id: GCP project ID
  • template-id: the tag template ID

HTTP method and URL:

POST https://datacatalog.googleapis.com/v1beta1/projects/project-id/locations/us-central1/tagTemplates/template-id:setIamPolicy

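Request JSON body (setIamPolicy replaces the template's existing policy with the one you send, so include any bindings you want to keep; you can retrieve the current policy with getIamPolicy first):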

{
  "policy":{
    "bindings":[
      {
        "role":"roles/datacatalog.tagTemplateUser",
        "members":[
          "user:username@gmail.com"
        ]
      }
    ]
  }
}

To send your request, expand one of these options:

You should receive a JSON response similar to the following:

{
  "version":1,
  "etag":"xxxxx.....",
  "bindings":[
    {
      "role":"roles/datacatalog.tagTemplateUser",
      "members":[
        "user:username@gmail.com"
      ]
    }
  ]
}