Enable your organization principals to use tags

Stay organized with collections Save and categorize content based on your preferences.

After you create a Data Catalog tag template in your resource project, you can grant the Data Catalog tagTemplateUser role to principals. This enables them to create metadata, that is, use your template to tag data resources. For more information, see Attaching tags to Google Cloud resources.

The next section shows how to grant the tagTemplateUser role.

Grant the tagTemplateUser role



To grant the Data Catalog tagTemplateUser role to a principal on a project, do the following:

  1. Go to IAM in the Google Cloud console and click the edit () button at the right of the principal's listing.

  2. In the Edit permissions dialog, click ADD ANOTHER ROLE, then click the Select a role drop-down list.

  3. In the Filter box, insert Data Catalog TagTemplate User to display this role, then select it and click SAVE.


Before trying this sample, follow the Java setup instructions in the Data Catalog quickstart using client libraries. For more information, see the Data Catalog Java API reference documentation.

import com.google.cloud.datacatalog.v1.DataCatalogClient;
import com.google.cloud.datacatalog.v1.TagTemplateName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

// Sample to grant tag access on template
public class GrantTagTemplateUserRole {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "my-project";
    String tagTemplateId = "my_tag_template";
    grantTagTemplateUserRole(projectId, tagTemplateId);

  public static void grantTagTemplateUserRole(String projectId, String templateId)
      throws IOException {
    // Currently, Data Catalog stores metadata in the us-central1 region.
    String location = "us-central1";

    // Format the Template name.
    String templateName =

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (DataCatalogClient dataCatalogClient = DataCatalogClient.create()) {

      // Create a Binding to add the Tag Template User role and member to the policy.
      Binding binding =

      // Create a Policy object to update Template's IAM policy by adding the new binding.
      Policy policyUpdate = Policy.newBuilder().addBindings(binding).build();

      SetIamPolicyRequest request =

      // Update Template's policy.
      System.out.println("Role successfully granted");


Before trying this sample, follow the Node.js setup instructions in the Data Catalog quickstart using client libraries. For more information, see the Data Catalog Node.js API reference documentation.

// Import the Google Cloud client library.
const {DataCatalogClient} = require('@google-cloud/datacatalog').v1;
const datacatalog = new DataCatalogClient();

async function grantTagTemplateUserRole() {
  // Grant the tagTemplateUser role to a member of the project.

   * TODO(developer): Uncomment the following lines before running the sample.
  // const projectId = 'my_project'; // Google Cloud Platform project
  // const templateId = 'my_existing_template';
  // const memberId = 'my_member_id'

  const location = 'us-central1';

  // Format the Template name.
  const templateName = datacatalog.tagTemplatePath(

  // Retrieve Template's current IAM Policy.
  const [getPolicyResponse] = await datacatalog.getIamPolicy({
    resource: templateName,
  const policy = getPolicyResponse;

  // Add Tag Template User role and member to the policy.
    role: 'roles/datacatalog.tagTemplateUser',
    members: [memberId],

  const request = {
    resource: templateName,
    policy: policy,

  // Update Template's policy.
  const [updatePolicyResponse] = await datacatalog.setIamPolicy(request);

  updatePolicyResponse.bindings.forEach(binding => {
    console.log(`Role: ${binding.role}, Members: ${binding.members}`);


Before trying this sample, follow the Python setup instructions in the Data Catalog quickstart using client libraries. For more information, see the Data Catalog Python API reference documentation.

from google.cloud import datacatalog_v1
from google.iam.v1 import iam_policy_pb2 as iam_policy
from google.iam.v1 import policy_pb2

datacatalog = datacatalog_v1.DataCatalogClient()

# TODO: Set these values before running the sample.
project_id = "project_id"
tag_template_id = "existing_tag_template_id"
# For a full list of values a member can have, see:
# https://cloud.google.com/iam/docs/reference/rest/v1/Policy?hl=en#binding
member_id = "user:super-cool.test-user@gmail.com"

# For all regions available, see:
# https://cloud.google.com/data-catalog/docs/concepts/regions
location = "us-central1"

# Format the Template name.
template_name = datacatalog_v1.DataCatalogClient.tag_template_path(
    project_id, location, tag_template_id

# Retrieve Template's current IAM Policy.
policy = datacatalog.get_iam_policy(resource=template_name)

# Add Tag Template User role and member to the policy.
binding = policy_pb2.Binding()
binding.role = "roles/datacatalog.tagTemplateUser"

set_policy_request = iam_policy.SetIamPolicyRequest(
    resource=template_name, policy=policy

# Update Template's policy.
policy = datacatalog.set_iam_policy(set_policy_request)

for binding in policy.bindings:
    for member in binding.members:
        print(f"Member: {member}, Role: {binding.role}")



If you do not have access to Cloud Client libraries for your language or want to test the API using REST requests, see the following examples and refer to the Data Catalog REST API documentation.

Before using any of the request data, make the following replacements:

  • project-id: GCP project ID
  • template-id: the tag template ID

HTTP method and URL:

POST https://datacatalog.googleapis.com/v1/projects/project-id/locations/us-central1/tagTemplates/template-id:setIamPolicy

Request JSON body:


To send your request, expand one of these options:

You should receive a JSON response similar to the following: