Organize resources using tags

This page describes Google Cloud tags and how to use them with Dataproc Metastore. To add tags to Dataproc Metastore Services and Federations using the Google Cloud CLI, see Attach and manage tags.

Overview of tags

Google Cloud tags_ are key-value pairs that you can use to organize your Dataproc Metastore resources.

For example, a tag key can be a property, such as environment, and the tag value can be an attribute, such as development or production. A tag can have only one value for a given key on a particular resource.

Tags are created at the organization or project level. In Dataproc Metastore, they are attached to the service or or federation resources through the Resource Manager, which is used across Google Cloud.

You can add a reference to tags in Identity and Access Management (IAM) policy bindings to grant conditional access to resources. Tags are different from labels which are another way to organize and filter your Dataproc Metastore resources. Tags and labels work independently of each other, and you can use both on the same Dataproc Metastore resource.

Grant permissions based on conditional tag bindings

After you attach a tag to an Dataproc Metastore resource, you can use the tag with IAM Conditions to conditionally grant access to Dataproc Metastore resources. For more information about setting conditions based on tags, see Resource tags. IAM Conditions let you impose fine-grained access control on Dataproc Metastore resources.

To use IAM Conditions, you reference the tags in IAM policy bindings. For more information about how to control access to your Google Cloud resources using use tags with IAM, see Tags and conditional access.

Limitations

Tags have the following restrictions:

  • You can't attach tags to the instance resource in Dataproc Metastore.
  • Backup and metadata import resources don't inherit tags from their corresponding services.

What's next