Use secure tags

This document describes how to create secure tags, attach them to a Dataproc cluster, and then use the tags to secure cluster networking.

Benefits of using secure tags

Secure tags have key differences from network tags, including Identity and Access Management access control, tag inheritance, and single VPC network binding, which produce the following key benefits:

Enhanced access control and security
Secure tags resolve the security issues inherent in network tags by putting tag management under IAM control. A network tag can be changed by any user who can modify the cluster's instances, and changing it changes which firewall rules apply to them. A secure tag can be attached only by principals that hold tag-specific IAM roles, so unauthorized tag changes, and the unwanted firewall rule changes that follow from them, are prevented.

Using secure tags in IAM policies enables conditional access control: roles are granted or denied based on the presence of a tag on the resource.

Simplified firewall management
Global and regional network firewall policies support secure tags, which simplifies firewall management for Dataproc clusters that run on shared networks.

Unlike VPC firewall rules, network firewall policies used with secure tags let you group multiple rules and update them together, all governed by IAM access controls. Compared with VPC firewall rules that use network tags, secure tags in network firewall policies give you stronger security and simpler management.

Hierarchical resource inheritance for efficient management
Secure tags inherit from parent resources within the Google Cloud hierarchy. This inheritance simplifies management by letting you define tags at a higher level—for example, at the organization level—so that they automatically propagate to child resources, such as folders and projects. This enables consistent tagging across your organization. For more information, see Tag inheritance.

Improved network management across shared and peered VPCs
Network tags identify sources or targets in firewall rules within a specified VPC network. Secure tags, when used to specify a source for an ingress rule in a network firewall policy, identify traffic sources in both the Dataproc cluster VPC network and peered VPC networks. When secure tags are used to specify targets for ingress or egress rules, they identify targets only within their own VPC network.

To learn more about the differences between Resource Manager tags and network tags, see Comparison of Tags and network tags.

To learn more about the differences between Resource Manager tags and labels, see Tags and labels.

Limitations

  • You can attach secure tags to a cluster only when you create the cluster.
  • Updating or deleting the secure tags attached to a cluster isn't supported.

Required roles

To get the permissions that you need to create and attach secure tags to a Dataproc cluster, ask your administrator to grant you the following IAM roles on Resource Manager tags:

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

Create a secure tag

To attach a secure tag to a Dataproc cluster, you must first create a Resource Manager tag with a specified key and one or more values.

Attach secure tags to the Dataproc cluster

Create a Dataproc cluster, specifying the secure tag TAG_KEY:TAG_VALUE pair.

Google Cloud CLI

To create a Dataproc cluster and attach a secure tag to it, run the gcloud dataproc clusters create command with the --resource-manager-tags flag.

gcloud dataproc clusters create CLUSTER_NAME \
  --region REGION \
  --resource-manager-tags=TAG_KEY=TAG_VALUE

Replace the following:

  • CLUSTER_NAME: the name of the new cluster.

  • REGION: the Compute Engine region in which to locate the cluster.

  • TAG_KEY and TAG_VALUE: the key and a value of the Resource Manager tag that you created. To attach multiple secure tags, specify a comma-separated list of KEY=VALUE pairs with different keys; a resource can carry only one value per tag key.

REST

To create a Dataproc cluster and attach a secure tag to it, include the resourceManagerTags field in the gceClusterConfig of a clusters.create request.

The following is a sample JSON body of a clusters.create request that attaches a "TAG_KEY":"TAG_VALUE" secure tag to the cluster:

{
  "projectId": "PROJECT_ID",
  "clusterName": "CLUSTER_NAME",
  "config": {
    "masterConfig": {
      "numInstances": 1,
      "machineTypeUri": "n1-standard-2",
      "imageUri": ""
    },
    "softwareConfig": {
      "imageVersion": "",
      "properties": {},
      "optionalComponents": []
    },
    "workerConfig": {
      "numInstances": 2,
      "machineTypeUri": "n1-standard-2",
      "imageUri": ""
    },
    "gceClusterConfig": {
      "zoneUri": "us-central1-a",
      "resourceManagerTags": {
        "TAG_KEY": "TAG_VALUE"
      }
    }
  }
}

Replace the following:

  • PROJECT_ID: your project ID that is listed in the Project info section in the Google Cloud console Dashboard.

  • CLUSTER_NAME: the name of the new cluster.

  • TAG_KEY and TAG_VALUE: the key and a value of the Resource Manager tag that you created. To attach multiple secure tags, add more entries to the resourceManagerTags map, each with a different key; map keys must be unique, and a resource can carry only one value per tag key.

Use secure tags for cluster networking

After attaching secure tags to a cluster, use secure tags to configure cluster networking:
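The following script, added here as an example and not Google's own code, walks the whole procedure end to end: it creates a tag key bound to one VPC network (the binding that makes it a secure tag) and a value under it, creates a Dataproc cluster with that tag attached, and then adds a global network firewall policy rule that uses the tag as both source and target so that only tagged instances can reach the tagged cluster on the chosen port. The organization ID, project, network, cluster, tag and policy names are assumed placeholders that you can override through the environment. By default the script only prints the gcloud commands it would run; set APPLY=1 to execute them. Passing the tag to gcloud as the tagKeys/ID=tagValues/ID resource names, and to the firewall rule as tagValues/ID, is an assumption about the flag format; the page writes the pair as TAG_KEY=TAG_VALUE.

```shell
#!/bin/sh
# Added example, not Google's own script: create a secure tag, attach it to a
# new Dataproc cluster, then reference it from a network firewall policy rule.
# Every value below is an assumed placeholder; override it via the environment.
# APPLY=0 (default) prints the gcloud commands; APPLY=1 executes them.
set -eu

ORG_ID="${ORG_ID:-123456789012}"          # assumed organization ID
PROJECT_ID="${PROJECT_ID:-my-project}"
NETWORK="${NETWORK:-default}"             # VPC network the tag key is bound to
REGION="${REGION:-us-central1}"
CLUSTER_NAME="${CLUSTER_NAME:-tagged-cluster}"
TAG_KEY="${TAG_KEY:-dataproc-tier}"
TAG_VALUE="${TAG_VALUE:-prod}"
POLICY="${POLICY:-dataproc-fw-policy}"
APPLY="${APPLY:-0}"

# Conservative name check: 1-63 chars, alphanumeric plus "_", "." and "-".
# It keeps the eval in run() safe and also rejects "," and "=", which the
# comma-separated KEY=VALUE syntax of --resource-manager-tags cannot carry.
check_name() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9_.-]{0,62}$'
}

# Execute a command line when APPLY=1, otherwise just show it.
run() {
  if [ "$APPLY" = 1 ]; then eval "$1"; else printf '%s\n' "$1"; fi
}

# Step 1: tag key bound to one VPC network (the binding makes it a secure
# tag) and one value under that key.
cmd_tag_key_create() {
  printf 'gcloud resource-manager tags keys create %s --parent=organizations/%s --purpose=GCE_FIREWALL --purpose-data=network=%s/%s\n' \
    "$TAG_KEY" "$ORG_ID" "$PROJECT_ID" "$NETWORK"
}
cmd_tag_value_create() {
  printf 'gcloud resource-manager tags values create %s --parent=%s/%s\n' \
    "$TAG_VALUE" "$ORG_ID" "$TAG_KEY"
}

# Resolve the tag's resource names (tagKeys/ID, tagValues/ID). Assumption:
# the Dataproc and firewall flags accept this form. In plan mode the IDs are
# placeholders because nothing has been created yet.
resolve_tag_ids() {
  if [ "$APPLY" = 1 ]; then
    TAG_KEY_ID=$(gcloud resource-manager tags keys describe "$ORG_ID/$TAG_KEY" --format='value(name)')
    TAG_VALUE_ID=$(gcloud resource-manager tags values describe "$ORG_ID/$TAG_KEY/$TAG_VALUE" --format='value(name)')
  else
    TAG_KEY_ID="tagKeys/TAG_KEY_ID"
    TAG_VALUE_ID="tagValues/TAG_VALUE_ID"
  fi
}

# Step 2: create the cluster with the tag. This is the only point at which
# the tag can be attached (see Limitations).
cmd_cluster_create() {
  printf 'gcloud dataproc clusters create %s --project=%s --region=%s --resource-manager-tags=%s=%s\n' \
    "$CLUSTER_NAME" "$PROJECT_ID" "$REGION" "$TAG_KEY_ID" "$TAG_VALUE_ID"
}

# Step 3: global network firewall policy, associated with the VPC, with one
# ingress rule that allows TCP/8088 (YARN ResourceManager UI) only from
# instances carrying the tag to instances carrying the tag.
cmd_policy_create() {
  printf 'gcloud compute network-firewall-policies create %s --project=%s --global\n' "$POLICY" "$PROJECT_ID"
}
cmd_policy_associate() {
  printf 'gcloud compute network-firewall-policies associations create --firewall-policy=%s --network=%s --global-firewall-policy --project=%s\n' \
    "$POLICY" "$NETWORK" "$PROJECT_ID"
}
cmd_rule_create() {
  printf 'gcloud compute network-firewall-policies rules create 1000 --firewall-policy=%s --global-firewall-policy --project=%s --direction=INGRESS --action=allow --layer4-configs=tcp:8088 --src-secure-tags=%s --target-secure-tags=%s\n' \
    "$POLICY" "$PROJECT_ID" "$TAG_VALUE_ID" "$TAG_VALUE_ID"
}

main() {
  for n in "$TAG_KEY" "$TAG_VALUE" "$CLUSTER_NAME" "$POLICY" "$NETWORK"; do
    check_name "$n" || { echo "refusing unsafe name: $n" >&2; return 1; }
  done
  run "$(cmd_tag_key_create)"
  run "$(cmd_tag_value_create)"
  resolve_tag_ids
  run "$(cmd_cluster_create)"
  run "$(cmd_policy_create)"
  run "$(cmd_policy_associate)"
  run "$(cmd_rule_create)"
}

main
```

Because the command lines are assembled as strings and passed through eval, check_name restricts every name to a conservative character set before anything runs; that check also rules out "," and "=" in a tag key or value, which the comma-separated KEY=VALUE syntax of --resource-manager-tags could not represent. The tag key is bound to exactly one VPC network, which is why the rule can match it as a target only inside that network, while as a source it would also match tagged instances in peered networks. Since the tag cannot be added to or removed from the cluster afterward, review the printed plan before rerunning with APPLY=1.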

What's next