Access control with tags

Overview

This page describes tags and how to use them with Datastream. To use gcloud to attach, detach, and list tags on your Datastream resources, see Manage tags.

Tags are a way to organize your Datastream resources. These resources include private connectivity configurations, connection profiles, and streams.

Tags are applied at higher levels of the resource hierarchy across Google Cloud, and Datastream resources (like other resources) inherit them. Tags are managed using Resource Manager. You can reference tags in IAM policy bindings to grant conditional access to resources.

Tags are different from labels, which are another way to organize and filter your resources in Datastream. Tags and labels work independently of each other, and you can use both on the same resource. You can learn about using labels with Datastream resources, including connection profiles and streams.

What are tags?

Tags are key-value pairs you can apply to your Datastream resources for fine-grained access control.

A tag key could be a property, such as environment, and the tag value could be an attribute, such as development or production. A tag can have only one value for a given key on a particular resource.

Tags are created at the Organization level. Tags are attached to resources, such as a project or a Datastream private connectivity configuration, connection profile, or stream, through the Resource Manager, which is used across Google Cloud.

Grant permissions based on conditional tag bindings

After a tag is attached to or inherited by a Datastream resource, you can use the tag with IAM Conditions to grant access to Datastream resources conditionally. IAM Conditions let you impose fine-grained access control on Datastream resources. To use IAM Conditions, you reference the tag in IAM policy bindings.
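The following is an added example, not code from the Datastream documentation or from Google. It models, offline, the two points made above: a tag key carries only one value per resource and is inherited down the hierarchy, and an IAM binding whose condition references that tag grants a role only on resources whose effective tag matches. The organization id `123456789012`, the project and stream names, the group principal, the tag key `environment`, and the use of `roles/datastream.viewer` as the granted role are all constructed sample values. The condition string follows the IAM Conditions form `resource.matchTag('ORG_ID/KEY', 'VALUE')`, but the evaluator below is a minimal stand-in for that single function, not a CEL engine, and the rule that a directly attached value overrides an inherited value for the same key is the behaviour being modelled here, not something this page states.

```python
"""Offline model of tag inheritance and a tag-conditioned IAM binding.

Added example; not Datastream's or Google's code. All ids, names and
principals below are constructed sample values.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ORG_ID = "123456789012"  # constructed sample organization id (assumption)


@dataclass
class Resource:
    """A node in the Google Cloud resource hierarchy (org -> project -> Datastream resource)."""
    name: str
    parent: Optional["Resource"]
    tags: Dict[str, str] = field(default_factory=dict)  # tag key -> single value

    def attach_tag(self, key: str, value: str) -> None:
        # A tag can have only one value for a given key on a resource, so a
        # second attachment for the same key replaces the first.
        self.tags[key] = value


def effective_tags(res: Resource) -> Dict[str, str]:
    """Tags directly attached to `res` merged with tags inherited from its ancestors.

    Modelled rule (assumption): a directly attached value wins over an
    inherited value for the same key.
    """
    chain: List[Resource] = []
    node: Optional[Resource] = res
    while node is not None:
        chain.append(node)
        node = node.parent
    merged: Dict[str, str] = {}
    for node in reversed(chain):  # organization first, the resource itself last
        merged.update(node.tags)
    return merged


# Only the single IAM Conditions function used on this page is recognised.
_MATCH_TAG = re.compile(r"^resource\.matchTag\('([^'/]+)/([^']+)',\s*'([^']+)'\)$")


def condition_holds(expression: str, res: Resource) -> bool:
    """Evaluate resource.matchTag('ORG_ID/KEY', 'VALUE') against the resource's effective tags."""
    m = _MATCH_TAG.match(expression.strip())
    if not m:
        raise ValueError("only resource.matchTag('ORG_ID/KEY', 'VALUE') is modelled here")
    org, key, value = m.groups()
    if org != ORG_ID:
        return False  # a tag key from another organization never matches
    return effective_tags(res).get(key) == value


def conditional_binding(role: str, member: str, key: str, value: str) -> dict:
    """Build one policy binding in the JSON shape IAM uses, with a tag condition."""
    return {
        "role": role,
        "members": [member],
        "condition": {
            "title": f"{key}-is-{value}",
            "expression": f"resource.matchTag('{ORG_ID}/{key}', '{value}')",
        },
    }


def is_granted(policy: dict, member: str, role: str, res: Resource) -> bool:
    """True if some binding grants `role` to `member` and its condition holds on `res`."""
    for binding in policy["bindings"]:
        if binding["role"] != role or member not in binding["members"]:
            continue
        cond = binding.get("condition")
        if cond is None or condition_holds(cond["expression"], res):
            return True
    return False


def build_sample_hierarchy() -> Dict[str, Resource]:
    """Constructed sample: two projects under one org, each with a stream."""
    org = Resource(f"organizations/{ORG_ID}", None)
    prod = Resource("projects/prod-proj", org)
    prod.attach_tag("environment", "production")
    dev = Resource("projects/dev-proj", org)
    dev.attach_tag("environment", "development")
    return {
        "prod_stream": Resource("projects/prod-proj/locations/us-central1/streams/orders", prod),
        "dev_stream": Resource("projects/dev-proj/locations/us-central1/streams/orders", dev),
        # Directly tagged as development even though its project is production.
        "scratch_stream": Resource("projects/prod-proj/locations/us-central1/streams/scratch", prod),
    }


SAMPLE_POLICY = {
    "bindings": [
        conditional_binding("roles/datastream.viewer", "group:data-ops@example.com",
                            "environment", "production")
    ]
}

if __name__ == "__main__":
    res = build_sample_hierarchy()
    res["scratch_stream"].attach_tag("environment", "development")
    for label, r in res.items():
        ok = is_granted(SAMPLE_POLICY, "group:data-ops@example.com", "roles/datastream.viewer", r)
        print(f"{label:15s} effective={effective_tags(r)} granted={ok}")
```

The binding that `conditional_binding` returns is the piece you would place under `bindings` in a policy applied with `gcloud projects set-iam-policy`; everything else in the block exists only to show why the stream under the production project is readable by the group while the one under the development project is not, and why a development value attached directly to a stream in the production project takes it out of the grant.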

Restrictions

Tags have the following restrictions:

  • Organization policies can conditionally reference tags inherited from the Project level and above, but don't support tags that are directly attached to Datastream resources.
  • Cloud Audit logs show the creation and deletion of tags, but entries are not generated for attaching tags and viewing tag bindings on Datastream resources.

What's next