Manage tags

Stay organized with collections Save and categorize content based on your preferences.

In this section, you learn how to attach, detach, and list tags on Datastream resources, such as streams, connection profiles, or private connections. For an overview of tags on Datastream, see Access control with tags.

About tags

A tag is a key-value pair that can attach to a resource within Google Cloud. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. For example, you can conditionally grant Identity and Access Management (IAM) roles based on whether a resource has a specific tag. For more information about tags, see Tags overview.

Tags are attached to resources by creating a tag binding resource that links the value to the Google Cloud resource.

To group streams, connection profiles, or private connections within Datastream for automation and billing purposes, use labels. Tags and labels work independently of each other, and you can apply both to resources.

Required permissions

The permissions you need depend on the action you need to perform.

To gain these permissions, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy.

View tags

To view tag definitions and tags that are attached to resources, you need the Tag Viewer role (roles/resourcemanager.tagViewer), or another role that includes the following permissions:

Required permissions

  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.list
  • resourcemanager.tagValues.get
  • listTagBindings for the appropriate resource type. For example, compute.instances.listTagBindings for viewing tags attached to Compute Engine instances.
  • listEffectiveTags
    • for the appropriate resource type. For example, compute.instances.listEffectiveTags for viewing all tags attached to or inherited by Compute Engine instances.

Administer tags

To create, update, and delete tag definitions, you need the Tag Administrator role (roles/resourcemanager.tagAdmin), or another role that includes the following permissions:

Required permissions

  • resourcemanager.tagKeys.create
  • resourcemanager.tagKeys.update
  • resourcemanager.tagKeys.delete
  • resourcemanager.tagKeys.list
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.getIamPolicy
  • resourcemanager.tagKeys.setIamPolicy
  • resourcemanager.tagValues.create
  • resourcemanager.tagValues.update
  • resourcemanager.tagValues.delete
  • resourcemanager.tagValues.list
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.getIamPolicy
  • resourcemanager.tagValues.setIamPolicy

Manage tags on resources

To add and remove tags that are attached to resources, you need the Tag User role (roles/resourcemanager.tagUser), or another role with equivalent permissions, on both the tag value and the resources that you are attaching the tag value to. The Tag User role includes the following permissions:

Required permissions

  • Permissions required for the resource you're attaching the tag value
    • Resource-specific createTagBinding permission, such as compute.instances.createTagBinding for Compute Engine instances.
    • Resource-specific deleteTagBinding permission, such as compute.instances.deleteTagBinding for Compute Engine instances.
  • Permissions required for the tag value:
    • resourcemanager.tagValueBindings.create
    • resourcemanager.tagValueBindings.delete
  • Permissions that let you view projects and tag definitions:
    • resourcemanager.tagValues.get
    • resourcemanager.tagValues.list
    • resourcemanager.tagKeys.get
    • resourcemanager.tagKeys.list
    • resourcemanager.projects.get

To attach tags to Datastream resources, you need the Datastream Admin role (roles/datastream.admin), or another role that includes the following permissions:

Required permissions

  • datastream.connectionProfiles.createTagBinding
  • datastream.connectionProfiles.deleteTagBinding
  • datastream.connectionProfiles.listTagBindings
  • datastream.connectionProfiles.listEffectiveTags
  • datastream.streams.createTagBinding
  • datastream.streams.deleteTagBinding
  • datastream.streams.listTagBindings
  • datastream.streams.listEffectiveTags
  • datastream.privateConnections.createTagBinding
  • datastream.privateConnections.deleteTagBinding
  • datastream.privateConnections.listTagBindings
  • datastream.privateConnections.listEffectiveTags

Create tag keys and values

Before you can attach a tag, you need to create a tag and configure its value. To create tag keys and tag values, see Creating a tag and Adding a tag value.

Attach a tag to a stream, connection profile, or private connection

After the tag has been created, you must attach it to a stream, connection profile, or private connection.

Console

  1. Go to the Datastream page in the Google Cloud console.

    2. Go to Datastream

  2. Select the page for the resource to which you want to attach a tag. For example, to attach a tag to a connection profile, go to the Connection profiles page.
  3. Click Tags.
  4. In the Tags panel, select Add tag.
  5. Select the key for the tag you want to attach from the list. You can filter the list by typing keywords.
  6. Select the value for the tag you want to attach from the list. You can filter the list by typing keywords.
  7. Click Save.
  8. In the Confirm dialog, click Confirm to attach the tag.

    9. A notification confirms that your tags updated.

gcloud

To attach a tag to a stream, connection profile, or private connection, you must create a tag binding resource by using the gcloud resource-manager tags bindings create command: 

gcloud resource-manager tags bindings create \
    --tag-value=TAGVALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION

Where:

  • TAGVALUE_NAME is the permanent ID or namespaced name of the tag value that is attached; for example: tagValues/567890123456.
  • RESOURCE_ID is the full ID of the resource, including the API domain name to identify the type of resource (//datastream.googleapis.com/). For example, to attach a tag to projects/PROJECT_NAME/streams/STREAM_NAME, the full ID is: //datastream.googleapis.com/projects/PROJECT_NAME/streams/STREAM_NAME.
  • LOCATION is the location of your resource. If you are attaching a tag to a global resource, such as a folder or a project, you should omit this flag. If you are attaching a tag to a regional resource, you must specify the location; for example: us-central1.

List tags attached to a stream, connection profile, or private connection

You can view a list of tag bindings directly attached to or inherited by the stream, connection profile, or private connection.

Console

  1. Go to the Datastream page in the Google Cloud console.

    2. Go to Datastream

  2. Select the page for the resource to which you want to view tags. For example, to view tags for connection profile, go to the Connection profiles page.

    Tags are displayed in the Tags column of the stream, connection profile, or private connection.

gcloud

To get a list of tag bindings attached to a resource, use the gcloud resource-manager tags bindings list command: 

gcloud resource-manager tags bindings list \
    --parent=RESOURCE_ID \
    --location=LOCATION

Where:

  • RESOURCE_ID is the full ID of the resource, including the API domain name to identify the type of resource (//datastream.googleapis.com/). For example, to attach a tag to projects/PROJECT_NAME/streams/STREAM_NAME, the full ID is: //datastream.googleapis.com/projects/PROJECT_NAME/streams/STREAM_NAME.
  • LOCATION is the location of your resource. If you are viewing a tag attached to a global resource, such as a folder or a project, you should omit this flag. If you are viewing a tag attached to a regional resource, you must specify the location; for example: us-central1.

    • You should get a response similar to the following:

    name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456
    tagValue: tagValues/567890123456
    resource: //datastream.googleapis.com/projects/project-abc/streams/stream-xyz<

Detach tags from a stream, connection profile, or private connection

You can detach tags that have been directly attached to a stream, connection profile, or private connection. Inherited tags can be overridden by attaching a tag with the same key and a different value, but they can't be detached. Before you can delete a tag, you must detach its key and values from every resource to which it is attached.

Console

  1. Go to the Datastream page in the Google Cloud console.

    2. Go to Datastream

  2. Select the page for the resource to which you want to remove a tag. For example, to remove a tag from a connection profile, go to the Connection profiles page.
  3. Click Tags.
  4. In the Tags panel, next to the tag you want to detach, click Delete item.
  5. Click Save.
  6. In the Confirm dialog, click Confirm to detach the tag.

    7. A notification confirms that your tags updated.

gcloud

To delete a tag binding, use the gcloud resource-manager tags bindings delete command: 

gcloud resource-manager tags bindings delete \
    --tag-value=TAGVALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION

Where:

  • TAGVALUE_NAME is the permanent ID or namespaced name of the tag value that is attached; for example: tagValues/567890123456.
  • RESOURCE_ID is the full ID of the resource, including the API domain name to identify the type of resource (//datastream.googleapis.com/). For example, to attach a tag to projects/PROJECT_NAME/streams/STREAM_NAME, the full ID is: //datastream.googleapis.com/projects/PROJECT_NAME/streams/STREAM_NAME.
  • LOCATION is the location of your resource. If you are attaching a tag to a global resource, such as a folder or a project, you should omit this flag. If you are attaching a tag to a regional resource, you must specify the location; for example: us-central1.

Delete tag keys and values

When removing a tag key or value definition, ensure the tag is detached from the stream, connection profile, or private connection. You must delete existing tag attachments, called tag bindings, before deleting the tag definition itself. To delete tag keys and tag values, see Deleting tags.

Identity and Access Management conditions and tags

You can use tags and IAM conditions to conditionally grant role bindings to users in your hierarchy. Changing or deleting the tag attached to a resource can remove user access to that resource, if an IAM policy with conditional role bindings has been applied. For more information, see Identity and Access Management conditions and tags.

What's next

Previous
Delete a private connectivity configuration
Next
Manage private connectivity configurations