This document describes how to use Tags to manage your Cloud Logging log buckets. Tags, which are created at the organization- or project-level, let you annotate your resources. You can also conditionally grant Identity and Access Management roles or conditionally deny Identity and Access Management permissions based on whether a resource has a specific tag. For information about tags, see Tags overview.
For example, if you use BigQuery to analyze your Cloud Billing data, then you might attach the project:production tag to log buckets that store log data from production resources, and you might attach the project:development tag to log buckets that store log data from development resources. Then, you can query Cloud Billing data with tags.
Tags can be explicitly attached to log buckets, or inherited from their parent organization, folders, and projects.
Before you begin
To get started with managing your log buckets by using tags, do the following:
- Ensure that you've enabled billing for your Google Cloud project.
- Ensure that you've created a tag and configured its values. You use Resource Manager to manage tag definitions. For information about how to create and manage tags, see Creating and managing tags.
- To get the permissions that you need to manage your log buckets by using tags, ask your administrator to grant you the following IAM roles on the project or organization:
  - Tag User (roles/resourcemanager.tagUser)
  - Tag Viewer (roles/resourcemanager.tagViewer)
  For more information about granting roles, see Manage access to projects, folders, and organizations.
  These predefined roles contain the permissions required to manage your log buckets by using tags. The exact permissions that are required are listed in the Required permissions section:
  Required permissions
  The following permissions are required to manage your log buckets by using tags:
  - Add or remove tags to log buckets:
    - resourcemanager.tagValues.[get,list]
    - resourcemanager.tagKeys.[get,list]
    - resourcemanager.projects.get
    - logging.buckets.createTagbinding
    - logging.buckets.deleteTagBinding
  - View tags that are attached to log buckets:
    - resourcemanager.tagValues.[get,list]
    - resourcemanager.tagKeys.[get,list]
    - logging.buckets.listTagBindings
    - logging.buckets.listEffectiveTags
  You might also be able to get these permissions with custom roles or other predefined roles.
- To get the permission that you need to manage log buckets, ask your administrator to grant you the Logs Configuration Writer (roles/logging.configWriter) IAM role on your project. For more information about granting roles, see Manage access to projects, folders, and organizations. This predefined role contains the logging.buckets.list permission, which is required to manage log buckets. You might also be able to get this permission with custom roles or other predefined roles.
Attach tags to a log bucket
To attach a tag to a log bucket, do the following:
Google Cloud console
- In the Google Cloud console, go to the Logs Storage page. If you use the search bar to find this page, then select the result whose subheading is Logging.
- Locate the log bucket to attach a tag to.
- On the log bucket, click More, and then click Edit tags.
- In the dialog, in the Direct tags section, locate the tag by selecting the resource in which the tag was created. For example, to use a tag that was created at the project-level, choose Select current project as the scope. You can also manually search for the project, organization, or tag ID by selecting the Manual Entry option.
- Select the appropriate key-value pair, then click Save.
- A dialog confirming your changes appears. Click Confirm to finalize your changes.
gcloud
To attach a tag to a log bucket, create a tag binding by running the gcloud resource-manager tags bindings create command:
gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE_ID \
    --parent=BUCKET_NAME \
    --location=LOCATION
In the previous command, make the following replacements:
- TAG_VALUE_ID: The permanent ID or the namespaced name of the tag value. For example, tagValues/4567890123. For more information about tag identifiers, see Tag definitions and identifiers.
- BUCKET_NAME: The name of the log bucket. For example, logging.googleapis.com/projects/BUCKET_PROJECT_ID/locations/LOCATION/buckets/BUCKET_ID.
- LOCATION: The location of the log bucket.
API
To attach a tag to a log bucket, use the tagBindings.create method.
View tags attached to a log bucket
To view the tags attached to a log bucket, do the following:
Google Cloud console
- In the Google Cloud console, go to the Logs Storage page. If you use the search bar to find this page, then select the result whose subheading is Logging.
- Locate the log bucket whose tags you want to view.
- In the Tags column, a tag associated with the log bucket is listed. To view all tags associated with the log bucket, click the More button to expand the list of tags.
gcloud
Run the gcloud resource-manager tags bindings list command:
gcloud resource-manager tags bindings list \
    --parent=BUCKET_NAME \
    --location=LOCATION
In the previous command, make the following replacements:
- BUCKET_NAME: The name of the log bucket. For example, logging.googleapis.com/projects/BUCKET_PROJECT_ID/locations/LOCATION/buckets/BUCKET_ID.
- LOCATION: The location of the log bucket.
Optional: To view tags inherited by the log bucket, add the --effective flag. Adding this flag returns a response similar to the following:
namespacedTagKey: 961309089256/environment
namespacedTagValue: 961309089256/environment/production
tagKey: tagKeys/417628178507
tagValue: tagValues/247197504380
inherited: true
If all tags are explicitly attached to the log bucket and no tags are inherited, then the inherited field is false and is omitted.
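When IAM conditions depend on a tag, it is worth checking whether a log bucket carries that tag directly or only through inheritance. The following added example (not part of the original documentation) classifies a tag value from the --effective response; the function name tag_status, the second sample record, and the '---' record separator are assumptions.

```shell
#!/bin/sh
# Added example: classify how a log bucket carries a given tag value, based on
# the output of `gcloud resource-manager tags bindings list ... --effective`.

# tag_status NAMESPACED_TAG_VALUE   (hypothetical helper name)
# Reads the --effective listing on stdin and prints one of:
#   direct     the tag value is bound to the bucket itself
#   inherited  the tag value comes from a parent project, folder or organization
#   missing    the tag value is not in effect on the bucket
# Assumption: records are separated by '---' lines (YAML document markers).
tag_status() {
  awk -v want="$1" '
    function end_record() {
      if (value == want) {
        # The inherited field is omitted when false, so anything but "true"
        # means the binding is attached directly to the bucket.
        if (inherited == "true") { if (result == "missing") result = "inherited" }
        else result = "direct"
      }
      value = ""; inherited = ""
    }
    BEGIN { result = "missing" }
    /^---/ { end_record(); next }
    $1 == "namespacedTagValue:" { value = $2 }
    $1 == "inherited:" { inherited = $2 }
    END { end_record(); print result }
  '
}

# Constructed sample: the response shown above plus a constructed record for a
# directly attached tag (its IDs are made up for illustration).
SAMPLE_EFFECTIVE='---
namespacedTagKey: 961309089256/environment
namespacedTagValue: 961309089256/environment/production
tagKey: tagKeys/417628178507
tagValue: tagValues/247197504380
inherited: true
---
namespacedTagKey: 961309089256/team
namespacedTagValue: 961309089256/team/secops
tagKey: tagKeys/111111111111
tagValue: tagValues/222222222222'

# Live use, with the same placeholders as the commands above:
#   gcloud resource-manager tags bindings list --parent=BUCKET_NAME \
#     --location=LOCATION --effective | tag_status ORG_ID/environment/production
```

A result of inherited means that deleting tag bindings on the bucket does not remove the tag; it must be changed on the parent resource.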
API
To get a list of tag bindings for a bucket, use the tagBindings.list method.
Remove tags on a log bucket
To remove the tags attached to a log bucket, you must delete the tag binding attached to the log bucket. To delete a tag, you must remove the tags from all attached resources.
Google Cloud console
- In the Google Cloud console, go to the Logs Storage page. If you use the search bar to find this page, then select the result whose subheading is Logging.
- Locate the log bucket whose tag you want to remove.
- On the log bucket, click More, and then click Edit tags.
- In the dialog, hold the pointer over the tag to remove, and click Delete item. Click Save to save your changes.
- A dialog confirming your changes appears. Click Confirm to finalize your changes.
gcloud
Run the gcloud resource-manager tags bindings delete command:
gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE_ID \
    --parent=BUCKET_NAME \
    --location=LOCATION
In the previous command, make the following replacements:
- TAG_VALUE_ID: The permanent ID or the namespaced name of the tag value. For example, tagValues/4567890123. For more information about tag identifiers, see Tag definitions and identifiers.
- BUCKET_NAME: The name of the log bucket. For example, logging.googleapis.com/projects/BUCKET_PROJECT_ID/locations/LOCATION/buckets/BUCKET_ID.
- LOCATION: The location of the log bucket.
API
To remove a tag on a log bucket, use the tagBindings.delete method.
Limitations
- If you use Cloud Billing data exports with BigQuery, then tags might take up to an hour to be used in the export. If a tag has been added or removed within an hour, or if the log bucket has existed for less than an hour, it might not appear in the export.
What's next
Learn how to set an organization policy with Tags.
For information about using tags in Cloud Billing data exports, see the Cloud Billing data exports documentation.