This topic shows you how to attach a tag to your existing domain in Managed Service for Microsoft Active Directory (Managed Microsoft AD), list tags attached to a domain, and remove tags from a domain.
Overview
A tag is a key-value pair that you can attach to a resource within Google Cloud. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. For example, you can conditionally grant IAM roles based on whether a Managed Microsoft AD domain has a specific tag. For more information about tags, see Tags overview.
Tags are attached to resources by creating a tag binding resource that links the value to the Google Cloud resource.
Before you begin
Before you begin, do the following:
- Create a Managed Microsoft AD domain.
- Create tag keys and add tag values. For more information about creating tag keys and adding tag values, see Creating and managing tags.
- Get the permanent ID of tag values. Permanent ID is a unique identifier that is displayed when a tag value is added to the tag key. For more information, see Tag definitions and identifiers.
- Make sure that you have the Tag User role (roles/resourcemanager.tagUser). For more information about the role, see Resource Manager roles.
Attach tags to a domain
You must create a tag binding resource to attach a tag to your Managed Microsoft AD domain.
Run the following gcloud CLI command:
gcloud alpha resource-manager tags bindings create --tag-value=TAG_VALUE_ID --parent=DOMAIN_NAME
Replace the following:
- TAG_VALUE_ID: The permanent ID or namespaced name of the tag value to be attached. For example, tagValues/1234567890.
- DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain, in the form //managedidentities.googleapis.com/projects/PROJECT_ID/locations/global/domains/DOMAIN-NAME
You receive the details of the tag binding created as a response.
done: true
response:
  '@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
  name: TAG_BINDING_NAME
  parent: DOMAIN_NAME
  tagValue: TAG_VALUE_ID
After you create the tag binding, you can configure organization policies for these tags using conditions that define when the policy must be enforced. For more information, see Setting an organization policy with tags.
List tags attached to a domain
You can get the list of tag binding resources attached to your Managed Microsoft AD domain.
Run the following gcloud CLI command:
gcloud alpha resource-manager tags bindings list --parent=DOMAIN_NAME
Replace the following:
- DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain, in the form //managedidentities.googleapis.com/projects/PROJECT_ID/locations/global/domains/DOMAIN-NAME
You receive the list of tag binding resources attached to your domain as a response.
tagBindings:
  name: TAG_BINDING_NAME
  parent: DOMAIN_NAME
  tagValue: TAG_VALUE_ID
Detach tags from a domain
You must delete the tag binding resource to detach a tag from your Managed Microsoft AD domain.
Run the following gcloud CLI command:
gcloud alpha resource-manager tags bindings delete --tag-value=TAG_VALUE_ID --parent=DOMAIN_NAME
Replace the following:
- TAG_VALUE_ID: The permanent ID or namespaced name of the tag value to be detached. For example, tagValues/1234567890.
- DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain, in the form //managedidentities.googleapis.com/projects/PROJECT_ID/locations/global/domains/DOMAIN-NAME
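The following script is an added example, not part of the original documentation. It builds the --parent resource name, prints the three commands from this page after checking their inputs, and checks list output for an expected binding. The function names and the sample values my-project and ad.example.com are assumptions, and it accepts only the permanent ID form of a tag value.

```shell
#!/bin/sh
# Added example (not from the original page). Sample values are constructed.

# Build the full resource name that --parent expects for a domain.
domain_parent() {
  # Reject empty input and anything with "/" or whitespace, which would
  # alter the resource path or split the command line.
  case "$1$2" in
    ''|*/*|*[[:space:]]*) return 1 ;;
  esac
  [ -n "$1" ] && [ -n "$2" ] || return 1
  printf '//managedidentities.googleapis.com/projects/%s/locations/global/domains/%s\n' "$1" "$2"
}

# Accept only the permanent ID form: tagValues/<digits>.
valid_tag_value_id() {
  case "$1" in
    tagValues/|tagValues/*[!0-9]*) return 1 ;;
    tagValues/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print (do not run) the gcloud command for create, list or delete.
# Usage: tag_binding_cmd ACTION PROJECT_ID DOMAIN [TAG_VALUE_ID]
tag_binding_cmd() {
  parent="$(domain_parent "$2" "$3")" || { echo "bad project or domain" >&2; return 1; }
  case "$1" in
    list)
      printf 'gcloud alpha resource-manager tags bindings list --parent=%s\n' "$parent" ;;
    create|delete)
      valid_tag_value_id "$4" || { echo "bad tag value ID" >&2; return 1; }
      printf 'gcloud alpha resource-manager tags bindings %s --tag-value=%s --parent=%s\n' \
        "$1" "$4" "$parent" ;;
    *) echo "unknown action: $1" >&2; return 1 ;;
  esac
}

# Read "bindings list" output on stdin; succeed only if the exact tag value
# is bound (tagValues/123 must not match tagValues/1234567890).
has_tag_value() {
  grep -Eq "^[[:space:]-]*tagValue:[[:space:]]*$1[[:space:]]*\$"
}

# Demo with constructed values: review the printed commands before running them.
tag_binding_cmd create my-project ad.example.com tagValues/1234567890
tag_binding_cmd list my-project ad.example.com
```

Piping the real list output into has_tag_value confirms that a binding exists before you rely on a tag-conditioned IAM grant or organization policy.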
What's next
- Learn how to control access with tags.
- Learn how to set an organization policy with tags.