This guide describes how to create and manage tags. A tag is a key-value pair that can be attached to an organization, folder, or project. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag.
Before you begin
For more information about what tags are and how they work, see the Tags overview.
Required permissions
The permissions you need depend on the action you need to perform.
To gain these permissions, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy.
View tags
To view tag definitions, you need the Tag Viewer role (roles/resourcemanager.tagViewer), or another role that includes the following permissions:
resourcemanager.tagKeys.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.list
resourcemanager.tagValues.get
resourcemanager.resourceTagBindings.list
Administer tags
To create, update, and delete tag definitions, you need the Tag Administrator role (roles/resourcemanager.tagAdmin), or another role that includes the following permissions:
resourcemanager.tagKeys.create
resourcemanager.tagKeys.update
resourcemanager.tagKeys.delete
resourcemanager.tagKeys.list
resourcemanager.tagKeys.get
resourcemanager.tagValues.create
resourcemanager.tagValues.update
resourcemanager.tagValues.delete
resourcemanager.tagValues.list
resourcemanager.tagValues.get
Manage tags on resources
To add and remove tags that are attached to resources, you need the Tag User role (roles/resourcemanager.tagUser), or another role with equivalent permissions, on both the tag value and the resources that you are attaching the tag value to. The Tag User role includes the following permissions:
Permissions required for the resource you're attaching the tag value to:
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
Permissions required for the tag value:
resourcemanager.tagValueBindings.create
resourcemanager.tagValueBindings.delete
Permissions that let you view projects and tag definitions:
resourcemanager.tagValues.get
resourcemanager.tagKeys.list
resourcemanager.tagValues.list
resourcemanager.projects.get
Creating and defining a new tag
Tags consist of a key-value pair and are attached to an organization, folder, or project resource in your Google Cloud hierarchy. To create a new tag, you must first create a tag key that describes the tag you are creating. For example, you might want to specify production, test, and development environments for resources in your resource hierarchy by creating a key with the name env.
Then, you can create the different values that the key can have. If you created a tag key named env, you might want to specify that there are three potential environments, and create a value for each: prod, dev, and test.
You can create a maximum of 300 keys under a given organization, and a maximum of 300 values for each key.
Finally, you can attach these values to resources in your hierarchy, which carries with it the key-value pair association. For example, you could attach test to multiple test environment folders across your organization, and each one would carry the env: test key-value pair.
Creating a tag
To begin, you need to create a tag key.
The tag key's shortName can have a maximum length of 63 characters. The permitted character set for the shortName includes upper- and lower-case alphanumerics (no internationalization), hyphens, underscores and periods. The shortName must begin and end with an alphanumeric character. Once the shortName has been created, it cannot be changed, and must be unique within the same namespace.
Console
To create a new tag key, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click Create tag.
In the Tag name box, enter the display name of your tag key. This becomes part of the namespaced name of your tag.
In the Tag description box, enter a description of your tag key.
If you want to add tag values to this key, click Add value for each tag value you want to create.
In the Tag value box, enter the display name of your tag value. This becomes part of the namespaced name of your tag.
In the Tag value description box, enter a description of your tag value.
When you have finished adding tag values, click Create tag.
gcloud
To create a new tag key, use the gcloud alpha resource-manager tags keys create command:
gcloud alpha resource-manager tags keys create SHORT_NAME \
    --parent=organizations/ORGANIZATION_ID
Where:
SHORT_NAME is the display name for your tag key. For example: env
ORGANIZATION_ID is the ID of the organization to be the parent resource to this tag key. For example: 12345678901. To learn how to get your organization ID, see Creating and managing organizations.
You should get a response similar to the following:
Creating tag key env in organization 1234567890...
<blocking wait until creation completes>
name: tagKeys/123456789012
short_name: env
namespaced_name: 12345678901/env
parent: organizations/12345678901
API
To create a new tag key, create a JSON representation of the key. For more information about the format of a tag key, see the TagKey reference.
Then, use the tagKeys.create method:
POST https://cloudresourcemanager.googleapis.com/v3/tagKeys/ -d
Request JSON body:
{
  "parent": "ORGANIZATION_ID",
  "shortName": "SHORT_NAME",
  "description": "DESCRIPTION"
}
Where:
SHORT_NAME is the display name for your tag key. For example: env
ORGANIZATION_ID is the ID of the organization to be the parent resource to this tag key. For example: organizations/12345678901. To learn how to get your organization ID, see Creating and managing organizations.
DESCRIPTION is a description of the key, and no longer than 256 characters.
After you have created the key, you can find the unique human-readable display name called the namespacedName that is namespaced within its parent organization, and a globally unique permanent ID called the name.
Viewing a tag key
You can find information about a particular tag key using the permanent ID or namespaced name that is displayed when you created it.
Console
To view a created tag, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
All tags in this organization appear in the list. Click on the tag for which you want to see the tag key.
gcloud
To display the information related to a given tag key, use the gcloud alpha resource-manager tags keys describe command:
gcloud alpha resource-manager tags keys describe TAGKEY_NAME
Where TAGKEY_NAME is the permanent ID or namespaced name of the tag key for which you want to display information. For example: tagKeys/123456789012
You should get a response similar to the following:
name: tagKeys/123456789012
short_name: env
namespaced_name: 12345678901/env
parent: organizations/12345678901
API
To display the information related to a given tag key, use the tagKeys.get method:
GET https://cloudresourcemanager.googleapis.com/v3/{name=TAGKEY_NAME}
Where TAGKEY_NAME is the permanent ID of the tag key for which you want to display information. For example: tagKeys/123456789012
Adding tag values
Once you have created a tag key, you can then add accepted values for the key.
The tag value's shortName can have a maximum length of 63 characters. The permitted character set for the shortName includes upper- and lower-case alphanumerics (no internationalization), hyphens, underscores and periods. The shortName must begin and end with an alphanumeric character. Once the shortName has been created, it cannot be changed, and must be unique within the same namespace.
Console
To create a new tag value, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
In the list of tags, click the tag to which you want to add a new value.
Click Add value.
In the Tag value box, enter the display name of your tag value. This becomes part of the namespaced name of your tag.
In the Tag value description box, enter a description of your tag value.
Click Save.
gcloud
To create a new tag value, use the gcloud alpha resource-manager tags values create command. You must specify the key under which this value is created:
gcloud alpha resource-manager tags values create TAGVALUE_SHORTNAME \
    --parent=TAGKEY_NAME
Where:
TAGVALUE_SHORTNAME is the short name of the new tag value. For example: prod
TAGKEY_NAME is the permanent ID or namespaced name of the parent tag key. For example: tagKeys/4567890123
You should get a response similar to the following:
Creating tag value prod in tag key 12345678901/env...
<blocking wait until creation completes>
name: tagValues/7890123456
short_name: prod
namespaced_name: 12345678901/env/prod
parent: tagKeys/123456789012
API
To create a new tag value, create a JSON representation of the value. For more information about the format of a tag value, see the TagValue reference.
Then, use the tagValues.create method:
POST https://cloudresourcemanager.googleapis.com/v3/tagValues/ -d
Request JSON body:
{
  "parent": "TAGKEY_NAME",
  "shortName": "SHORT_NAME",
  "description": "DESCRIPTION"
}
Where:
TAGKEY_NAME is the permanent ID of the parent tag key. For example: tagKeys/4567890123
SHORT_NAME is the display name for your tag value. For example: env
DESCRIPTION is a description of the value, and no longer than 256 characters.
After you have created the value, you can find the unique human-readable display name called the namespacedName that is namespaced within its parent organization, and a globally unique permanent ID called the name.
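The naming rules and limits above (63-character shortName, permitted characters, 256-character description, 300 keys per organization, 300 values per key, uniqueness within a namespace) can be checked before any create call is made. The following is an added example, not part of the original guide: the plan layout and function names are hypothetical, uniqueness is treated as an exact string match, and the plan is assumed to list every key in the organization.

```python
import string

# Limits and character rules are the ones stated on this page.
ALNUM = set(string.ascii_letters + string.digits)
ALLOWED = ALNUM | set("-_.")
MAX_SHORT_NAME = 63
MAX_DESCRIPTION = 256
MAX_KEYS_PER_ORG = 300
MAX_VALUES_PER_KEY = 300


def check_short_name(name):
    """Return the shortName rules that `name` breaks (empty list means valid)."""
    problems = []
    if not 1 <= len(name) <= MAX_SHORT_NAME:
        problems.append("length must be 1-63 characters")
    if set(name) - ALLOWED:
        problems.append("only ASCII letters, digits, '-', '_' and '.' are permitted")
    if name and (name[0] not in ALNUM or name[-1] not in ALNUM):
        problems.append("must begin and end with an alphanumeric character")
    return problems


def _check_entry(namespaced_name, entry, seen):
    """Check one key or value; `seen` holds the shortNames already used in its namespace."""
    short = entry["shortName"]
    found = [(namespaced_name, p) for p in check_short_name(short)]
    if len(entry.get("description", "")) > MAX_DESCRIPTION:
        found.append((namespaced_name, "description longer than 256 characters"))
    if short in seen:  # assumption: exact-match comparison
        found.append((namespaced_name, "duplicate shortName in the same namespace"))
    seen.add(short)
    return found


def lint_plan(org_id, keys):
    """Return (namespaced_name, problem) pairs for a planned tag taxonomy."""
    findings = []
    if len(keys) > MAX_KEYS_PER_ORG:
        findings.append((org_id, f"{len(keys)} keys exceeds the limit of {MAX_KEYS_PER_ORG}"))
    seen_keys = set()
    for key in keys:
        key_ns = f"{org_id}/{key['shortName']}"
        findings += _check_entry(key_ns, key, seen_keys)
        values = key.get("values", [])
        if len(values) > MAX_VALUES_PER_KEY:
            findings.append((key_ns, f"{len(values)} values exceeds the limit of {MAX_VALUES_PER_KEY}"))
        seen_values = set()
        for value in values:
            findings += _check_entry(f"{key_ns}/{value['shortName']}", value, seen_values)
    return findings


# Constructed sample plan: one clean key with a duplicated value, two bad keys.
SAMPLE_PLAN = [
    {"shortName": "env", "description": "Deployment environment",
     "values": [{"shortName": "prod"}, {"shortName": "dev"},
                {"shortName": "test"}, {"shortName": "prod"}]},
    {"shortName": "cost_center.", "description": "x" * 300, "values": []},
    {"shortName": "équipe", "values": []},
]

if __name__ == "__main__":
    for name, problem in lint_plan("12345678901", SAMPLE_PLAN):
        print(f"{name}: {problem}")
```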
Retrieving tag values
You can find information about a particular tag value using the permanent ID or namespaced name that is displayed when you created it.
Console
To view a created tag, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
All tags you have created in this organization appear in the list. Click on the tag for which you want to see tag values.
gcloud
To display the information related to a given tag value, use the gcloud alpha resource-manager tags values describe command:
gcloud alpha resource-manager tags values describe TAGVALUE_NAME
Where TAGVALUE_NAME is the namespaced name of the tag value. For example: 1234567890/env/prod
You should get a response similar to the following:
short_name: prod
namespaced_name: 1234567890/env/prod
parent: tagKeys/123456789012
API
To display the information related to a given tag value, use the tagValues.get method:
GET https://cloudresourcemanager.googleapis.com/v3/{name=TAGVALUE_NAME}
Where TAGVALUE_NAME is the permanent ID of the tag value. For example: tagValues/4567890123
When referencing tags using the gcloud command-line tool, you can use either the namespaced name or the permanent ID for tag keys and values. Calls to the API should only use the permanent ID. See Tag definitions and identifiers for more information about the types of identifiers a tag uses.
Updating existing tags
You can modify an existing tag by updating the key or values associated with it. You can update a tag description, but not the short name.
Console
To update a tag key's description, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click Actions next to the tag key you want to update, then click View details.
Click Edit next to Description near the top of the screen.
Update the description of the tag key.
Click Save.
gcloud
To modify a tag key description, use the gcloud alpha resource-manager tags keys update command:
gcloud alpha resource-manager tags keys update TAGKEY_NAME \
    --description=NEW_DESCRIPTION
Where:
TAGKEY_NAME is the permanent ID or namespaced name of the key to be updated. For example: tagKeys/123456789012
NEW_DESCRIPTION is a string of no more than 256 characters to use as the new description.
You should get a response similar to the following:
name: tagKeys/123456789012
short_name: env
namespaced_name: 12345678901/env
description: "new description"
parent: organizations/12345678901
API
To modify a tag key description, use the tagKeys.patch method:
PATCH https://cloudresourcemanager.googleapis.com/v3/{tagKey.name=TAGKEY_NAME} -d
Request JSON body:
{
  "description": "DESCRIPTION"
}
Where:
TAGKEY_NAME is the permanent ID of the tag key. For example: tagKeys/123456789012
DESCRIPTION is a description of the key, and no longer than 256 characters.
You can also change the description of tag values.
Console
To update a tag value's description, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click Actions next to the tag key for the value you want to update, then click View details.
Click Actions next to the tag value you want to update, then click View details.
Click Edit next to Description near the top of the screen.
Update the description of the tag value.
Click Save.
gcloud
To modify a tag value description, use the gcloud alpha resource-manager tags values update command:
gcloud alpha resource-manager tags values update TAGVALUE_NAME \
    --description="NEW_DESCRIPTION"
Where:
TAGVALUE_NAME is the permanent ID or namespaced name of the tag value to be updated. For example: tagValues/4567890123
NEW_DESCRIPTION is a string of no more than 256 characters to use as the new description.
You should get a response similar to the following:
short_name: prod
namespaced_name: 12345678901/env/prod
parent: tagKeys/123456789012
description: "new description"
API
To modify a tag value description, use the tagValues.patch method:
PATCH https://cloudresourcemanager.googleapis.com/v3/{tagValue.name=TAGVALUE_NAME} -d
Request JSON body:
{
  "description": "DESCRIPTION"
}
Where:
TAGVALUE_NAME is the permanent ID of the tag value. For example: tagValues/4567890123
DESCRIPTION is a description of the value, and no longer than 256 characters.
Listing tag keys
You can list all tag keys associated with a particular organization using the Cloud Console, the gcloud tool, or with a call to the API.
Console
To view all tags:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
All tags you have created in this organization appear in the list.
gcloud
To return a list of all tag keys attached to an organization resource, use the gcloud alpha resource-manager tags keys list command:
gcloud alpha resource-manager tags keys list --parent=ORGANIZATION_ID
Where ORGANIZATION_ID is the ID of the organization for which you want to find attached tag keys.
- An organization ID should be provided in the format organizations/ORGANIZATION_ID. For example: organizations/12345678901. To learn how to get your organization ID, see Creating and managing organizations.
You should get a response similar to the following:
NAME                  SHORT_NAME  DESCRIPTION
tagKeys/123456789012  env         description of tag key
API
To return a list of all tag keys for a given resource, use the tagKeys.list method, with the parent resource specified in the query:
GET https://cloudresourcemanager.googleapis.com/v3/tagKeys
{ "parent": "RESOURCE_ID" }
Where RESOURCE_ID is the ID of the resource for which you want to find attached tag keys. For example: organizations/12345678901
List tag values
You can list all tag values associated with a particular tag key using the Cloud Console, the gcloud tool, or with a call to the API.
Console
To view all tag values attached to a tag key, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click Actions next to the tag key containing the tag values you want to find, then click View details.
All tag values you have created under this tag key appear in the list.
gcloud
To return a list of all tag values attached to a key, use the gcloud alpha resource-manager tags values list command:
gcloud alpha resource-manager tags values list --parent=TAGKEY_NAME
Where TAGKEY_NAME is the permanent ID or namespaced name of the tag key for which you want to find attached values. For example: tagKeys/123456789012
You should get a response similar to the following:
short_name: prod
namespaced_name: 12345678901/env/prod
parent: tagKeys/123456789012
description: "new description"
API
To return a list of all tag values attached to a key, use the tagValues.list method, with the parent tag key specified in the query:
GET https://cloudresourcemanager.googleapis.com/v3/tagValues
{ "parent": "TAGKEY_NAME" }
Where TAGKEY_NAME is the permanent ID of the tag key. For example: tagKeys/123456789012
Managing access to tags
You can give users specific access to manage tags and attach tag values to resources using the Cloud Console. See Required permissions for a list of the roles related to tags, and the permissions they contain.
Tag keys
To manage access for users on a tag key, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click the checkbox next to the tag for which you want to manage access.
Click Manage access.
To add a role to a member, click Add member.
In the New members text box, enter the email address of the member you want to grant a new role.
Select a role from the Select a role dropdown menu. If you want to add more than one role, click Add another role.
If you want to send a notification, click the checkbox next to Send notification email.
Click Save.
To edit a member's role, click Edit next to the member you want to edit.
You can change any roles that are assigned to the members on this tag by clicking on the Role dropdown menu and choosing a new role.
If you want to add more roles, click Add another role.
To delete a role from this member on this tag, click Delete role next to the role you want to delete.
Click Save.
To delete a member's role, click Delete role next to the role you want to delete.
Click Remove.
Tag values
To manage access for users on a tag value, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click Actions next to the tag key for the value for which you want to manage access, then click View details.
Click Manage access.
To add a role to a member, click Add member.
In the New members text box, enter the email address of the member you want to grant a new role.
Select a role from the Select a role dropdown menu. If you want to add more than one role, click Add another role.
If you want to send a notification, click the checkbox next to Send notification email.
Click Save.
To edit a member's role, click Edit next to the member you want to edit.
You can change any roles that are assigned to the members on this tag by clicking on the Role dropdown menu and choosing a new role.
If you want to add more roles, click Add another role.
To delete a role from this member on this tag, click Delete role next to the role you want to delete.
Click Save.
To delete a member's role, click Delete role next to the role you want to delete.
Click Remove.
Attaching tags to resources
After a tag is created and appropriate access is granted to both the tag and the resource, the tag can be attached to a Google Cloud resource as a key-value pair. Exactly one value can be attached to a resource for a given key. For example, if env: dev is attached, then env: prod or env: test cannot be attached.
Each resource can have a maximum of 50 key-value pairs attached.
Tags are attached to resources by creating a tag binding resource that links the value to the Google Cloud resource.
Console
To attach a tag to a resource, do the following:
Open the Manage resources page in the Cloud Console.
Click on the organization, folder, or project to which you want to attach a tag.
In the info panel that appears, click the Tags tab.
Click the Add Tag bindings radio button.
In the Tag value box, enter the namespaced name of the tag value you want to attach. For example, 4567890123/Environment/Test.
If you want to attach more tag values, click Add value, and enter the namespaced name for each tag value.
Click Save bindings.
The new tag appears under the Tags column on the Manage resources page.
gcloud
To attach a tag to a resource, you must create a tag binding resource by using the gcloud alpha resource-manager tags bindings create command:
gcloud alpha resource-manager tags bindings create \
    --tag-value=TAGVALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Where:
TAGVALUE_NAME is the permanent ID or namespaced name of the tag value to be attached. For example: tagValues/4567890123
RESOURCE_ID is the full ID of the resource, including the API domain name to identify the type of resource (//cloudresourcemanager.googleapis.com/). For example, to attach a tag to projects/7890123456, the full ID would be: //cloudresourcemanager.googleapis.com/projects/7890123456
LOCATION is the location of your resource. If you are attaching a tag to a global resource, such as a folder or a project, you should omit this flag. If you are attaching a tag to a regional resource, you must specify the location. For example: us-central1
No regional resources currently support tags.
API
To attach a tag to a resource, you must first create a JSON representation of a tag binding that includes the permanent IDs of the tag value and the resource. For more information about the format of a tag binding, see the TagBinding reference.
If you are attaching the tag to a global resource such as an organization, use the tagBindings.create method with the global endpoint hostname:
POST https://cloudresourcemanager.googleapis.com/v3/tagBindings
If you are attaching the tag to a regional resource, use the tagBindings.create method with the regional endpoint where your resource is located. No regional resources currently support tags.
POST https://LOCATION-cloudresourcemanager.googleapis.com/v3/tagBindings
Request JSON body:
{
  "parent": "RESOURCE_ID",
  "tagValue": "TAGVALUE_NAME"
}
Where:
TAGBINDING_NAME is the name of your tag binding. For example: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/4567890123
RESOURCE_ID is the ID of the resource that you are attaching this tag value to. For example: projects/7890123456.
TAGVALUE_NAME is the permanent ID of the tag value that is attached. For example: tagValues/4567890123
LOCATION is the regional endpoint for your resource. For example: us-central1
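The binding rules in this section (one value per key on a resource, at most 50 key-value pairs) and the percent-encoded binding name can be worked out before the tagBindings.create call is sent. The following is an added example, not part of the original guide: the function names and the value-to-key map are hypothetical, the IDs are constructed, and the request body uses the full resource name as it appears in the list output on this page.

```python
from urllib.parse import quote

MAX_BINDINGS_PER_RESOURCE = 50  # limit stated on this page
CRM_PREFIX = "//cloudresourcemanager.googleapis.com/"


def full_resource_name(resource_id):
    """'projects/7890123456' -> '//cloudresourcemanager.googleapis.com/projects/7890123456'."""
    return resource_id if resource_id.startswith("//") else CRM_PREFIX + resource_id


def binding_name(resource_id, tag_value):
    """Binding name in the form shown on this page: the full resource name, percent-encoded."""
    encoded = quote(full_resource_name(resource_id), safe="")
    return f"tagBindings/{encoded}/{tag_value}"


def plan_binding(resource_id, tag_value, value_to_key, existing_values):
    """Build the request body and list the page's rules the new binding would break.

    value_to_key maps each tag value's permanent ID to its parent tag key
    (the `parent:` field of the describe output). existing_values holds the
    tag values already attached directly to the resource.
    """
    problems = []
    key = value_to_key.get(tag_value)
    if key is None:
        problems.append(f"{tag_value}: parent tag key unknown")
    if tag_value in existing_values:
        problems.append(f"{tag_value} is already attached")
    else:
        for other in existing_values:
            if key is not None and value_to_key.get(other) == key:
                problems.append(f"{other} is already attached for {key}; only one value per key")
        if len(existing_values) >= MAX_BINDINGS_PER_RESOURCE:
            problems.append("resource already has 50 key-value pairs attached")
    return {
        "name": binding_name(resource_id, tag_value),
        "body": {"parent": full_resource_name(resource_id), "tagValue": tag_value},
        "problems": problems,
    }


# Constructed mapping: two values of the same key, one value of another key.
VALUE_TO_KEY = {
    "tagValues/4567890123": "tagKeys/123456789012",
    "tagValues/567890123456": "tagKeys/123456789012",
    "tagValues/1111111111": "tagKeys/2222222222",
}

if __name__ == "__main__":
    plan = plan_binding("projects/7890123456", "tagValues/4567890123",
                        VALUE_TO_KEY, ["tagValues/567890123456"])
    print(plan["name"])
    print(plan["problems"])
```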
Listing all tags attached to a resource
You can get a list of all tags attached to a resource. The following examples provide a list of tag bindings attached directly to the resource, but won't return any tags that have been inherited from parent resources.
Console
To see all tags that are attached to a resource, do the following:
Open the Manage resources page in the Cloud Console.
Find your organization, folder, or project in the list of resources.
The tags attached to the resource appear under the Tags column.
gcloud
To get a list of tag bindings attached to a resource, use the gcloud alpha resource-manager tags bindings list command:
gcloud alpha resource-manager tags bindings list \
    --parent=RESOURCE_ID \
    --location=LOCATION
Where:
RESOURCE_ID is the full ID of the resource. For example: //cloudresourcemanager.googleapis.com/projects/7890123456
LOCATION is the location of your resource. If you are listing the tags attached to a global resource, such as a folder or a project, you should omit this flag. If you are listing the tags attached to a regional resource, you must specify the location. For example: us-central1
No regional resources currently support tags.
You should get a response similar to the following:
name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456
tagValue: tagValues/567890123456
resource: //cloudresourcemanager.googleapis.com/projects/7890123456
API
To get a list of tag bindings attached to a global resource such as an organization, use the tagBindings.list method, specifying the parent resource in the query:
GET https://cloudresourcemanager.googleapis.com/v3/tagBindings
{ "parent": "RESOURCE_ID" }
If you want to list the tag bindings attached to a regional resource, use the tagBindings.list method with the regional endpoint where your resource is located. No regional resources currently support tags.
GET https://LOCATION-cloudresourcemanager.googleapis.com/v3/tagBindings
{ "parent": "RESOURCE_ID" }
Where:
RESOURCE_ID is the full ID of the resource. For example: //cloudresourcemanager.googleapis.com/projects/7890123456
LOCATION is the regional endpoint for your resource. For example: us-central1
If successful, the response body should include a list of TagBinding objects. For example:
name: tagBindings/cloudresourcemanager.googleapis.com/projects/7890123456/567890123456
tagValue: tagValues/567890123456
resource: //cloudresourcemanager.googleapis.com/projects/7890123456
Detaching a tag from a resource
You can detach a tag from a resource by deleting the tag binding resource.
Console
To detach a tag from a resource, do the following:
Open the Manage resources page in the Cloud Console.
Click on the organization, folder, or project from which you want to detach a tag.
In the info panel that appears, click the Tags tab.
Click the Remove Tag bindings radio button.
In the Tag value box, enter the namespaced name of the tag value you want to remove. For example, 4567890123/Environment/Test.
Click Save bindings.
You can find the updated list of attached tags under the Tags column on the Manage resources page.
gcloud
To delete a tag binding, use the gcloud alpha resource-manager tags bindings delete command:
gcloud alpha resource-manager tags bindings delete \
    --tag-value=TAGVALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Where:
TAGVALUE_NAME is the permanent ID or namespaced name of the tag value that is attached. For example: tagValues/567890123456
RESOURCE_ID is the full ID of the resource. For example: //cloudresourcemanager.googleapis.com/projects/7890123456
LOCATION is the location of your resource. If you are deleting a tag binding attached to a global resource, such as a folder or a project, you should omit this flag. If you are deleting a tag binding attached to a regional resource, you must specify the location. For example: us-central1
No regional resources currently support tags.
API
To delete a tag binding attached to a global resource such as an organization, use the tagBindings.delete method:
DELETE https://cloudresourcemanager.googleapis.com/v3/{name=TAGBINDINGS_NAME}
If you want to delete a tag binding attached to a regional resource, use the tagBindings.delete method with the regional endpoint where your resource is located. No regional resources currently support tags.
DELETE https://LOCATION-cloudresourcemanager.googleapis.com/v3/{name=TAGBINDINGS_NAME}
Where:
TAGBINDINGS_NAME is the permanent ID of the TagBinding. For example: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F1234567890/tagValues/567890123456
LOCATION is the regional endpoint for your resource. For example: us-central1
Deleting tags
To delete a tag, you must delete each of its defining components. First, you must delete any tag bindings that attach this tag to resources in your hierarchy. For instructions on deleting tag bindings, see Detaching a tag from a resource.
Once there are no more tag bindings for the tag values you want to delete, you can delete the values.
Console
To delete a tag value, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click Actions next to the tag key containing the tag value you want to delete, then click View details.
In the list of tag values associated with this tag key, click the tag value you want to delete.
Click the checkbox next to the tag value you want to delete, then click Delete values.
Click Confirm.
gcloud
To delete a tag value, use the gcloud alpha resource-manager tags values delete command:
gcloud alpha resource-manager tags values delete TAGVALUE_NAME
Where TAGVALUE_NAME is the permanent ID or namespaced name of the tag value you want to delete. For example: tagValues/567890123456
API
To delete a tag value, use the tagValues.delete method:
DELETE https://cloudresourcemanager.googleapis.com/v3/{name=TAGVALUE_NAME}
Where TAGVALUE_NAME is the permanent ID of the tag value you want to delete. For example: tagValues/567890123456
Once all tag values associated with a key have been deleted, you can then delete the key.
Console
To delete a tag key, do the following:
Open the Tags page in the Cloud Console.
Select the Project picker at the top of the page.
From the Organization picker, select your organization.
Click the checkbox next to the tag key you want to delete.
Click Delete tags.
Click Confirm.
gcloud
To delete a tag key, use the gcloud alpha resource-manager tags keys delete command:
gcloud alpha resource-manager tags keys delete TAGKEYS_NAME
Where TAGKEYS_NAME is the permanent ID or namespaced name of the tag key you want to delete. For example: tagKeys/123456789012
API
To delete a tag key, use the tagKeys.delete method:
DELETE https://cloudresourcemanager.googleapis.com/v3/{name=TAGKEYS_NAME}
Where TAGKEYS_NAME is the permanent ID of the tag key you want to delete. For example: tagKeys/123456789012
Policies and tags
You can use tags with policies that support them to conditionally enforce those policies. You can make the presence or absence of a tag value the condition for that policy.
For example, you can conditionally grant Identity and Access Management (IAM) roles based on whether a resource has a specific tag.
For more information about using tags with IAM to help control access to your Google Cloud resources, see Tags and access control.
You can also use organization policies with tags to control how your organization policy constraints are applied. For more information, see Setting an organization policy with tags.
Requiring tags on resources
You can use tags and Identity and Access Management conditions to make tagging mandatory for resources in your hierarchy. This process makes the resources unusable until you attach a particular tag to them. For example, you may want to require that your developers assign a cost center to a resource before they can use it.
Create a tag that you can use to associate resources with something that will identify whether the resources have had proper governance applied. For example, you could create a tag with the key costCenter and values 0001, 0002, and so forth, to associate the resources with the various cost centers at your company.
Create an organization-level custom role that allows users to add tags to the resources you want to require tags on. This will give these permissions to the specified members anywhere in your organization.
For example, a custom role that allows users to add tags to projects would include the following permissions:
resourcemanager.projects.get
resourcemanager.resourceTagBindings.create
resourcemanager.resourceTagBindings.delete
resourcemanager.resourceTagBindings.list
When creating projects for your developers, assign them this custom role on the project.
Assign any other roles to your developers that include the permissions for them to perform any desired actions inside of that project. When you grant roles to users on the project, the roles should always be conditionally granted to require the attachment of the costCenter tag.
resource.hasTagKey('12345678901/costCenter')
Now, any time a project is created, your developers must attach the costCenter tag to it before they're able to perform the actions in it that are granted by the IAM policy.
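The requirement only holds if every role binding on the project, other than the tagging role itself, carries the resource.hasTagKey condition. The following is an added example, not part of the original guide, that audits a policy document for bindings that escape it. The policy is a constructed sample in the JSON shape of an IAM policy, the custom role name and members are hypothetical, and the condition check is a conservative text comparison, not a CEL parser.

```python
import json


def condition_requires_tag(expression, tag_key):
    """True only when the tag check is a plain top-level '&&' term of the condition.

    Conservative by design: any '||', a negation, or extra parentheses around the
    call counts as "not enforced", so the audit errs on the side of reporting.
    """
    required = f"resource.hasTagKey('{tag_key}')"
    if "||" in expression:
        return False
    terms = [term.strip().replace('"', "'") for term in expression.split("&&")]
    return required in terms


def audit_policy(policy, tag_key, exempt_roles):
    """Return (role, member, condition) for every grant usable without the tag."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        if role in exempt_roles:
            # The tagging role must stay unconditional, or nobody could attach the tag.
            continue
        expression = binding.get("condition", {}).get("expression", "")
        if not condition_requires_tag(expression, tag_key):
            for member in binding.get("members", []):
                findings.append((role, member, expression or "<unconditional>"))
    return findings


# Constructed sample policy; role names other than the predefined ones are hypothetical.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "organizations/12345678901/roles/projectTagger",
     "members": ["user:dev1@example.com"]},
    {"role": "roles/compute.admin",
     "members": ["user:dev1@example.com"],
     "condition": {"title": "needs cost center",
                   "expression": "resource.hasTagKey('12345678901/costCenter')"}},
    {"role": "roles/storage.admin",
     "members": ["user:dev2@example.com"]},
    {"role": "roles/bigquery.dataEditor",
     "members": ["user:dev3@example.com"],
     "condition": {"title": "inverted",
                   "expression": "!resource.hasTagKey('12345678901/costCenter')"}},
    {"role": "roles/pubsub.editor",
     "members": ["user:dev4@example.com"],
     "condition": {"title": "bypass with or",
                   "expression": "resource.hasTagKey('12345678901/costCenter') || request.time < timestamp('2030-01-01T00:00:00Z')"}}
  ]
}
""")

TAG_KEY = "12345678901/costCenter"
EXEMPT = {"organizations/12345678901/roles/projectTagger"}

if __name__ == "__main__":
    for role, member, expr in audit_policy(SAMPLE_POLICY, TAG_KEY, EXEMPT):
        print(f"{member} holds {role} without the tag requirement: {expr}")
```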
Troubleshooting known issues
Condition expression fails
If you run one of the add-iam-policy-binding commands using the gcloud command-line tool, and the IAM policy on that resource contains conditional role bindings for that role, the gcloud tool prompts you to choose one of the condition expressions that exists in the policy. If you choose a condition expression that contains a comma, the command fails. To work around this issue, use the --condition flag to specify a condition expression on the command line.
Validate only disabled for creating tag keys and values
When you call the Resource Manager API directly, you can use the validate_only field to validate requests but not carry them out. This field is disabled for the methods that create tag keys and tag values, and an error will be returned instead.