Tags provide a way to create annotations for resources, and in some cases conditionally allow or deny policies based on whether a resource has a specific tag. The resources and policies used by each service leverage tags in different ways. For more information about tags, see the Tags overview.
Some services, such as Identity and Access Management (IAM), are policy engines that support references by tags. If you can attach a tag to a service resource, and the policy engine service supports that resource, you can then leverage the conditional enforcement of policies to better control your resource hierarchy. Each policy engine service lists the resources it supports in the Policy engine services section.
Resources not listed as explicitly supported by policy engine services can't be targeted directly for conditional enforcement of policies. Instead, the parent project, folder, or organization resource should be tagged to provide conditional control.
Review the appropriate section below when attaching tags to your service resources. For more information, see Creating and managing tags.
Policy engine services
The following services include policies that can include tags. Referencing tags in these policies allows you to finely tune the way they operate on supported resources in your Google Cloud resource hierarchy.
| Google Cloud service | Resource types |
|---|---|
| Identity and Access Management (IAM) | |
| Organization Policy Service | |
| Virtual Private Cloud (VPC) |
The following sections describe how you can use tags with policy engine services.
Identity and Access Management
You can conditionally grant IAM roles or conditionally deny IAM permissions based on whether a resource has a specific tag.
Resources inherit tag values from their parent organization, folders, and project. As a result, you can use tags to manage access to any Google Cloud resource.
For more information about using tags with IAM to help control access to your Google Cloud resources, see Tags and access control.
Organization Policy Service
You can use organization policies with tags to control how your organization policy constraints are applied on certain resources. Organization policies can be conditionally enforced by tags that are attached to the following resources:
- Google Cloud organization, folder, and project resources
- Cloud Storage buckets
Organization policies can't be conditionally enforced by tags attached to resources not explicitly listed above. However, organization policy constraints that operate on IAM allow policies, such as the domain restricted sharing constraint, can be conditionally enforced with tags on any supported service resource.
For more information, see Setting an organization policy with tags.
Virtual Private Cloud
You can use tags to define sources and targets in network firewall policies and regional firewall policies. You can also attach tags to Compute Engine VM instances to represent different functions in a network. For more information, see Resource Manager tags for firewalls.
The following VPC resources can have tags attached to them for use in IAM policies:
For more information, see Create and manage tags for Virtual Private Cloud resources.
Supported service resources
You can attach tags to the following types of Google Cloud resources:
| Google Cloud service | Resource types |
|---|---|
| AlloyDB for PostgreSQL | |
| Artifact Registry | |
| BigQuery | |
| Bigtable | |
| Cloud Billing | |
| Cloud Domains |
|
| Cloud Key Management Service (Cloud KMS) | |
| Cloud Load Balancing | |
| Cloud Run | |
| Spanner | |
| Cloud SQL | |
| Cloud Storage | |
| Compute Engine | |
| Datastore | |
| Datastream | |
| Filestore |
|
| Firestore | |
| Google Kubernetes Engine (GKE) | |
| Managed Service for Microsoft Active Directory (Managed Microsoft AD) | |
| Memorystore for Redis | |
| Resource Manager | |
| VPC |