Tag jobs

Tags are key-value pairs you can apply to your jobs for fine-grained access control. Tag administrators create tags for resources across Google Cloud at the organization or project level and manage them in Resource Manager. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag.

Required Identity and Access Management roles

You must have the following roles:

  • Cloud Run Admin role on the Cloud Run job
  • Tag User role on the tag value and the Cloud Run job

Attaching tags

Attach tags using the Google Cloud CLI.

Command line

Update tags for a job using the following command:

gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/jobs/JOB \
    --location=REGION

To update more than one tag, supply a comma-delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key. You can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
  • PROJECT_ID with the project ID of your Google Cloud project
  • REGION with the region your Cloud Run job is deployed to
  • JOB with the name of your Cloud Run job
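
As an added example (not part of the original documentation), the following Bash helpers check the placeholders before attaching a tag and then list the job's tag bindings so the result can be confirmed. The function names are hypothetical; the listing step uses `gcloud resource-manager tags bindings list`.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.

# Build the full resource name passed to --parent. Empty components or
# components containing "/" are rejected so the path cannot be reshaped.
job_parent() {
  local project="$1" region="$2" job="$3" part
  for part in "$project" "$region" "$job"; do
    case "$part" in
      ''|*/*) echo "invalid component: '$part'" >&2; return 1 ;;
    esac
  done
  printf '//run.googleapis.com/projects/%s/locations/%s/jobs/%s\n' \
    "$project" "$region" "$job"
}

# Classify TAG_VALUE into the three identifier forms listed on this page:
# permanent ID, namespaced value, or short name. Anything else fails.
tag_value_kind() {
  case "$1" in
    tagValues/*[!0-9]*|tagValues/) return 1 ;;   # non-numeric or empty ID
    tagValues/*) echo permanent-id ;;
    */*/*/*|/*|*/|*//*|'') return 1 ;;           # wrong number of segments
    */*/*) echo namespaced ;;
    */*) return 1 ;;                             # two segments: not a listed form
    *) echo short-name ;;
  esac
}

# Attach the tag, then list the job's bindings to confirm it is present.
# Usage: attach_and_verify TAG_VALUE PROJECT_ID REGION JOB
attach_and_verify() {
  local tag_value="$1" project="$2" region="$3" job="$4" parent
  tag_value_kind "$tag_value" >/dev/null || {
    echo "unrecognized TAG_VALUE: '$tag_value'" >&2; return 1; }
  parent="$(job_parent "$project" "$region" "$job")" || return 1
  gcloud resource-manager tags bindings create \
    --tag-value="$tag_value" --parent="$parent" --location="$region" || return 1
  gcloud resource-manager tags bindings list \
    --parent="$parent" --location="$region"
}
```
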

Detaching a tag

Use the Google Cloud CLI to detach tags from your job.

Command line

To detach a tag from a job:

gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/jobs/JOB \
    --location=REGION

To detach more than one tag, supply a comma-delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key. You can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
  • PROJECT_ID with the project ID of your Google Cloud project
  • REGION with the region your Cloud Run job is deployed to
  • JOB with the name of your Cloud Run job