Tag jobs

Tags are key-value pairs you can apply to your jobs for fine-grained access control. Tag administrators create tags for resources across Google Cloud at the organization or project level and manage them in Resource Manager. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag.

Required roles

To get the permissions that you need to attach or detach tags, ask your administrator to grant you the following IAM roles on the Cloud Run job:

In order to manage access on the tag value resource in Resource Manager, your account must also have the Tag User (roles/resourcemanager.tagUser) role granted for the tag value. The tag value is the resource that is attached to the Cloud Run job.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run job interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Attaching tags

Attach tags using the Google Cloud CLI.

Command line

Attach a tag to a job using the following command:

gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/jobs/JOB \
    --location=REGION

To update more than one tag, supply a comma-delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key. You can use any of these identifier types: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
  • PROJECT_ID with the project ID of your Google Cloud project.
  • REGION with the region your Cloud Run job is deployed to.
  • JOB with the name of your Cloud Run job.
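
An added example, not part of the original page or of Google's tooling: a POSIX shell wrapper that checks a single TAG_VALUE against the three identifier forms listed above and rejects resource-name segments that would alter the `--parent` path before running the attach command. The function names, the `GCLOUD` override variable and the validation rules are assumptions made for this example.

```shell
# Added example, not from the original page. Function names, the GCLOUD
# override and the validation rules are assumptions of this example.

# Classify one TAG_VALUE into the three identifier forms the page lists.
# Assumption: a short name has no "/" and a namespaced value has exactly
# three non-empty segments (PARENT/KEY/VALUE).
tag_value_kind() {
  case "$1" in
    '')                             echo invalid ;;
    tagValues/|tagValues/*[!0-9]*)  echo invalid ;;
    tagValues/*)                    echo permanent-id ;;
    /*|*/|*//*|*/*/*/*)             echo invalid ;;
    */*/*)                          echo namespaced ;;
    */*)                            echo invalid ;;
    *)                              echo short-name ;;
  esac
}

# Build the --parent full resource name for a Cloud Run job. An empty segment,
# or one containing "/" or a space, would point the binding at a different
# resource path, so it is rejected.
job_parent() {  # PROJECT_ID REGION JOB
  for seg in "$1" "$2" "$3"; do
    case "$seg" in
      ''|*/*|*' '*) return 1 ;;
    esac
  done
  printf '//run.googleapis.com/projects/%s/locations/%s/jobs/%s\n' "$1" "$2" "$3"
}

# Validate, then run the page's attach command. Set GCLOUD=echo for a dry run.
attach_tag() {  # TAG_VALUE PROJECT_ID REGION JOB
  if [ "$(tag_value_kind "$1")" = invalid ]; then
    echo "rejected TAG_VALUE: $1" >&2; return 1
  fi
  parent=$(job_parent "$2" "$3" "$4") || {
    echo "rejected PROJECT_ID, REGION or JOB" >&2; return 1
  }
  "${GCLOUD:-gcloud}" resource-manager tags bindings create \
    --tag-value="$1" --parent="$parent" --location="$3"
}
```

Source the file and call `attach_tag TAG_VALUE PROJECT_ID REGION JOB`; with `GCLOUD=echo` the arguments are printed instead of being sent to Resource Manager.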

Detaching a tag

Use the Google Cloud CLI to detach tags from your job.

Command line

To detach a tag from a job:

gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/jobs/JOB \
    --location=REGION

To detach more than one tag, supply a comma-delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key. You can use any of these identifier types: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
  • PROJECT_ID with the project ID of your Google Cloud project.
  • REGION with the region your Cloud Run job is deployed to.
  • JOB with the name of your Cloud Run job.