Tag services

Stay organized with collections Save and categorize content based on your preferences.

Tags are key-value pairs you can apply to your services for fine-grained access control. Organization administrators create tags for resources across Google Cloud at the organization level and manage them in Resource Manager. Tags provides a way to conditionally allow or deny policies based on whether a resource has a specific tag.

Tags attached to Cloud Run services should not be confused with Cloud Run traffic tags that allow to route traffic to specific Cloud Run revisions.

Tags are only available in the context of a Google Cloud organization.

Required Identity and Access Management roles

You must have the

  • Cloud Run Admin role on the Cloud Run service
  • Tag User role on the tag value and the Cloud Run service

Attaching tags

Note that attaching a tag to your service does not result in the creation of a new revision.

You can attach or detach tags using the Google Cloud console or the gcloud command line.

Console

  1. Go to Cloud Run

  2. Check the checkbox at the left of the service you are setting the tag on.

  3. Click Tags above the services list to display the tags pane.

    Set tag

  4. To attach a new tag to the service, click Add Tag and select one of the tag keys in the key dropdown menu, and select a value from the value dropdown menu.

  5. Click Save then confirm your changes if prompted.

Command line

You can update tags for a service using the command:

gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
    --location=REGION

To update more than one tag, supply a comma delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key: you can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod or a short name such as prod
  • PROJECT_ID with project ID of your Google Cloud project
  • REGION with region your Cloud Run service is deployed to
  • SERVICE with name of your Cloud Run service

Detaching a tag

You can use the console or the command line to detach tags from your service.

Console

  1. Go to Cloud Run

  2. Check the checkbox at the left of the service you are detaching the tag from.

  3. Click Tags above the services list to display the tags pane.

  4. Locate the tag you want to detach.

  5. Hover your cursor to the right of the Value dropdown menu for the tag to display the trash icon, and click the trash icon.

  6. Click Save and confirm your changes if prompted.

Command line

To detach a tag from a service:

gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
    --location=REGION

To detach more than one tag, supply a comma delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key: you can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod or a short name such as prod
  • PROJECT_ID with project ID of your Google Cloud project
  • REGION with region your Cloud Run service is deployed to
  • SERVICE with name of your Cloud Run service