Attach and manage tags on Cloud SQL instances

This page describes how to attach, detach, and list tags on Cloud SQL instances. For an overview of tags on Cloud SQL, see Access control with Google Cloud tags.

Before you begin

Tags are managed through the Resource Manager. You need the following Cloud SQL IAM permissions to view and set tags on Cloud SQL instances:

  • cloudsql.instances.createTagBinding
  • cloudsql.instances.deleteTagBinding
  • cloudsql.instances.listTagBindings

These permissions are inherited through the cloudsql.admin IAM role.

Attach tags to Cloud SQL instances

Once you've created and defined a tag using Resource Manager, you can attach the tag directly to your Cloud SQL instance.

For example:

  • The tag value is 815471563813/environment/development.
    • 815471563813 is the organization ID.
    • environment is the tag key.
    • development is the tag value.
  • Your project name is my-project.
  • Your instance name is my-instance.
  • Your instance is in us-central1.

The gcloud resource-manager tags bindings create command attaches the tag to a resource, in this case, my-instance:

gcloud resource-manager tags bindings create \
--tag-value=815471563813/environment/development \
--parent=//sqladmin.googleapis.com/projects/my-project/instances/my-instance \
--location=us-central1

Detach tags from Cloud SQL instances

The gcloud resource-manager tags bindings delete command detaches the tag from my-instance:

gcloud resource-manager tags bindings delete \
--tag-value=815471563813/environment/development \
--parent=//sqladmin.googleapis.com/projects/my-project/instances/my-instance \
--location=us-central1

List tags on Cloud SQL instances

The gcloud resource-manager tags bindings list command lists all tags directly attached to my-instance, except tags that my-instance has inherited:

gcloud resource-manager tags bindings list \
    --parent=//sqladmin.googleapis.com/projects/my-project/instances/my-instance \
    --location=us-central1

What's next