Create and manage tags for VPC resources
VPC networks use the following resources that support Resource Manager tags:
- Networks
- Subnetworks
- Routes
- VPC firewall rules
- Global network firewall policies
- Regional network firewall policies
Resource Manager tags are different from network tags. In this document, the term tags is used to refer to Resource Manager tags.
For a list of all services that support tags, see Services that support tags.
For information about using tags in firewall policy rules, see Tags for firewalls.
About tags
A tag is a key-value pair that can attach to a resource within Google Cloud. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. For example, you can conditionally grant Identity and Access Management (IAM) roles based on whether a resource has a specific tag. For more information about tags, see Tags overview.
Tags are attached to resources by creating a tag binding resource that links the value to the Google Cloud resource.
To group VPC resources within Virtual Private Cloud for automation and billing purposes, use labels. Tags and labels work independently of each other, and you can apply both to resources.
Required permissions
The permissions you need depend on the action you need to perform.
To gain these permissions, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy.
View tags
To view tag definitions and tags that are attached to resources, you need the Tag Viewer role (roles/resourcemanager.tagViewer), or another role that includes the following permissions:
Required permissions
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.list
- resourcemanager.tagValues.get
- listTagBindings for the appropriate resource type. For example, compute.instances.listTagBindings for viewing tags attached to Compute Engine instances.
- listEffectiveTags for the appropriate resource type. For example, compute.instances.listEffectiveTags for viewing all tags attached to or inherited by Compute Engine instances.
To view tags at the organization level, you need the Organization Viewer role (roles/resourcemanager.organizationViewer) on the organization resource.
Administer tags
To create, update, and delete tag definitions, you need the Tag Administrator role (roles/resourcemanager.tagAdmin), or another role that includes the following permissions:
Required permissions
- resourcemanager.tagKeys.create
- resourcemanager.tagKeys.update
- resourcemanager.tagKeys.delete
- resourcemanager.tagKeys.list
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.getIamPolicy
- resourcemanager.tagKeys.setIamPolicy
- resourcemanager.tagValues.create
- resourcemanager.tagValues.update
- resourcemanager.tagValues.delete
- resourcemanager.tagValues.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.getIamPolicy
- resourcemanager.tagValues.setIamPolicy
To administer tags at the organization level, you need the Organization Viewer role (roles/resourcemanager.organizationViewer) on the organization resource.
Manage tags on resources
To add and remove tags that are attached to resources, you need the Tag User role (roles/resourcemanager.tagUser), or another role with equivalent permissions, on both the tag value and the resources that you are attaching the tag value to. The Tag User role includes the following permissions:
Required permissions
- Permissions required for the resource you're attaching the tag value to:
  - The resource-specific createTagBinding permission, such as compute.instances.createTagBinding for Compute Engine instances.
  - The resource-specific deleteTagBinding permission, such as compute.instances.deleteTagBinding for Compute Engine instances.
- Permissions required for the tag value:
  - resourcemanager.tagValueBindings.create
  - resourcemanager.tagValueBindings.delete
- Permissions that let you view projects and tag definitions:
  - resourcemanager.tagValues.get
  - resourcemanager.tagValues.list
  - resourcemanager.tagKeys.get
  - resourcemanager.tagKeys.list
  - resourcemanager.projects.get
To attach tags to VPC resources, you need the Compute Network Admin role (roles/compute.networkAdmin).
Create tag keys and values
Before you can attach a tag, you need to create a tag and configure its value. To create tag keys and tag values, see Creating a tag and Adding a tag value.
Attach a tag to a VPC resource
After the tag has been created, you must attach it to a VPC resource.
gcloud
To attach a tag to a VPC resource, you must create a tag binding resource by using the gcloud resource-manager tags bindings create command:
gcloud resource-manager tags bindings create \
    --tag-value=TAGVALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- TAGVALUE_NAME: the permanent ID or namespaced name of the tag value that is attached, for example, tagValues/567890123456.
- RESOURCE_ID: the full ID of the resource, including the API domain name that identifies the type of resource (//compute.googleapis.com/). You must use the numeric IDs for resources, not their names. For example, a subnet ID has a format similar to //compute.googleapis.com/projects/123/regions/us-central1/subnetworks/456, and a network ID has a format similar to //compute.googleapis.com/projects/123/global/networks/789.
- LOCATION: the location of your resource. If you're attaching a tag to a global resource, such as a folder or a project, omit this flag. If you're attaching a tag to a regional or a zonal resource, you must specify the location, for example, us-central1 (region) or us-central1-a (zone).
List tags attached to a VPC resource
You can view a list of tag bindings directly attached to or inherited by the VPC resource.
gcloud
To get a list of tag bindings attached to a resource, use the gcloud resource-manager tags bindings list command:
gcloud resource-manager tags bindings list \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- RESOURCE_ID: the full ID of the resource, including the API domain name that identifies the type of resource (//compute.googleapis.com/). You must use the numeric IDs for resources, not their names. For example, a subnet ID has a format similar to //compute.googleapis.com/projects/123/regions/us-central1/subnetworks/456, and a network ID has a format similar to //compute.googleapis.com/projects/123/global/networks/789.
- LOCATION: the location of your resource. If you're viewing a tag attached to a global resource, such as a folder or a project, omit this flag. If you're viewing a tag attached to a regional or a zonal resource, you must specify the location, for example, us-central1 (region) or us-central1-a (zone).
You should get a response similar to the following:
name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456
tagValue: tagValues/567890123456
resource: //compute.googleapis.com/projects/7890123456/subnetworks/subnetwork-ID
Detach tags from a VPC resource
You can detach tags that have been directly attached to a VPC resource. Inherited tags can be overridden by attaching a tag with the same key and a different value, but they can't be detached. Before you can delete a tag, you must detach its key and values from every resource to which it is attached.
gcloud
To delete a tag binding, use the gcloud resource-manager tags bindings delete command:
gcloud resource-manager tags bindings delete \
    --tag-value=TAGVALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- TAGVALUE_NAME: the permanent ID or namespaced name of the tag value that is attached, for example, tagValues/567890123456.
- RESOURCE_ID: the full ID of the resource, including the API domain name that identifies the type of resource (//compute.googleapis.com/). You must use the numeric IDs for resources, not their names. For example, a subnet ID has a format similar to //compute.googleapis.com/projects/123/regions/us-central1/subnetworks/456, and a network ID has a format similar to //compute.googleapis.com/projects/123/global/networks/789.
- LOCATION: the location of your resource. If you're detaching a tag from a global resource, such as a folder or a project, omit this flag. If you're detaching a tag from a regional or a zonal resource, you must specify the location, for example, us-central1 (region) or us-central1-a (zone).
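As an added example that is not part of the Google Cloud documentation, the following POSIX shell helper wraps the attach, list, and detach commands from the three sections above and enforces this page's two rules before anything runs: RESOURCE_ID must use numeric project and resource IDs rather than names, and --location is passed only for regional or zonal resources. The function names vpc_tag_location and vpc_tag_binding and the DRY_RUN variable are assumptions of this example; the sample IDs are the ones used on this page.

```shell
#!/bin/sh
# Added example, not from the Google Cloud documentation: a wrapper around
# "gcloud resource-manager tags bindings create|list|delete" that checks the
# two RESOURCE_ID/LOCATION rules from this page before running anything:
#   1. project and resource must be numeric IDs, not names, and
#   2. --location is omitted for global resources, required for regional/zonal ones.
# DRY_RUN is an assumed helper variable: set DRY_RUN=1 to print the command instead.

# Validate a full resource ID such as //compute.googleapis.com/projects/123/global/networks/789.
# Prints the derived location (empty for global) or returns 1 on a malformed ID.
vpc_tag_location() {
  rid=$1
  case $rid in
    //compute.googleapis.com/projects/*) ;;
    *) echo "resource ID must start with //compute.googleapis.com/projects/" >&2; return 1 ;;
  esac
  path=${rid#//compute.googleapis.com/projects/}
  project=${path%%/*}; rest=${path#*/}
  case $project in
    ''|*[!0-9]*) echo "project must be a numeric ID, got '$project'" >&2; return 1 ;;
  esac
  scope=${rest%%/*}; rest=${rest#*/}
  case $scope in
    global) loc='' ;;
    regions|zones) loc=${rest%%/*}; rest=${rest#*/} ;;
    *) echo "expected global/, regions/ or zones/ after the project" >&2; return 1 ;;
  esac
  resid=${rest#*/}              # rest is now TYPE/ID, e.g. subnetworks/456
  case $resid in
    ''|*[!0-9]*) echo "resource must be a numeric ID, got '$resid'" >&2; return 1 ;;
  esac
  printf '%s\n' "$loc"
}

# Build and run the gcloud command; --tag-value only for create/delete,
# --location only when the resource is regional or zonal.
vpc_tag_binding() {
  action=$1; rid=$2; tagvalue=$3
  loc=$(vpc_tag_location "$rid") || return 1
  set -- gcloud resource-manager tags bindings "$action" --parent="$rid"
  [ "$action" != list ] && set -- "$@" --tag-value="$tagvalue"
  [ -n "$loc" ] && set -- "$@" --location="$loc"
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}
# Usage (IDs taken from this page): attach, list, then detach a tag on a subnet.
# DRY_RUN=1 vpc_tag_binding create //compute.googleapis.com/projects/123/regions/us-central1/subnetworks/456 tagValues/567890123456
# DRY_RUN=1 vpc_tag_binding list   //compute.googleapis.com/projects/123/regions/us-central1/subnetworks/456
# DRY_RUN=1 vpc_tag_binding delete //compute.googleapis.com/projects/123/regions/us-central1/subnetworks/456 tagValues/567890123456
```

With DRY_RUN unset, the command is executed with whatever gcloud credentials are active, so the caller still needs the Tag User and Compute Network Admin roles described above.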
Delete tag keys and values
When removing a tag key or value definition, ensure that the tag is detached from the VPC resource. You must delete existing tag attachments, called tag bindings, before deleting the tag definition itself. To delete tag keys and tag values, see Deleting tags.
Identity and Access Management conditions and tags
You can use tags and IAM conditions to conditionally grant role bindings to users in your hierarchy. Changing or deleting the tag attached to a resource can remove user access to that resource if an IAM policy with conditional role bindings has been applied. For more information, see Identity and Access Management conditions and tags.
What's next
- See the other services that support tags.
- See Tags and access control to learn how to use tags with IAM.