Tag tables, views, and datasets
This document describes how to use tags to conditionally apply Identity and Access Management (IAM) policies to BigQuery tables, views, and datasets.
You can also use tags to conditionally deny access with IAM policies to BigQuery tables, views, and datasets (Preview). For more information, see Deny policies.
A tag is a key-value pair that you can attach directly to a table, view, or
dataset or a key-value pair that a table, view, or dataset can
inherit from other
Google Cloud resources. You can conditionally apply policies based on
whether a resource has a specific tag. For example, you might conditionally
grant the BigQuery Data Viewer role to a principal on any dataset with the
environment:dev tag.
For more information about using tags across the Google Cloud resource hierarchy, see Tags overview.
To grant permissions to many related BigQuery resources at the same time, including resources that don't exist yet, consider using IAM Conditions.
Limitations
- Table tags aren't supported on BigQuery Omni tables, tables in hidden datasets, or temporary tables. Dataset tags aren't supported on BigQuery Omni datasets. Additionally, cross-region queries in BigQuery Omni don't use tags during access control checks of tables in other regions. 
- You can attach a maximum of 50 tags to a table or dataset. 
- All tables referenced in a wildcard query must have exactly the same set of tag keys and values. 
- Users with conditional access to a dataset or table cannot modify permissions for that resource through the Google Cloud console. Permission modifications are only supported through the bq tool and the BigQuery API. 
- Some services outside of BigQuery cannot properly verify IAM tag conditions. If the tag condition is positive, meaning that a user is granted a role on a resource only if that resource has a particular tag, then access is denied to the resource regardless of what tags are attached to it. If the tag condition is negative, meaning that a user is granted a role on a resource only if that resource doesn't have a particular tag, then the tag condition is not checked.
  For example, Data Catalog cannot verify IAM tag conditions on BigQuery datasets and tables. Suppose there is a conditional IAM policy that gives an intern the BigQuery Data Viewer role on datasets with the employee_type=intern tag. Since this is a positive tag condition, the intern cannot view datasets by searching in Data Catalog even if those datasets do have the employee_type=intern tag. If the tag condition was changed to a negative one, so that the intern could only view datasets that did not have the employee_type=intern tag, then the check would be skipped entirely and the intern could view the datasets that they couldn't normally access in BigQuery.
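The last limitation means a negative tag condition fails open in services that cannot verify tags, while a positive one fails closed. The following Python sketch is an added example, not part of the original documentation: it scans the bindings of an IAM policy for tag conditions and labels each one accordingly. The policy, the principals and the organization ID 123456789012 are constructed, and negation is detected with a regex heuristic rather than a full CEL parser.

```python
import re

# Tag functions that can appear in an IAM condition expression. A call
# directly preceded by "!" (optionally "!(") is treated as negated. This is
# a heuristic: a "!" applied to a larger sub-expression is not detected.
TAG_CALL = re.compile(
    r"(?P<neg>!\s*\(?\s*)?"
    r"resource\.(?P<fn>matchTag|matchTagId|hasTagKey|hasTagKeyId)"
    r"\s*\((?P<args>[^)]*)\)"
)

# Behaviour the page describes for services that cannot verify tag conditions.
IMPACT = {
    "positive": "fail closed: access is denied regardless of attached tags",
    "negative": "fail open: the tag condition is not checked",
}


def classify_expression(expression):
    """Return (kind, calls); kind is 'none', 'positive' or 'negative'."""
    calls = [
        {
            "fn": m.group("fn"),
            "args": m.group("args").strip(),
            "negated": bool(m.group("neg")),
        }
        for m in TAG_CALL.finditer(expression or "")
    ]
    if not calls:
        return "none", calls
    # One negated tag call is enough to make the binding fail open.
    kind = "negative" if any(c["negated"] for c in calls) else "positive"
    return kind, calls


def audit_policy(policy):
    """List every binding whose condition depends on tags."""
    findings = []
    for binding in policy.get("bindings", []):
        expression = (binding.get("condition") or {}).get("expression", "")
        kind, calls = classify_expression(expression)
        if kind == "none":
            continue  # unconditional, or conditional on something else
        findings.append(
            {
                "role": binding["role"],
                "members": binding["members"],
                "kind": kind,
                "tag_calls": calls,
                "impact_outside_bigquery": IMPACT[kind],
            }
        )
    return findings


# Constructed sample in the standard IAM policy shape (not real data).
SAMPLE_POLICY = {
    "bindings": [
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["user:intern@example.com"],
            "condition": {
                "title": "intern datasets only",
                "expression": "resource.matchTag('123456789012/employee_type', 'intern')",
            },
        },
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["group:contractors@example.com"],
            "condition": {
                "title": "everything except intern datasets",
                "expression": "!resource.matchTag('123456789012/employee_type', 'intern')",
            },
        },
        {
            "role": "roles/bigquery.dataOwner",
            "members": ["user:owner@example.com"],
        },
        {
            "role": "roles/bigquery.dataViewer",
            "members": ["user:temp@example.com"],
            "condition": {
                "title": "time boxed",
                "expression": "request.time < timestamp('2030-01-01T00:00:00Z')",
            },
        },
    ]
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding["kind"], finding["role"], finding["members"],
              "->", finding["impact_outside_bigquery"])
```

Bindings reported as negative are the ones to review first, because the services named in the limitation skip their tag check entirely.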
Required roles
You need to grant IAM roles that give users the necessary permissions to perform each task in this document.
Both of the following predefined IAM roles include all of the necessary BigQuery permissions:
- BigQuery Data Owner (roles/bigquery.dataOwner)
- BigQuery Admin (roles/bigquery.admin)
The Resource Manager permissions for adding and removing tags are included in the
Tag User role
(roles/resourcemanager.tagUser).
Required permissions
To use tags in BigQuery, you need the following permissions:
| Operation | BigQuery interfaces (API, CLI, console) and Terraform | Cloud Resource Manager API or gcloud |
|---|---|---|
| Attach a tag to a table or view | | |
| Remove a tag from a table or view | | |
| Attach a tag to a dataset | | |
| Remove a tag from a dataset | | |
To list tag keys and key values in the Google Cloud console, you need the following permissions:
- To list the tag keys that are associated with a parent organization or project, you need the resourcemanager.tagKeys.list permission at the tag key's parent level and the resourcemanager.tagKeys.get permission for each tag key. To view the list of tag keys in the BigQuery console, click the dataset name and then click Edit details, or click the table or view name and then click Details > Edit details.
- To list the tag values of keys that are associated with a parent organization or project, you need the resourcemanager.tagValues.list permission at the tag value parent level and the resourcemanager.tagValues.get permission for each tag value. To view the list of tag key values in the BigQuery console, click the dataset name and then click Edit details, or click the table or view name and then click Details > Edit details.
To use tags in Cloud Resource Manager API or gcloud, you need the following permissions:
- To list the tags attached to a table or view with the Cloud Resource Manager API or the gcloud CLI, you need the bigquery.tables.listTagBindings IAM permission.
- To list the effective tags for a table or view, you need the bigquery.tables.listEffectiveTags IAM permission.
- To list the tags attached to a dataset with the Cloud Resource Manager API or the gcloud CLI, you need the bigquery.datasets.listTagBindings IAM permission.
- To list the effective tags for a dataset, you need the bigquery.datasets.listEffectiveTags IAM permission.
Create tag keys and values
You can create a tag before you attach it to a BigQuery resource, or you can create a tag manually when you create the resource using the Google Cloud console.
For information about creating tag keys and tag values, see Creating a tag and Adding tag values in the Resource Manager documentation.
Tag datasets
The following sections describe how to attach tags to new and existing datasets, list tags attached to a dataset, and detach tags from a dataset.
Attach tags when you create a new dataset
After you create a tag, you can attach it to a new BigQuery dataset. You can attach only one tag value to a dataset for any given tag key. You can attach a maximum of 50 tags to a dataset.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer. If you don't see the left pane, click Expand left pane to open the pane.
- In the Explorer pane, select the project where you want to create your dataset. 
- Click View actions > Create dataset. 
- Enter the information for your new dataset. For more details, see Create datasets. 
- Expand the Tags section.
  - To apply an existing tag, do the following:
    - Click the drop-down arrow beside Select scope and choose Current scope—Select current organization or Select current project. Alternatively, click Select scope to search for a resource or to see a list of current resources.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - To manually enter a new tag, do the following:
    - Click the drop-down arrow beside Select a scope and choose Manually enter IDs > Organization, Project, or Tags.
    - If you're creating a tag for your project or organization, in the dialog, enter the PROJECT_ID or the ORGANIZATION_ID, and then click Save.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - Optional: To add additional tags to the dataset, click Add tag and follow the previous steps.
- Click Create dataset.
SQL
Use the
CREATE SCHEMA statement.
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  CREATE SCHEMA PROJECT_ID.DATASET_ID
  OPTIONS (
    tags = [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset that you're creating.
  - TAG_KEY_1: the namespaced key name that you want to set as the first tag on the dataset, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name for the tag's value, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag.
  - TAG_VALUE_2: the short name for the second tag's value.
- Click Run.
For more information about how to run queries, see Run an interactive query.
bq
Use the
bq mk --dataset command
with the --add_tags flag:
bq mk --dataset \
    --add_tags=TAG \
    PROJECT_ID:DATASET_ID
Replace the following:
- TAG: the tag that you are attaching to the new dataset. Multiple tags are separated by commas. For example, 556741164180/env:prod,myProject/department:sales. Each tag must have the namespaced key name and value short name.
- PROJECT_ID: the ID of the project where you are creating a dataset.
- DATASET_ID: the ID of the new dataset.
Terraform
Use the
google_bigquery_dataset resource.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following example creates a dataset named my_dataset, then attaches
tags to it by populating the resource_tags field:
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
- Set the default Google Cloud project where you want to apply your Terraform configurations. You only need to run this command once per project, and you can run it in any directory.

  export GOOGLE_CLOUD_PROJECT=PROJECT_ID

  Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
- In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.

  mkdir DIRECTORY && cd DIRECTORY && touch main.tf

- If you are following a tutorial, you can copy the sample code in each section or step. Copy the sample code into the newly created main.tf. Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.

  terraform init

  Optionally, to use the latest Google provider version, include the -upgrade option:

  terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:

  terraform plan

  Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering yes at the prompt:

  terraform apply

  Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
API
Call the
datasets.insert method
and add your tags to the resource_tags field.
Attach tags to an existing dataset
After you create a tag, you can attach it to an existing dataset. You can attach only one tag value to a dataset for any given tag key.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, click Datasets, and then select a dataset. 
- In the Dataset info section, click Edit details. 
- Expand the Tags section.
  - To apply an existing tag, do the following:
    - Click the drop-down arrow beside Select scope and choose Current scope—Select current organization or Select current project. Alternatively, click Select scope to search for a resource or to see a list of current resources.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - To manually enter a new tag, do the following:
    - Click the drop-down arrow beside Select a scope and choose Manually enter IDs > Organization, Project, or Tags.
    - If you're creating a tag for your project or organization, in the dialog, enter the PROJECT_ID or the ORGANIZATION_ID, and then click Save.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - Optional: To add additional tags to the dataset, click Add tag and follow the previous steps.
- Click Save.
SQL
Use the
ALTER SCHEMA SET OPTIONS statement.
The following example overwrites all tags for an existing dataset.
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  ALTER SCHEMA PROJECT_ID.DATASET_ID
  SET OPTIONS (
    tags = [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset you're tagging.
  - TAG_KEY_1: the namespaced key name that you want to set as the first tag on the dataset, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name for the tag's value, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag.
  - TAG_VALUE_2: the short name for the second tag's value.
- Click Run.
For more information about how to run queries, see Run an interactive query.
The following example uses the += operator to attach tags to a dataset
without overwriting existing tags. If an existing tag has the same key, that
tag is overwritten.
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  ALTER SCHEMA PROJECT_ID.DATASET_ID
  SET OPTIONS (
    tags += [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset you're tagging.
  - TAG_KEY_1: the namespaced key name that you want to set as the first tag on the dataset, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name for the tag's value, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag.
  - TAG_VALUE_2: the short name for the second tag's value.
- Click Run.
For more information about how to run queries, see Run an interactive query.
bq
Use the
bq update command
with the --add_tags flag:
bq update \
    --add_tags=TAG \
    PROJECT_ID:DATASET_ID
Replace the following:
- TAG: the tag that you are attaching to the dataset. Multiple tags are separated by commas. For example, 556741164180/env:prod,myProject/department:sales. Each tag must have the namespaced key name and value short name.
- PROJECT_ID: the ID of the project where the existing dataset is located.
- DATASET_ID: the ID of the existing dataset.
gcloud
To attach a tag to a dataset using the command line, create a
tag binding resource by using the
gcloud resource-manager tags bindings create command:
gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- TAG_VALUE_NAME: the permanent ID or namespaced name of the tag value to be attached, such as tagValues/4567890123 or 1234567/my_tag_key/my_tag_value.
- RESOURCE_ID: the full ID of the dataset, including the API domain name (//bigquery.googleapis.com/) to identify the type of resource. For example, //bigquery.googleapis.com/projects/my_project/datasets/my_dataset.
- LOCATION: the location of your dataset.
Terraform
Add tags to the dataset's resource_tags field, and then apply the
updated configuration using the google_bigquery_dataset resource. For
more information, see the Terraform example in
Attach tags when you create a new dataset.
API
Call the
datasets.get method
to get the dataset resource, including the resource_tags field. Add your
tags to the resource_tags field and pass the updated dataset resource
back using the
datasets.update method.
List tags attached to a dataset
The following steps provide a list of tag bindings attached directly to a dataset. These methods don't return tags that are inherited from parent resources.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, click Datasets, and then select a dataset.
  The tags appear in the Dataset info section.
bq
To list tags attached to a dataset, use the
bq show command.
bq show PROJECT_ID:DATASET_ID
Replace the following:
- PROJECT_ID: the ID of the project containing your dataset.
- DATASET_ID: the ID of the dataset for which you want to list the tags.
gcloud
To get a list of tag bindings attached to a resource, use the
gcloud resource-manager tags bindings list command:
gcloud resource-manager tags bindings list \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- RESOURCE_ID: the full ID of the dataset, including the API domain name (//bigquery.googleapis.com/) to identify the type of resource. For example, //bigquery.googleapis.com/projects/my_project/datasets/my_dataset.
- LOCATION: the location of your dataset.
The output is similar to the following:
name: tagBindings/%2F%2Fbigquery.googleapis.com%2Fprojects%2Fmy_project%2Fdatasets%2Fmy_dataset/tagValues/4567890123
parent: //bigquery.googleapis.com/projects/my_project/datasets/my_dataset
tagValue: tagValues/4567890123
Terraform
Use the terraform state show command to list the attributes of the
dataset, including the resource_tags field. Run this command
in the directory where the dataset's Terraform configuration file has been
run.
terraform state show google_bigquery_dataset.default
API
Call the
datasets.get method
to get the dataset resource. The dataset resource includes tags attached to
the dataset in the resource_tags field.
Views
Use the
INFORMATION_SCHEMA.SCHEMATA_OPTIONS view.
For example, the following query shows all tags attached to all datasets
in a region. This query returns a table with columns including schema_name
(the dataset names), option_name (always 'tags'),
object_type (always ARRAY<STRUCT<STRING, STRING>>), and option_value,
which contains arrays of STRUCT objects representing tags associated with
each dataset. For datasets without assigned tags, the option_value column
returns an empty array.
SELECT * FROM region-REGION.INFORMATION_SCHEMA.SCHEMATA_OPTIONS
WHERE option_name='tags'
Replace the following:
- REGION: the region where your datasets are located.
Detach tags from a dataset
You can detach a tag from a resource by deleting the tag binding resource. If you're deleting a tag, you must detach it from the dataset before you delete it. For more information, see Deleting tags.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, click Datasets, and then select a dataset. 
- In the Dataset info section, click Edit details. 
- In the Tags section, click Delete item next to the tag you want to delete. 
- Click Save. 
SQL
Use the
ALTER SCHEMA SET OPTIONS statement.
The following example detaches tags from a dataset using the -= operator. To
detach all tags from a dataset, you can specify tags=NULL or tags=[].
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  ALTER SCHEMA PROJECT_ID.DATASET_ID
  SET OPTIONS (
    tags -= [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset that you're detaching the tags from.
  - TAG_KEY_1: the namespaced key name of the first tag you want to detach, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name of the value for the tag you want to detach, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag you're detaching.
  - TAG_VALUE_2: the short name for the value of the second tag you're detaching.
- Click Run.
For more information about how to run queries, see Run an interactive query.
bq
Use the
bq update command
with the --remove_tags flag:
bq update \
    --remove_tags=REMOVED_TAG \
    PROJECT_ID:DATASET_ID
Replace the following:
- REMOVED_TAG: the tag that you are removing from the dataset. Multiple tags are separated by commas. Only accepts keys without value pairs. For example, 556741164180/env,myProject/department. Each tag must have the namespaced key name.
- PROJECT_ID: the ID of the project that contains your dataset.
- DATASET_ID: the ID of the dataset to detach tags from.
Alternatively, if you want to remove all tags from a dataset, use the
bq update command
with the --clear_all_tags flag:
bq update \
    --clear_all_tags \
    PROJECT_ID:DATASET_ID
gcloud
To detach a tag from a dataset using the command line, delete the tag
binding by using the
gcloud resource-manager tags bindings delete command:
gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- TAG_VALUE_NAME: the permanent ID or namespaced name of the tag value to be detached, such as tagValues/4567890123 or 1234567/my_tag_key/my_tag_value.
- RESOURCE_ID: the full ID of the dataset, including the API domain name (//bigquery.googleapis.com/) to identify the type of resource. For example, //bigquery.googleapis.com/projects/my_project/datasets/my_dataset.
- LOCATION: the location of your dataset.
Terraform
Remove your tags from the dataset's resource_tags field, and then apply
the updated configuration using the google_bigquery_dataset resource.
API
Call the
datasets.get method
to get the dataset resource, including the resource_tags field. Remove
your tags from the resource_tags field and pass the updated dataset
resource back using the
datasets.update method.
Tag tables
The following sections describe how to attach tags to new and existing tables, list tags attached to a table, and detach tags from a table.
Attach tags when you create a new table
After you create a tag, you can attach it to a new table. You can attach only one tag value to a table for any given tag key. You can attach a maximum of 50 tags to a table.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, click Datasets, and then select a dataset. 
- In the Dataset info section, click Create table. 
- Enter the information for your new table. For more details, see Create and use tables. 
- Expand the Tags section.
  - To apply an existing tag, do the following:
    - Click the drop-down arrow beside Select scope and choose Current scope—Select current organization or Select current project. Alternatively, click Select scope to search for a resource or to see a list of current resources.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - To manually enter a new tag, do the following:
    - Click the drop-down arrow beside Select a scope and choose Manually enter IDs > Organization, Project, or Tags.
    - If you're creating a tag for your project or organization, in the dialog, enter the PROJECT_ID or the ORGANIZATION_ID, and then click Save.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - Optional: To add additional tags to the table, click Add tag and follow the previous steps.
- Click Create table.
SQL
Use the
CREATE TABLE statement.
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  CREATE TABLE PROJECT_ID.DATASET_ID.TABLE_ID
  OPTIONS (
    tags = [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset where you're creating the table.
  - TABLE_ID: the name of the new table.
  - TAG_KEY_1: the namespaced key name that you want to set as the first tag on the table, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name for the tag's value, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag.
  - TAG_VALUE_2: the short name for the second tag's value.
- Click Run.
For more information about how to run queries, see Run an interactive query.
bq
Use the
bq mk --table command
with the --add_tags flag:
bq mk --table \
    --schema=SCHEMA \
    --add_tags=TAG \
    PROJECT_ID:DATASET_ID.TABLE_ID
Replace the following:
- SCHEMA: the inline schema definition.
- TAG: the tag that you are attaching to the new table. Multiple tags are separated by commas. For example, 556741164180/env:prod,myProject/department:sales. Each tag must have the namespaced key name and value short name.
- PROJECT_ID: the ID of the project where you are creating a table.
- DATASET_ID: the ID of the dataset where you are creating a table.
- TABLE_ID: the ID of the new table.
Terraform
Use the
google_bigquery_table
resource.
To authenticate to BigQuery, set up Application Default Credentials. For more information, see Set up authentication for client libraries.
The following example creates a table named mytable, then attaches
tags to it by populating the resource_tags field:
To apply your Terraform configuration in a Google Cloud project, complete the steps in the following sections.
Prepare Cloud Shell
- Launch Cloud Shell.
- Set the default Google Cloud project where you want to apply your Terraform configurations. You only need to run this command once per project, and you can run it in any directory.

  export GOOGLE_CLOUD_PROJECT=PROJECT_ID

  Environment variables are overridden if you set explicit values in the Terraform configuration file.
Prepare the directory
Each Terraform configuration file must have its own directory (also called a root module).
- In Cloud Shell, create a directory and a new file within that directory. The filename must have the .tf extension, for example main.tf. In this tutorial, the file is referred to as main.tf.

  mkdir DIRECTORY && cd DIRECTORY && touch main.tf

- If you are following a tutorial, you can copy the sample code in each section or step. Copy the sample code into the newly created main.tf. Optionally, copy the code from GitHub. This is recommended when the Terraform snippet is part of an end-to-end solution.
- Review and modify the sample parameters to apply to your environment.
- Save your changes.
- Initialize Terraform. You only need to do this once per directory.

  terraform init

  Optionally, to use the latest Google provider version, include the -upgrade option:

  terraform init -upgrade
Apply the changes
- Review the configuration and verify that the resources that Terraform is going to create or update match your expectations:

  terraform plan

  Make corrections to the configuration as necessary.
- Apply the Terraform configuration by running the following command and entering yes at the prompt:

  terraform apply

  Wait until Terraform displays the "Apply complete!" message.
- Open your Google Cloud project to view the results. In the Google Cloud console, navigate to your resources in the UI to make sure that Terraform has created or updated them.
API
Call the
tables.insert method
with a defined table resource.
Include the tags in the resource_tags field.
Attach tags to an existing table
After you create a tag, you can attach it to an existing table. You can attach only one tag value to a table for any given tag key.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, and then click Datasets. 
- Click Overview > Tables, and then select a table. 
- Click the Details tab, and then click Edit details. 
- Expand the Tags section.
  - To apply an existing tag, do the following:
    - Click the drop-down arrow beside Select scope and choose Current scope—Select current organization or Select current project. Alternatively, click Select scope to search for a resource or to see a list of current resources.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - To manually enter a new tag, do the following:
    - Click the drop-down arrow beside Select a scope and choose Manually enter IDs > Organization, Project, or Tags.
    - If you're creating a tag for your project or organization, in the dialog, enter the PROJECT_ID or the ORGANIZATION_ID, and then click Save.
    - For Key 1 and Value 1, choose the appropriate values from the lists.
  - Optional: To add additional tags to the table, click Add tag and follow the previous steps.
- Click Save.
SQL
Use the
ALTER TABLE SET OPTIONS statement.
The following example overwrites all tags for an existing table.
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  ALTER TABLE PROJECT_ID.DATASET_ID.TABLE_ID
  SET OPTIONS (
    tags = [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset that contains the table.
  - TABLE_ID: the name of the table you're tagging.
  - TAG_KEY_1: the namespaced key name that you want to set as the first tag on the table, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name for the tag's value, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag.
  - TAG_VALUE_2: the short name for the second tag's value.
- Click Run.
For more information about how to run queries, see Run an interactive query.
The following example uses the += operator to attach a tag to a table
without overwriting existing tags. If an existing tag has the same key, that
tag is overwritten.
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:

  ALTER TABLE PROJECT_ID.DATASET_ID.TABLE_ID
  SET OPTIONS (
    tags += [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);

  Replace the following:
  - PROJECT_ID: your project ID.
  - DATASET_ID: the ID of the dataset that contains the table.
  - TABLE_ID: the name of the table you're tagging.
  - TAG_KEY_1: the namespaced key name that you want to set as the first tag on the table, for example, 'my-project/env' or '556741164180/department'.
  - TAG_VALUE_1: the short name for the tag's value, for example, 'prod' or 'sales'.
  - TAG_KEY_2: the namespaced key name for the second tag.
  - TAG_VALUE_2: the short name for the second tag's value.
- Click Run.
For more information about how to run queries, see Run an interactive query.
bq
Use the
bq update command
with the --add_tags flag:
bq update \
    --add_tags=TAG \
    PROJECT_ID:DATASET_ID.TABLE_ID
Replace the following:
- TAG: the tag that you are attaching to the table. Multiple tags are separated by commas. For example, 556741164180/env:prod,myProject/department:sales. Each tag must have the namespaced key name and value short name.
- PROJECT_ID: the ID of the project that contains your table.
- DATASET_ID: the ID of the dataset that contains your table.
- TABLE_ID: the ID of the table that you are updating.
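Because tags drive conditional IAM grants, a malformed --add_tags or --remove_tags value is worth catching before bq runs. The following Python pre-flight check is an added example, not part of the original documentation or the bq tool: it enforces the formats and limits stated in the bq sections above (namespaced key with value short name for --add_tags, keys only for --remove_tags, one value per key, at most 50 tags). The function names are hypothetical, and it assumes that keys contain no ":" so the first colon separates key from value.

```python
MAX_TAGS = 50  # maximum tags per table or dataset, as stated on the page


def _is_namespaced(key):
    """True for NAMESPACE/KEY with exactly one '/' and no empty part."""
    namespace, sep, short_name = key.partition("/")
    return bool(sep and namespace and short_name and "/" not in short_name)


def _items(flag_value):
    """Split a comma-separated flag value, dropping empty entries."""
    return [part.strip() for part in flag_value.split(",") if part.strip()]


def parse_add_tags(flag_value):
    """Parse an --add_tags value into ({key: value}, [errors])."""
    tags, errors = {}, []
    for item in _items(flag_value):
        # Assumption: the first ':' separates the key from the value.
        key, sep, value = item.partition(":")
        if not sep or not value:
            errors.append(f"{item!r}: missing ':VALUE' (value short name)")
        elif not _is_namespaced(key):
            errors.append(f"{item!r}: key must be namespaced as NAMESPACE/KEY")
        elif tags.get(key, value) != value:
            # Only one tag value can be attached for any given tag key.
            errors.append(f"{item!r}: second value for key {key!r}")
        else:
            tags[key] = value
    return tags, errors


def parse_remove_tags(flag_value):
    """Parse a --remove_tags value into ([keys], [errors]); keys only."""
    keys, errors = [], []
    for item in _items(flag_value):
        if ":" in item:
            errors.append(f"{item!r}: --remove_tags accepts keys without values")
        elif not _is_namespaced(item):
            errors.append(f"{item!r}: key must be namespaced as NAMESPACE/KEY")
        elif item not in keys:
            keys.append(item)
    return keys, errors


def check_attach(existing, flag_value):
    """Check an --add_tags value against the tags already attached.

    `existing` maps namespaced key -> value short name. Keys whose value
    would differ are reported for review; how bq treats them is not assumed.
    """
    new_tags, errors = parse_add_tags(flag_value)
    changed = sorted(
        key for key, value in new_tags.items()
        if key in existing and existing[key] != value
    )
    total = len({**existing, **new_tags})
    if total > MAX_TAGS:
        errors.append(f"{total} tags would be attached; the maximum is {MAX_TAGS}")
    return {"new": new_tags, "changed_keys": changed, "total": total,
            "errors": errors}


if __name__ == "__main__":
    # Constructed inputs, reusing the example values from the page.
    print(parse_add_tags("556741164180/env:prod,myProject/department:sales"))
    print(parse_remove_tags("556741164180/env,myProject/department:sales"))
    attached = {f"myProject/k{i}": "v" for i in range(49)}
    print(check_attach(attached, "556741164180/env:prod,myProject/k0:other"))
```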
gcloud
To attach a tag to a table using the command line, create a
tag binding resource by using the
gcloud resource-manager tags bindings create command:
gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- TAG_VALUE_NAME: the permanent ID or namespaced name of the tag value to be attached, such as tagValues/4567890123 or 1234567/my_tag_key/my_tag_value.
- RESOURCE_ID: the full ID of the table, including the API domain name (//bigquery.googleapis.com/) to identify the type of resource. For example, //bigquery.googleapis.com/projects/my_project/datasets/my_dataset/tables/my_table.
- LOCATION: the location of your table.
Terraform
Add tags to the table's resource_tags field, and then apply the
updated configuration using the google_bigquery_table resource. For
more information, see the Terraform example in
Attach tags when you create a new table.
API
Call the
tables.update method
with a defined table resource.
Include the tags in the resource_tags field.
List tags attached to a table
You can list tags that are attached directly to a table. This process doesn't list tags that are inherited from parent resources.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, and then click Datasets. 
- Click Overview > Tables, and then select a table.
  The tags are visible in the Details tab.
bq
Use the
bq show command
and look for the tags column. If there are no tags on the table, the
tags column isn't displayed.
bq show \
    PROJECT_ID:DATASET_ID.TABLE_ID
Replace the following:
- PROJECT_ID: the ID of the project that contains your table.
- DATASET_ID: the ID of the dataset that contains your table.
- TABLE_ID: the ID of your table.
gcloud
To get a list of tag bindings attached to a resource, use the
gcloud resource-manager tags bindings list command:
gcloud resource-manager tags bindings list \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- RESOURCE_ID: the full ID of the table, including the API domain name (//bigquery.googleapis.com/) to identify the type of resource. For example, //bigquery.googleapis.com/projects/my_project/datasets/my_dataset/tables/my_table.
- LOCATION: the location of your dataset.
The output is similar to the following:
name: tagBindings/%2F%2Fbigquery.googleapis.com%2Fprojects%2Fmy_project%2Fdatasets%2Fmy_dataset/tagValues/4567890123
parent: //bigquery.googleapis.com/projects/my_project/datasets/my_dataset
tagValue: tagValues/4567890123
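Because tags can drive conditional IAM grants, an unapproved binding changes who can read a table. The following Python is an added example, not part of the original documentation: it parses a listing in the name/parent/tagValue layout shown above and reports approved tag values that are missing and bindings that are not approved. The `---` record separator, the sample records, and the function names are assumptions.

```python
from urllib.parse import unquote

TABLE = "//bigquery.googleapis.com/projects/my_project/datasets/my_dataset/tables/my_table"
ENCODED = "%2F%2Fbigquery.googleapis.com%2Fprojects%2Fmy_project%2Fdatasets%2Fmy_dataset%2Ftables%2Fmy_table"
# Constructed sample: two direct bindings on TABLE, records separated by '---'.
SAMPLE_OUTPUT = f"""\
name: tagBindings/{ENCODED}/tagValues/4567890123
parent: {TABLE}
tagValue: tagValues/4567890123
---
name: tagBindings/{ENCODED}/tagValues/9999999999
parent: {TABLE}
tagValue: tagValues/9999999999
"""

def parse_bindings(text):
    """Return one dict per binding record in the listing."""
    records = []
    for block in text.split("\n---"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            records.append(fields)
    return records

def binding_is_consistent(record):
    """The name embeds the URL-encoded parent and the tag value ID; both must match the fields."""
    prefix, sep, value_id = record.get("name", "").partition("/tagValues/")
    if not sep or not prefix.startswith("tagBindings/"):
        return False
    parent = unquote(prefix[len("tagBindings/"):])
    return parent == record.get("parent") and record.get("tagValue") == "tagValues/" + value_id

def audit(text, resource, approved):
    """Compare the direct bindings on `resource` with the approved tag value IDs."""
    found = {r["tagValue"] for r in parse_bindings(text)
             if r.get("parent") == resource and binding_is_consistent(r)}
    return {"missing": sorted(approved - found), "unexpected": sorted(found - approved)}

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT, TABLE, {"tagValues/4567890123"}))
```

Like the listing itself, this audit sees only tags attached directly to the resource, not tags inherited from parent resources.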
Terraform
Use the terraform state show command to list the attributes of the
table, including the resource_tags field. Run this command
in the directory where the table's Terraform configuration file has been
run.
terraform state show google_bigquery_table.default
API
Call the
tables.get method
with a defined table resource,
and look for the resource_tags field.
Views
Use the
INFORMATION_SCHEMA.TABLE_OPTIONS view.
For example, the following query shows all tags attached to all tables in a
dataset. This query returns a table with columns including schema_name
(the dataset name), option_name (always 'tags'),
object_type (always ARRAY<STRUCT<STRING, STRING>>), and option_value,
which contains arrays of STRUCT objects representing tags associated with
each dataset. For tables without assigned tags, the option_value column
returns an empty array.
SELECT * FROM DATASET_ID.INFORMATION_SCHEMA.TABLE_OPTIONS
WHERE option_name = 'tags';
Replace DATASET_ID with the ID of the dataset
that contains your table.
Detach tags from a table
You can remove a tag association from a table by deleting the tag binding. If you're deleting a tag, you must detach it from the table before you delete it. For more information, see Deleting tags.
Console
- In the Google Cloud console, go to the BigQuery page. 
- In the left pane, click Explorer.
- In the Explorer pane, expand your project, and then click Datasets. 
- Click Overview > Tables, and then select a table. 
- Click the Details tab, and then click Edit details. 
- In the Tags section, click Delete item next to the tag you want to delete. 
- Click Save. 
SQL
Use the
ALTER TABLE SET OPTIONS statement.
The following example detaches tags from a table using the -= operator. To
detach all tags from a table, you can specify tags=NULL or tags=[].
- In the Google Cloud console, go to the BigQuery page. 
- In the query editor, enter the following statement:
ALTER TABLE PROJECT_ID.DATASET_ID.TABLE_ID
SET OPTIONS (
    tags -= [('TAG_KEY_1', 'TAG_VALUE_1'), ('TAG_KEY_2', 'TAG_VALUE_2')]);
Replace the following:
- PROJECT_ID: your project ID.
- DATASET_ID: the ID of the dataset that contains the table.
- TABLE_ID: the name of the table that you're detaching the tags from.
- TAG_KEY_1: the namespaced key name of the first tag you want to detach, for example, 'my-project/env' or '556741164180/department'.
- TAG_VALUE_1: the short name of the value for the tag you want to detach, for example, 'prod' or 'sales'.
- TAG_KEY_2: the namespaced key name for the second tag you're detaching.
- TAG_VALUE_2: the short name for the value of the second tag you're detaching.
 
- Click Run. 
For more information about how to run queries, see Run an interactive query.
bq
To remove some tags from a table, use the
bq update command
with the --remove_tags flag:
bq update \
    --remove_tags=TAG_KEYS \
    PROJECT_ID:DATASET_ID.TABLE_ID
Replace the following:
- TAG_KEYS: the tag keys that you are detaching from the table, separated by commas. For example, 556741164180/env,myProject/department. Each tag key must have the namespaced key name.
- PROJECT_ID: the ID of the project that contains your table.
- DATASET_ID: the ID of the dataset that contains your table.
- TABLE_ID: the ID of the table that you are updating.
To remove all tags from a table, use the
bq update command
with the --clear_all_tags flag:
bq update \
    --clear_all_tags \
    PROJECT_ID:DATASET_ID.TABLE_ID
gcloud
To remove a tag association from a table using the command line, delete the
tag binding by using the
gcloud resource-manager tags bindings delete command:
gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE_NAME \
    --parent=RESOURCE_ID \
    --location=LOCATION
Replace the following:
- TAG_VALUE_NAME: the permanent ID or namespaced name of the tag value to be deleted, such as tagValues/4567890123 or 1234567/my_tag_key/my_tag_value.
- RESOURCE_ID: the full ID of the table, including the API domain name (//bigquery.googleapis.com/) to identify the type of resource. For example, //bigquery.googleapis.com/projects/my_project/datasets/my_dataset/tables/my_table.
- LOCATION: the location of your dataset.
Terraform
Remove your tags from the table's resource_tags field, and then apply
the updated configuration using the google_bigquery_table resource.
API
Call the
tables.update method
with a defined table resource,
and remove the tags in the resource_tags field. To remove all tags, remove
the resource_tags field.
Tag other table-like resources
You can similarly tag BigQuery views, materialized views, clones, and snapshots.
Delete tags
You can't delete a tag if it's referenced by a table, view, or dataset. You should detach all existing tag binding resources before deleting the tag key or value itself. To delete tag keys and tag values, see Deleting tags.
Example
Suppose you are an administrator of an organization. Your
data analysts are all members of the group analysts@example.com, which has the
BigQuery Data Viewer IAM role on the project userData. A data
analyst intern is hired, and according to the company policy they should only
have permission to view the anonymousData dataset in the userData project.
You can control their access using tags.
- Create a tag with the key employee_type and the value intern.
- In the Google Cloud console, go to the IAM page. 
- Locate the row that contains the intern whose dataset access you want to restrict, and click Edit principal in that row. 
- From the Role menu, select BigQuery Data Viewer. 
- Click Add condition. 
- In the Title and Description fields, enter values that describe the IAM tag condition that you want to create. 
- On the Condition builder tab, click Add. 
- In the Condition type menu, select Resource, then select Tag. 
- In the Operator menu, select has value. 
- In the Value path field, enter the tag value path in the form ORGANIZATION/TAG_KEY/TAG_VALUE. For example, example.org/employee_type/intern.
  This IAM tag condition restricts the intern's access to datasets that have the intern tag.
- To save the tag condition, click Save. 
- To save any changes that you made in the Edit permissions pane, click Save. 
- To attach the intern tag value to the anonymousData dataset, use the command line to run the gcloud resource-manager tags bindings create command. For example:
gcloud resource-manager tags bindings create \
    --tag-value=tagValues/4567890123 \
    --parent=//bigquery.googleapis.com/projects/userData/datasets/anonymousData \
    --location=US
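The scenario above as a simplified access model, added here as an example and not taken from the original documentation or from IAM's own evaluator. It renders the intern's binding in IAM policy form and shows which datasets each set of identities can view, including the case where the intern also belongs to analysts@example.com. Assumptions: the condition is written as the CEL call resource.matchTag, only directly attached tags are considered, and the intern's address and the customerData dataset are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

VIEWER = "roles/bigquery.dataViewer"

@dataclass(frozen=True)
class Binding:
    member: str
    role: str
    # (namespaced tag key, value short name); None means an unconditional grant
    tag: Optional[Tuple[str, str]] = None

    def to_policy(self):
        """Render the binding in IAM policy form with the tag condition as CEL."""
        out = {"role": self.role, "members": [self.member]}
        if self.tag:
            out["condition"] = {
                "title": "intern-tagged datasets only",  # constructed title
                "expression": "resource.matchTag('%s', '%s')" % self.tag,
            }
        return out

# Project-level bindings on userData; the intern's address is constructed.
POLICY = [
    Binding("group:analysts@example.com", VIEWER),
    Binding("user:intern@example.com", VIEWER, ("example.org/employee_type", "intern")),
]
# Tags attached directly to each dataset; customerData is a constructed name.
DATASET_TAGS = {
    "anonymousData": {"example.org/employee_type": "intern"},
    "customerData": {},
}

def can_view(identities, dataset, tags=DATASET_TAGS, policy=POLICY):
    """Allow bindings are additive: one matching binding is enough."""
    attached = tags.get(dataset, {})
    for b in policy:
        if b.member in identities and b.role == VIEWER:
            if b.tag is None or attached.get(b.tag[0]) == b.tag[1]:
                return True
    return False

def visible(identities, tags=DATASET_TAGS, policy=POLICY):
    """Datasets that the given set of identities can view."""
    return sorted(d for d in tags if can_view(identities, d, tags, policy))

if __name__ == "__main__":
    print(visible({"user:intern@example.com"}))
    print(visible({"user:intern@example.com", "group:analysts@example.com"}))
```

The second call shows that the tag condition restricts the intern only while no unconditional binding, such as the analysts group's, also applies to them.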
What's next
- For an overview of tags in Google Cloud, see Tags overview.
- For more information about how to use tags, see Creating and managing tags.
- For information about how to control access to BigQuery resources with IAM Conditions, see Control access with IAM Conditions.