You can attach tags to the following Cloud VPN resources:
About tags
A tag is a key-value pair that can be attached to a resource within Google Cloud. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. For example, you can conditionally grant Identity and Access Management (IAM) roles based on whether a resource has a specific tag. For more information about tags, see Tags overview.
Tags are attached to resources by creating a tag binding resource that links the value to the Google Cloud resource.
Required permissions
To get the permissions that you need to manage tags, ask your administrator to grant you the following IAM roles:
- Tag Viewer (roles/resourcemanager.tagViewer) on the resources the tags are attached to
- View and manage tags at the organization level: Organization Viewer (roles/resourcemanager.organizationViewer) on the organization
- Create, update, and delete tag definitions: Tag Administrator (roles/resourcemanager.tagAdmin) on the resource you're creating, updating, or deleting tags for
- Attach and remove tags from resources: Tag User (roles/resourcemanager.tagUser) on the tag value and the resources that you are attaching or removing the tag value to
For more information about granting roles, see Manage access to projects, folders, and organizations.
You might also be able to get the required permissions through custom roles or other predefined roles.
To attach tags to Cloud VPN resources, you need the Compute Network Admin role (roles/compute.networkAdmin).
Create tag keys and values
Before you can attach a tag, you need to create a tag and configure its value. To create tag keys and tag values, see Creating a tag and Adding a tag value.
Add tags to existing resources
To add a tag to existing Cloud VPN resources, follow these steps:
Console
- Go to the Cloud VPN page in the Google Cloud console.
- Select the Cloud VPN resource for which you would like to attach a tag.
- Click Tags.
- If your organization doesn't appear in the Tags panel, click Select scope. Select your organization and click Open.
- Click Add tag.
- Select the key for the tag you want to attach from the list. You can filter the list by typing keywords.
- Select the value for the tag you want to attach from the list. You can filter the list by typing keywords.
- Click Save.
- In the Confirm dialog, click Confirm to attach the tag.
A notification confirms that your tags were updated.
gcloud
To attach a tag to a Cloud VPN resource, you must create a tag binding resource by using the gcloud resource-manager tags bindings create command:

      gcloud resource-manager tags bindings create \
          --tag-value=TAGVALUE_NAME \
          --parent=RESOURCE_ID \
          --location=LOCATION

Replace the following:
- TAGVALUE_NAME: the permanent ID or namespaced name of the tag value that is attached—for example, tagValues/567890123456.
- RESOURCE_ID: the full ID of the resource, including the API domain name to identify the type of resource (//compute.googleapis.com/). You must use the numeric IDs for the resources, not their names. For example:
  - The resource ID of a global resource, such as an external VPN gateway REST resource in projects/7890123456, is as follows: //compute.googleapis.com/projects/7890123456/global/externalVpnGateways/4567891234
  - The resource ID of a regional resource, such as a VPN tunnel REST resource in projects/7890123456, is as follows: //compute.googleapis.com/projects/7890123456/regions/REGION/vpnTunnels/6789012345
- LOCATION: the location of your resource. If you're attaching a tag to a global resource, such as a folder or a project, omit this flag. If you're attaching a tag to a regional or a zonal resource, you must specify the location—for example, us-central1 (region) or us-central1-a (zone).
List tags attached to resources
You can view a list of tag bindings directly attached to or inherited by the Cloud VPN resource.
Console
- Go to the Cloud VPN page in the Google Cloud console.
- Select the resource to see its details. Tags are displayed in the Tags row.
gcloud
To get a list of tag bindings attached to a resource, use the gcloud resource-manager tags bindings list command:

      gcloud resource-manager tags bindings list \
          --parent=RESOURCE_ID \
          --location=LOCATION

Replace the following:
- RESOURCE_ID: the full ID of the resource, including the API domain name to identify the type of resource (//compute.googleapis.com/). You must use the numeric IDs for the resources, not their names. For example:
  - The resource ID of a global resource, such as an external VPN gateway REST resource in projects/7890123456, is as follows: //compute.googleapis.com/projects/7890123456/global/externalVpnGateways/4567891234
  - The resource ID of a regional resource, such as a VPN tunnel REST resource in projects/7890123456, is as follows: //compute.googleapis.com/projects/7890123456/regions/REGION/vpnTunnels/6789012345
- LOCATION: the location of your resource. If you're viewing a tag attached to a global resource, such as a folder or a project, omit this flag. If you're viewing a tag attached to a regional or a zonal resource, you must specify the location—for example, us-central1 (region) or us-central1-a (zone).
You should get a response similar to the following:
      name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456
      tagValue: tagValues/567890123456
      resource: //compute.googleapis.com/projects/7890123456/global/externalVpnGateways/4567891234

Detach tags from resources
You can detach tags that have been directly attached to a Cloud VPN resource. Inherited tags can be overridden by attaching a tag with the same key and a different value, but they can't be detached.
Console
- Go to the Cloud VPN page in the Google Cloud console.
- Select the Cloud VPN resource from which you want to remove a tag.
- Click Tags.
- In the Tags panel, next to the tag you want to detach, click Delete item.
- Click Save.
- In the Confirm dialog, click Confirm to detach the tag.
A notification confirms that your tags were updated.
gcloud
To delete a tag binding, use the gcloud resource-manager tags bindings delete command:

      gcloud resource-manager tags bindings delete \
          --tag-value=TAGVALUE_NAME \
          --parent=RESOURCE_ID \
          --location=LOCATION

Replace the following:
- TAGVALUE_NAME: the permanent ID or namespaced name of the tag value that is attached—for example, tagValues/567890123456.
- RESOURCE_ID: the full ID of the resource, including the API domain name to identify the type of resource (//compute.googleapis.com/). You must use the numeric IDs for the resources, not their names. For example:
  - The resource ID of a global resource, such as an external VPN gateway REST resource in projects/7890123456, is as follows: //compute.googleapis.com/projects/7890123456/global/externalVpnGateways/4567891234
  - The resource ID of a regional resource, such as a VPN tunnel REST resource in projects/7890123456, is as follows: //compute.googleapis.com/projects/7890123456/regions/REGION/vpnTunnels/6789012345
- LOCATION: the location of your resource. If you're attaching a tag to a global resource, such as a folder or a project, omit this flag. If you're attaching a tag to a regional or a zonal resource, you must specify the location—for example, us-central1 (region) or us-central1-a (zone).
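The RESOURCE_ID and LOCATION rules for the create and delete commands above, as an added example that is not part of the original page: a POSIX shell wrapper that rejects resource names that are not numeric full IDs and derives --location from the ID itself, so the flag cannot disagree with the resource. The function name tag_binding and the GCLOUD override variable are assumptions; only global and regional IDs of the shape shown above are handled.

```shell
#!/bin/sh
# Added example, not from the original page.
# Usage: tag_binding ACTION TAGVALUE_NAME RESOURCE_ID   (ACTION: create|delete)
# GCLOUD is a hypothetical override for dry runs, e.g. GCLOUD=echo.
# The body is a subshell, so `exit` ends only the function call.
tag_binding() (
  action=$1 tag_value=$2 resource=$3
  base='^//compute\.googleapis\.com/projects/[0-9]+'
  matches() { printf '%s\n' "$1" | grep -Eq "$2"; }

  case $action in
    create|delete) ;;
    *) echo "action must be create or delete" >&2; exit 2 ;;
  esac

  # Empty values or embedded whitespace/newlines never form a valid ID.
  for arg in "$tag_value" "$resource"; do
    case $arg in
      ''|*[[:space:]]*) echo "empty or whitespace in argument" >&2; exit 2 ;;
    esac
  done

  # A permanent ID must be numeric; anything else is passed through
  # unchanged as a namespaced name.
  case $tag_value in
    tagValues/*)
      matches "$tag_value" '^tagValues/[0-9]+$' ||
        { echo "malformed permanent tag value ID" >&2; exit 2; } ;;
  esac

  if matches "$resource" "$base/global/[A-Za-z]+/[0-9]+\$"; then
    location=""                      # global resource: omit --location
  elif matches "$resource" "$base/regions/[a-z0-9-]+/[A-Za-z]+/[0-9]+\$"; then
    location=${resource#*/regions/}  # drop everything through "/regions/"
    location=${location%%/*}         # keep only REGION
  else
    echo "RESOURCE_ID must be a full name with numeric IDs" >&2
    exit 2
  fi

  # Pass values as separate argv entries; nothing is re-parsed by a shell.
  set -- resource-manager tags bindings "$action" \
    --tag-value="$tag_value" --parent="$resource"
  [ -z "$location" ] || set -- "$@" --location="$location"
  "${GCLOUD:-gcloud}" "$@"
)
```

Running it with GCLOUD=echo prints the arguments that would be passed to gcloud without calling the API.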
Delete tag keys and values
When removing a tag key or value definition, ensure that the tag is detached from the Cloud VPN resource. You must delete existing tag attachments, called tag bindings, before deleting the tag definition itself. To delete tag keys and tag values, see Deleting tags.
Identity and Access Management conditions and tags
You can use tags and IAM conditions to conditionally grant role bindings to users in your hierarchy. Changing or deleting the tag attached to a resource can remove user access to that resource if an IAM policy with conditional role bindings has been applied. For more information, see Identity and Access Management conditions and tags.
What's next
- See the other services that support tags.
- See Tags and access control to learn how to use tags with IAM.