Services that support tags

Tags provide a way to create annotations for resources, and in some cases conditionally allow or deny policies based on whether a resource has a specific tag. The resources and policies used by each service leverage tags in different ways. For more information about tags, see the Tags overview.

Some services, such as Identity and Access Management (IAM), are policy engines that support references by tags. If you can attach a tag to a service resource, and the policy engine service supports that resource, you can then leverage the conditional enforcement of policies to better control your resource hierarchy. Each policy engine service lists the resources it supports in the Policy engine services section.

Resources not listed as explicitly supported by policy engine services can't be targeted directly for conditional enforcement of policies. Instead, the parent project, folder, or organization resource should be tagged to provide conditional control.

Review the appropriate section below when attaching tags to your service resources. For more information, see Creating and managing tags.

Policy engine services

The following services include policies that can include tags. Referencing tags in these policies allows you to finely tune the way they operate on supported resources in your Google Cloud resource hierarchy.

Google Cloud service Resource types
Identity and Access Management (IAM)
Organization Policy Service
Virtual Private Cloud (VPC)

The following sections describe how you can use tags with policy engine services.

Identity and Access Management

You can conditionally grant IAM roles or conditionally deny IAM permissions based on whether a resource has a specific tag.

Resources inherit tag values from their parent organization, folders, and project. As a result, you can use tags to manage access to any Google Cloud resource.

For more information about using tags with IAM to help control access to your Google Cloud resources, see Tags and access control.

Organization Policy Service

You can use organization policies with tags to control how your organization policy constraints are applied on certain resources. Organization policies can be conditionally enforced by tags that are attached to the following resources:

  • Google Cloud organization, folder, and project resources
  • Cloud Storage buckets

Organization policies can't be conditionally enforced by tags attached to resources not explicitly listed above. However, organization policy constraints that operate on IAM allow policies, such as the domain restricted sharing constraint, can be conditionally enforced with tags on any supported service resource.

For more information, see Setting an organization policy with tags.

Virtual Private Cloud

You can use tags to define sources and targets in network firewall policies and regional firewall policies. You can also attach tags to Compute Engine VM instances to represent different functions in a network. For more information, see Resource Manager tags for firewalls.

The following VPC resources can have tags attached to them for use in IAM policies:

For more information, see Create and manage tags for Virtual Private Cloud resources.

Supported service resources

You can attach tags to the following types of Google Cloud resources:

Google Cloud service Resource types
AlloyDB for PostgreSQL
Artifact Registry
BigQuery
Bigtable
Cloud Data Fusion
Cloud Billing
Cloud Deploy
Cloud Domains
  • Registrations
Identity and Access Management
Cloud Key Management Service (Cloud KMS)
Cloud Load Balancing
Cloud Logging
Cloud Run
Spanner
Cloud SQL
Cloud Storage
Compute Engine
Datastore
Datastream
Filestore
Firestore
Google Kubernetes Engine (GKE)
Managed Service for Microsoft Active Directory (Managed Microsoft AD)
Memorystore for Redis
Resource Manager
VPC
Secret Manager