Stay organized with collections
Save and categorize content based on your preferences.
Tags are key-value pairs you can apply to your services for fine-grained access
control. Tag administrators create tags for resources across
Google Cloud at the organization or project level and manage them in
Resource Manager.
Tags provides a way to conditionally allow or deny
policies based on whether a resource has a specific tag.
Tags attached to Cloud Run services should not be confused
with Cloud Run traffic tags
that allow to route traffic to specific Cloud Run revisions.
Required roles
To get the permissions that
you need to attach or detach tags,
ask your administrator to grant you the
following IAM roles on the Cloud Run service:
To manage access on the tag value resource in Resource Manager, your
account must also have the
Tag User (roles/resourcemanager.tagUser) role
granted for the tag value.
The tag value is the resource that is attached to the Cloud Run
service.
Check the checkbox at the left of the service you are setting the tag
on.
Click Tags above the services list to display the tags pane.
If your organization doesn't appear in the Tags panel, click
Select scope. Select your organization and click
Open.
To attach a new tag to the service, click Add Tag and select one of the
tag keys in the key dropdown menu, and select a value from the
value dropdown menu.
Click Save then confirm your changes if prompted.
gcloud
You can update tags for a service using the command:
To update more than one tag, supply a comma delimited list of key/value
pairs.
Replace
TAG_VALUE with the value for the key: you can use these
different types of identifiers: a permanent ID such as tagValues/12345678901,
a namespaced value such as 123456789012/env/prod or a short name such as prod
PROJECT_ID with project ID of your Google Cloud project
REGION with region your Cloud Run service is deployed to
SERVICE with name of your Cloud Run service
Detaching a tag
You can use the console or the command line to detach tags from your service.
To detach more than one tag, supply a comma delimited list of key/value
pairs.
Replace
TAG_VALUE with the value for the key: you can use these
different types of identifiers: a permanent ID such as tagValues/12345678901,
a namespaced value such as 123456789012/env/prod or a short name such as prod
PROJECT_ID with project ID of your Google Cloud project
REGION with region your Cloud Run service is deployed to
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-25 UTC."],[],[],null,["# Tag services\n\nTags are key-value pairs you can apply to your services for fine-grained access\ncontrol. Tag administrators create tags for resources across\nGoogle Cloud at the organization or project level and manage them in\n[Resource Manager](/resource-manager/docs/tags/tags-creating-and-managing).\nTags provides a way to conditionally allow or deny\npolicies based on whether a resource has a specific tag.\n\nTags *attached* to Cloud Run services should not be confused\nwith Cloud Run [traffic tags](/run/docs/rollouts-rollbacks-traffic-migration#tags)\nthat allow to route traffic to specific Cloud Run revisions.\n| **Note:** In contrast to tags, [labels](/run/docs/configuring/services/labels) are used to identify resources for billing-related reasons, filtering logs, and so forth.\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to attach or detach tags,\n\nask your administrator to grant you the\nfollowing IAM roles on the Cloud Run service:\n\n- [Cloud Run Admin](/iam/docs/roles-permissions/run#run.admin) (`roles/run.admin`)\n- [Tag User](/iam/docs/roles-permissions/resourcemanager#resourcemanager.tagUser) (`roles/resourcemanager.tagUser`)\n\n\nTo manage access on the tag value resource in Resource Manager, your\naccount must also have the\n[Tag User](/iam/docs/understanding-roles#resourcemanager.tagUser) (`roles/resourcemanager.tagUser`) role\n[granted for the tag value](/resource-manager/docs/tags/tags-creating-and-managing#managing_access).\nThe tag value is the resource that is attached to the Cloud Run\nservice.\n\nFor a list of IAM roles and permissions that are associated with\nCloud Run, see\n[Cloud Run IAM roles](/run/docs/reference/iam/roles)\nand [Cloud Run IAM permissions](/run/docs/reference/iam/permissions).\nIf your Cloud Run service interfaces with\nGoogle Cloud APIs, such as Cloud Client Libraries, see the\n[service identity configuration guide](/run/docs/configuring/services/service-identity).\nFor more information about granting roles, see\n[deployment permissions](/run/docs/reference/iam/roles#additional-configuration)\nand [manage access](/iam/docs/granting-changing-revoking-access).\n\nAttaching tags\n--------------\n\nNote that attaching a tag to your service *does not* result in the creation\nof a new revision.\n\nYou can attach or detach tags using the Google Cloud console or the gcloud\ncommand line. \n\n### Console\n\n1. [Go to Cloud Run](https://console.cloud.google.com/run)\n\n2. Check the checkbox at the left of the service you are setting the tag\n on.\n\n3. Click **Tags** above the services list to display the tags pane.\n\n4. If your organization doesn't appear in the **Tags** panel, click\n **Select scope** . Select your organization and click\n **Open**.\n\n5. To attach a new tag to the service, click **Add Tag** and select one of the\n tag keys in the key dropdown menu, and select a value from the\n value dropdown menu.\n\n6. Click **Save** then confirm your changes if prompted.\n\n### gcloud\n\nYou can update tags for a service using the command: \n\n```bash\ngcloud resource-manager tags bindings create \\\n --tag-value=TAG_VALUE \\\n --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \\\n --location=REGION\n```\n\nTo update more than one tag, supply a comma delimited list of key/value\npairs.\n\nReplace\n\n- \u003cvar translate=\"no\"\u003eTAG_VALUE\u003c/var\u003e with the value for the key: you can use these different types of identifiers: a permanent ID such as `tagValues/12345678901`, a namespaced value such as `123456789012/env/prod` or a short name such as `prod`\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with project ID of your Google Cloud project\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e with region your Cloud Run service is deployed to\n- \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with name of your Cloud Run service\n\nDetaching a tag\n---------------\n\nYou can use the console or the command line to detach tags from your service. \n\n### Console\n\n1. [Go to Cloud Run](https://console.cloud.google.com/run)\n\n2. Check the checkbox at the left of the service you are detaching the tag\n from.\n\n3. Click **Tags** above the services list to display the tags pane.\n\n4. Locate the tag you want to detach.\n\n5. Hover your cursor to the right of the *Value* dropdown menu for the tag to\n display the trash icon, and click the trash icon.\n\n6. Click **Save** and confirm your changes if prompted.\n\n### gcloud\n\nTo detach a tag from a service: \n\n```bash\ngcloud resource-manager tags bindings delete \\\n --tag-value=TAG_VALUE \\\n --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \\\n --location=REGION\n```\n\nTo detach more than one tag, supply a comma delimited list of key/value\npairs.\n\nReplace\n\n- \u003cvar translate=\"no\"\u003eTAG_VALUE\u003c/var\u003e with the value for the key: you can use these different types of identifiers: a permanent ID such as `tagValues/12345678901`, a namespaced value such as `123456789012/env/prod` or a short name such as `prod`\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with project ID of your Google Cloud project\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e with region your Cloud Run service is deployed to\n- \u003cvar translate=\"no\"\u003eSERVICE\u003c/var\u003e with name of your Cloud Run service"]]