Tag services

Tags are key-value pairs you can apply to your services for fine-grained access control. Tag administrators create tags for resources across Google Cloud at the organization or project level and manage them in Resource Manager. Tags provides a way to conditionally allow or deny policies based on whether a resource has a specific tag.

Tags attached to Cloud Run services should not be confused with Cloud Run traffic tags that allow to route traffic to specific Cloud Run revisions.

Required roles

To get the permissions that you need to attach or detach tags, ask your administrator to grant you the following IAM roles on the Cloud Run service:

To manage access on the tag value resource in Resource Manager, your account must also have the Tag User (roles/resourcemanager.tagUser) role granted for the tag value. The tag value is the resource that is attached to the Cloud Run service.

For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.

Attaching tags

Note that attaching a tag to your service does not result in the creation of a new revision.

You can attach or detach tags using the Google Cloud console or the gcloud command line.

Console

  1. Go to Cloud Run

  2. Check the checkbox at the left of the service you are setting the tag on.

  3. Click Tags above the services list to display the tags pane.

    Set tag

  4. If your organization doesn't appear in the Tags panel, click Select scope. Select your organization and click Open.

  5. To attach a new tag to the service, click Add Tag and select one of the tag keys in the key dropdown menu, and select a value from the value dropdown menu.

  6. Click Save then confirm your changes if prompted.

gcloud

You can update tags for a service using the command:

gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
    --location=REGION

To update more than one tag, supply a comma delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key: you can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod or a short name such as prod
  • PROJECT_ID with project ID of your Google Cloud project
  • REGION with region your Cloud Run service is deployed to
  • SERVICE with name of your Cloud Run service

Detaching a tag

You can use the console or the command line to detach tags from your service.

Console

  1. Go to Cloud Run

  2. Check the checkbox at the left of the service you are detaching the tag from.

  3. Click Tags above the services list to display the tags pane.

  4. Locate the tag you want to detach.

  5. Hover your cursor to the right of the Value dropdown menu for the tag to display the trash icon, and click the trash icon.

  6. Click Save and confirm your changes if prompted.

gcloud

To detach a tag from a service:

gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
    --location=REGION

To detach more than one tag, supply a comma delimited list of key/value pairs.

Replace

  • TAG_VALUE with the value for the key: you can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod or a short name such as prod
  • PROJECT_ID with project ID of your Google Cloud project
  • REGION with region your Cloud Run service is deployed to
  • SERVICE with name of your Cloud Run service