Tags are key-value pairs you can apply to your worker pools for fine-grained access control. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag.
At the organization or project level, tag administrators create tags for resources across Google Cloud and manage them in Resource Manager.
Required roles
To get the permissions that you need to attach or detach tags, ask your administrator to grant you the following IAM roles on the Cloud Run worker pool:
- Cloud Run Admin (roles/run.admin)
- Tag User (roles/resourcemanager.tagUser)
To manage access on the tag value resource in Resource Manager, your account must also have the Tag User (roles/resourcemanager.tagUser) role granted for the tag value. The tag value is the resource that is attached to the Cloud Run worker pool.
For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run worker pool interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.
Attach tags
Note that attaching a tag to your worker pool does not result in the creation of a new revision.
You can attach tags using the Google Cloud CLI.
gcloud
You can update tags for a worker pool using the command:
gcloud resource-manager tags bindings create \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/workerpools/WORKER_POOL \
    --location=REGION
To update more than one tag, supply a comma-delimited list of key/value pairs.
Replace:
- TAG_VALUE with the value for the key. You can use several different types of values: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
- PROJECT_ID with the project ID of your Google Cloud project
- REGION with the region your Cloud Run worker pool is deployed to
- WORKER_POOL with the name of your Cloud Run worker pool
Detach a tag
Use the Google Cloud CLI to detach tags from your worker pool.
gcloud
To detach a tag from a worker pool:
gcloud resource-manager tags bindings delete \
    --tag-value=TAG_VALUE \
    --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/workerpools/WORKER_POOL \
    --location=REGION
To detach more than one tag, supply a comma-delimited list of key/value pairs.
Replace:
- TAG_VALUE with the value for the key. You can use several different types of values: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
- PROJECT_ID with the project ID of your Google Cloud project
- REGION with the region your Cloud Run worker pool is deployed to
- WORKER_POOL with the name of your Cloud Run worker pool
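A preflight wrapper for the attach and detach commands above, added here as an example and not taken from the original page: it checks which of the three TAG_VALUE forms was supplied and builds the --parent resource name before any binding is changed, because a binding on the wrong worker pool or tag value changes which conditional policies apply. The function names and the DRY_RUN variable are hypothetical, the digits-only rule for permanent IDs is an assumption, and the sample values are constructed.

```shell
#!/bin/sh
# Added example; function names and DRY_RUN are hypothetical.
# Only the gcloud flags shown on this page are used.

# Report which of the three TAG_VALUE forms an input matches.
# Assumption: a permanent ID is "tagValues/" followed by digits only.
classify_tag_value() {
  case "$1" in
    ''|/*|*/|*//*) echo invalid; return 1 ;;   # empty value or empty segment
    tagValues/*)
      id=${1#tagValues/}
      case "$id" in
        *[!0-9]*) echo invalid; return 1 ;;
        *) echo permanent-id ;;
      esac ;;
    */*/*/*) echo invalid; return 1 ;;          # too many segments
    */*/*) echo namespaced ;;                   # parent/key/value
    */*) echo invalid; return 1 ;;              # key/value without a parent
    *) echo short-name ;;
  esac
}

# Build the full resource name used as --parent for a worker pool.
worker_pool_parent() {
  for part in "$1" "$2" "$3"; do
    case "$part" in ''|*/*|*' '*) return 1 ;; esac
  done
  printf '//run.googleapis.com/projects/%s/locations/%s/workerpools/%s\n' \
    "$1" "$2" "$3"
}

# Usage: run_tag_binding create|delete TAG_VALUE PROJECT_ID REGION WORKER_POOL
# Prints the command unless DRY_RUN=0, in which case it runs gcloud.
run_tag_binding() {
  case "$1" in create|delete) ;; *) return 1 ;; esac
  classify_tag_value "$2" >/dev/null || return 1
  parent=$(worker_pool_parent "$3" "$4" "$5") || return 1
  set -- gcloud resource-manager tags bindings "$1" \
    "--tag-value=$2" "--parent=$parent" "--location=$4"
  if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Constructed sample values; prints the command without running it.
run_tag_binding create 123456789012/env/prod my-project us-central1 my-pool
```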