This page describes how to use tags to manage resources in Cloud Data Fusion.
About tags
A tag is a key-value pair that can be attached to a resource within Google Cloud. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. For example, you can conditionally grant Identity and Access Management (IAM) roles based on whether a resource has a specific tag. For more information about tags, see Tags overview.
Tags are attached to resources by creating a tag binding resource that links the value to the Google Cloud resource.
Before you begin
To get permissions for the following use cases, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy. For more information about IAM in Cloud Data Fusion, see Access control with IAM.
Required roles and permissions
To get the permissions that you need to use tags to manage resources in Cloud Data Fusion, ask your administrator to grant you the following IAM roles on the Cloud Data Fusion Service Account, and Compute Engine default service account or custom service account:
- To view tag definitions and tags that are attached to resources: Tag Viewer (roles/resourcemanager.tagViewer)
- To create, update, and delete tag definitions: Tag Administrator (roles/resourcemanager.tagAdmin)
- To administer tags at the organization level: Organization Viewer (roles/resourcemanager.organizationViewer) on the organization resource
- To add and remove tags that are attached to resources: Tag User (roles/resourcemanager.tagUser) on both the tag value and the resources that you attach the tag value to
- To attach tags to Cloud Data Fusion instances: Cloud Data Fusion Admin (roles/datafusion.admin)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to use tags to manage resources in Cloud Data Fusion. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to use tags to manage resources in Cloud Data Fusion:
- resourcemanager.tagKeys.get
- resourcemanager.tagKeys.list
- resourcemanager.tagValues.get
- resourcemanager.tagValues.list
- listTagBindings for the appropriate resource type. For example, for viewing tags attached to Cloud Data Fusion instances: datafusion.instances.listTagBindings
- listEffectiveTags for the appropriate resource type. For example, for viewing all tags attached to or inherited by Cloud Data Fusion instances: datafusion.instances.listEffectiveTags
You might also be able to get these permissions with custom roles or other predefined roles.
Create tag keys and values
Before you can attach a tag, you need to create a tag and configure its value. To create tag keys and tag values, see Create a tag and Add tag values.
Attach a tag to a resource
After the tag has been created, attach it to a resource.
gcloud
To attach a tag to an instance, you must create a tag binding resource by using the create command:
gcloud resource-manager tags bindings create \
--tag-value=TAGVALUE_NAME \
--parent=RESOURCE_ID \
--location=LOCATION
Replace the following:
- TAGVALUE_NAME: the permanent ID or namespace name of the tag value that is attached, for example, tagValues/567890123456.
- RESOURCE_ID: the full ID of the resource, including the API domain name, identifying the type of resource (//datafusion.googleapis.com/). For example, to attach a tag to an instance in projects/7890123456 located in us-central1, use the following resource ID: //datafusion.googleapis.com/projects/7890123456/locations/us-central1/instances/instance-ID.
- LOCATION: the location of your resource. For example: us-central1.
A notification confirms that your tags are created.
List tags attached to a resource
You can view a list of tag bindings directly attached to or inherited by the resource.
gcloud
To get a list of tag bindings attached to a resource, use the list command:
gcloud resource-manager tags bindings list \
--parent=RESOURCE_ID \
--location=LOCATION
Replace the following:
- RESOURCE_ID: the full ID of the resource, including the API domain name, identifying the type of resource (//datafusion.googleapis.com/). For example, to list tags in an instance in projects/7890123456 located in us-central1, use the following resource ID: //datafusion.googleapis.com/projects/7890123456/locations/us-central1/instances/instance-ID.
- LOCATION: the location of your resource. For example: us-central1.
The response comes in the following form:
tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456
tagValue: tagValues/567890123456
resource: //datafusion.googleapis.com/projects/7890123456/locations/us-central1/instances/instance-ID
Detach tags from a resource
You can detach tags that have been directly attached to a resource. Inherited tags can be overridden by attaching a tag with the same key and a different value, but they can't be detached. Before you can delete a tag, you must detach its key and values from every resource to which it is attached.
gcloud
To delete a tag binding, use the delete command:
gcloud resource-manager tags bindings delete \
--tag-value=TAGVALUE_NAME \
--parent=RESOURCE_ID \
--location=LOCATION
Replace the following:
- TAGVALUE_NAME: the permanent ID or namespace name of the tag value that is attached, for example, tagValues/567890123456.
- RESOURCE_ID: the full ID of the resource, including the API domain name, identifying the type of resource (//datafusion.googleapis.com/). For example, to detach a tag from an instance in projects/7890123456 located in us-central1, use the following resource ID: //datafusion.googleapis.com/projects/7890123456/locations/us-central1/instances/instance-ID.
- LOCATION: the location of your resource. For example: us-central1.
A notification confirms that your tags are updated.
Delete tag keys and values
When removing a tag key or value definition, ensure that the tag is detached from the resource. You must delete existing tag attachments, called tag bindings, before deleting the tag definition itself. To delete tag keys and tag values, see Deleting tags.
Identity and Access Management conditions and tags
You can use tags and IAM conditions to conditionally grant role bindings to users in your hierarchy. Changing or deleting the tag attached to a resource can remove user access to that resource if an IAM policy with conditional role bindings has been applied. For more information, see Identity and Access Management conditions and tags.
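A pre-change check for the risk described above, as an added example that is not part of the original page: it scans an IAM policy (a constructed sample in the shape of `gcloud projects get-iam-policy PROJECT_ID --format=json` output) for conditional role bindings that reference a tag, so you can see which grants depend on it before detaching or deleting it. The tag key ID, the "env"/"prod" names, and the members are made-up sample values, and `bindings_depending_on` is a hypothetical helper name.

```python
import json
import re

# Constructed policy, shaped like `gcloud projects get-iam-policy PROJECT_ID --format=json`.
# Members, tagKeys/123456789012 and the "env"/"prod" names are made up for illustration.
SAMPLE_POLICY = json.loads("""
{"bindings": [
  {"role": "roles/datafusion.admin", "members": ["group:pipeline-admins@example.com"],
   "condition": {"title": "prod by ID",
     "expression": "resource.matchTagId('tagKeys/123456789012', 'tagValues/567890123456')"}},
  {"role": "roles/datafusion.viewer", "members": ["group:analysts@example.com"],
   "condition": {"title": "any env tag",
     "expression": "resource.hasTagKeyId('tagKeys/123456789012')"}},
  {"role": "roles/datafusion.viewer", "members": ["user:oncall@example.com"],
   "condition": {"title": "prod by name",
     "expression": "resource.matchTag('123456789012/env', 'prod')"}},
  {"role": "roles/resourcemanager.tagViewer", "members": ["user:auditor@example.com"]}
]}
""")

# The four tag functions available in IAM condition expressions.
TAG_CALL = re.compile(r"resource\.(hasTagKeyId|hasTagKey|matchTagId|matchTag)\(([^)]*)\)")


def bindings_depending_on(policy, key_refs, value_refs):
    """Return (role, members, condition title) for each conditional binding whose
    expression references the tag key (hasTagKey*) or the key/value pair (matchTag*)."""
    hits = []
    for binding in policy.get("bindings", []):
        condition = binding.get("condition") or {}
        for func, raw_args in TAG_CALL.findall(condition.get("expression", "")):
            args = [a.strip().strip("'\"") for a in raw_args.split(",")]
            if args[0] not in key_refs:
                continue
            # hasTagKey* depends on the key alone; matchTag* also needs the value to match.
            if func.startswith("hasTagKey") or (len(args) > 1 and args[1] in value_refs):
                hits.append((binding["role"], binding["members"], condition.get("title", "")))
                break
    return hits


if __name__ == "__main__":
    # A tag can be referenced by permanent ID or by namespaced name, so pass both forms.
    keys = {"tagKeys/123456789012", "123456789012/env"}
    values = {"tagValues/567890123456", "prod"}
    for role, members, title in bindings_depending_on(SAMPLE_POLICY, keys, values):
        print(f"REVIEW before detaching: {role} for {members} (condition: {title})")
```

A hit means access may change, not that it will: an inherited tag with the same key can still satisfy the condition after a directly attached binding is removed.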
What's next
- See the other services that support tags.
- To learn how to use tags with IAM, see Tags and conditional access.