Tags are key-value pairs you can apply to your services for fine-grained access control. Tag administrators create tags for resources across Google Cloud at the organization or project level and manage them in Resource Manager. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag.
Tags attached to Cloud Run services should not be confused with Cloud Run traffic tags, which let you route traffic to specific Cloud Run revisions.
Required roles
To get the permissions that you need to attach or detach tags, ask your administrator to grant you the following IAM roles on the Cloud Run service:
- Cloud Run Admin (roles/run.admin)
- Tag User (roles/resourcemanager.tagUser)
To manage access on the tag value resource in Resource Manager, your account must also have the Tag User (roles/resourcemanager.tagUser) role granted for the tag value. The tag value is the resource that is attached to the Cloud Run service.
For a list of IAM roles and permissions that are associated with Cloud Run, see Cloud Run IAM roles and Cloud Run IAM permissions. If your Cloud Run service interfaces with Google Cloud APIs, such as Cloud Client Libraries, see the service identity configuration guide. For more information about granting roles, see deployment permissions and manage access.
Attaching tags
Note that attaching a tag to your service does not result in the creation of a new revision.
You can attach or detach tags using the Google Cloud console or the gcloud command line.
Console
Check the checkbox at the left of the service you are setting the tag on.
Click Tags above the services list to display the tags pane.
If your organization doesn't appear in the Tags panel, click Select scope. Select your organization and click Open.
To attach a new tag to the service, click Add Tag and select one of the tag keys in the key dropdown menu, and select a value from the value dropdown menu.
Click Save then confirm your changes if prompted.
gcloud
You can update tags for a service using the command:
gcloud resource-manager tags bindings create \
  --tag-value=TAG_VALUE \
  --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
  --location=REGION
To update more than one tag, supply a comma-delimited list of key/value pairs.
Replace:
- TAG_VALUE with the value for the key. You can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod
- PROJECT_ID with the project ID of your Google Cloud project
- REGION with the region your Cloud Run service is deployed to
- SERVICE with the name of your Cloud Run service
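The following is an added example, not part of the original documentation: a shell helper that checks which of the three TAG_VALUE identifier forms was supplied and derives both --parent and --location from a single REGION argument, so the two always match as they do in the command above. The function names, the DRY_RUN variable and the sample project, region and service names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the Cloud Run docs. tag_value_kind, service_parent,
# bind_tag and DRY_RUN are hypothetical names; sample values are constructed.

# Classify TAG_VALUE as one of the three identifier forms the page lists.
tag_value_kind() {
  case "$1" in
    ""|/*|*/|*//*) echo invalid; return 1 ;;      # empty value or empty segment
    tagValues/*)
      case "${1#tagValues/}" in
        *[!0-9]*) echo invalid; return 1 ;;       # permanent IDs are numeric
        *) echo permanent-id ;;
      esac ;;
    */*/*/*) echo invalid; return 1 ;;            # too many segments
    */*/*) echo namespaced ;;                     # e.g. 123456789012/env/prod
    */*) echo invalid; return 1 ;;                # key/value without a parent
    *) echo short-name ;;                         # e.g. prod
  esac
}

# Build the --parent full resource name for a Cloud Run service.
service_parent() {  # PROJECT_ID REGION SERVICE
  for part in "$1" "$2" "$3"; do
    case "$part" in ""|*/*) return 1 ;; esac
  done
  echo "//run.googleapis.com/projects/$1/locations/$2/services/$3"
}

# Attach one tag. REGION is passed once and reused for --parent and --location.
# With DRY_RUN=1 the command is printed instead of executed.
bind_tag() {  # TAG_VALUE PROJECT_ID REGION SERVICE
  kind=$(tag_value_kind "$1") || { echo "bad TAG_VALUE: $1" >&2; return 2; }
  parent=$(service_parent "$2" "$3" "$4") || { echo "bad service path" >&2; return 2; }
  echo "# TAG_VALUE form: $kind" >&2
  set -- gcloud resource-manager tags bindings create \
    "--tag-value=$1" "--parent=$parent" "--location=$3"
  if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Constructed sample values; prints the command without calling gcloud.
DRY_RUN=1 bind_tag 123456789012/env/prod my-project us-central1 my-service
```

Unset DRY_RUN to have bind_tag run the gcloud command instead of printing it.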
Detaching a tag
You can use the console or the command line to detach tags from your service.
Console
Check the checkbox at the left of the service you are detaching the tag from.
Click Tags above the services list to display the tags pane.
Locate the tag you want to detach.
Hover your cursor to the right of the Value dropdown menu for the tag to display the trash icon, and click the trash icon.
Click Save and confirm your changes if prompted.
gcloud
To detach a tag from a service:
gcloud resource-manager tags bindings delete \
  --tag-value=TAG_VALUE \
  --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/services/SERVICE \
  --location=REGION
To detach more than one tag, supply a comma-delimited list of key/value pairs.
Replace:
- TAG_VALUE with the value for the key. You can use these different types of identifiers: a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod
- PROJECT_ID with the project ID of your Google Cloud project
- REGION with the region your Cloud Run service is deployed to
- SERVICE with the name of your Cloud Run service