Create and manage tags

This page describes Cloud de Confiance by S3NS tags and how to use them with Pub/Sub. Tags can be applied to Pub/Sub topics, subscriptions, and snapshots. Support for applying tags to Pub/Sub schemas is planned.

About tags

A tag is a key-value pair that can attach to a resource within Cloud de Confiance by S3NS. You can use tags to conditionally allow or deny policies based on whether a resource has a specific tag. For example, you can conditionally grant Identity and Access Management (IAM) roles based on whether a resource has a specific tag. For more information about tags, see Tags overview.

Tags are attached to resources by creating a tag binding resource that links the value to the Cloud de Confiance by S3NS resource.

Required permissions

To get the permissions that you need to manage tags, ask your administrator to grant you the following IAM roles:

  • View tags: Tag Viewer (roles/resourcemanager.tagViewer) on the resources the tags are attached to
  • View and manage tags at the organization level: Organization Viewer (roles/resourcemanager.organizationViewer) on the organization
  • Create, update, and delete tag definitions: Tag Administrator (roles/resourcemanager.tagAdmin) on the resource you're creating, updating, or deleting tags for
  • Attach and remove tags from resources: Tag User (roles/resourcemanager.tagUser) on the tag value and on the resources that you are attaching the tag value to or removing it from

For more information about granting roles, see Manage access to projects, folders, and organizations.

You might also be able to get the required permissions through custom roles or other predefined roles.

To attach tags to Pub/Sub topics, subscriptions, or snapshots, you need the Pub/Sub Editor role (roles/pubsub.editor).

Create tag keys and values

Before you can attach a tag, you need to create a tag and configure its value. To create tag keys and tag values, see Creating a tag and Adding a tag value.

Add tags to existing resources

To add a tag to existing topics, subscriptions, or snapshots, follow these steps:

gcloud

To attach a tag to a topic, subscription, or snapshot, you must create a tag binding resource by using the gcloud resource-manager tags bindings create command:

      gcloud resource-manager tags bindings create \
          --tag-value=TAGVALUE_NAME \
          --parent=RESOURCE_ID

Replace the following:

  • TAGVALUE_NAME: the permanent ID or namespaced name of the tag value that is attached—for example, tagValues/567890123456.
  • RESOURCE_ID: the full ID of the resource, including the API domain name to identify the type of resource (//pubsub.googleapis.com/). For example, to attach a tag to projects/7890123456/subscriptions/my-subscription, the full ID is //pubsub.googleapis.com/projects/7890123456/subscriptions/my-subscription.

List tags attached to resources

You can view a list of tag bindings directly attached to or inherited by the topic, subscription, or snapshot.

gcloud

To get a list of tag bindings attached to a resource, use the gcloud resource-manager tags bindings list command:

      gcloud resource-manager tags bindings list \
          --parent=RESOURCE_ID

Replace the following:

  • RESOURCE_ID: the full ID of the resource, including the API domain name that identifies the type of resource (//pubsub.googleapis.com/). For example, for the subscription projects/7890123456/subscriptions/my-subscription, the full ID is //pubsub.googleapis.com/projects/7890123456/subscriptions/my-subscription.

You should get a response similar to the following:

      name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F7890123456/tagValues/567890123456
      tagValue: tagValues/567890123456
      resource: //pubsub.googleapis.com/projects/7890123456/subscriptions/my-subscription

Detach tags from resources

You can detach tags that have been directly attached to a topic, subscription, or snapshot. Inherited tags can be overridden by attaching a tag with the same key and a different value, but they can't be detached.

gcloud

To delete a tag binding, use the gcloud resource-manager tags bindings delete command:

      gcloud resource-manager tags bindings delete \
          --tag-value=TAGVALUE_NAME \
          --parent=RESOURCE_ID

Replace the following:

  • TAGVALUE_NAME: the permanent ID or namespaced name of the tag value that is attached—for example, tagValues/567890123456.
  • RESOURCE_ID: the full ID of the resource, including the API domain name that identifies the type of resource (//pubsub.googleapis.com/). For example, for the subscription projects/7890123456/subscriptions/my-subscription, the full ID is //pubsub.googleapis.com/projects/7890123456/subscriptions/my-subscription.
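The create, list, and delete commands above all take the same two inputs, and the most common mistake when scripting them is a malformed RESOURCE_ID (a project ID instead of a project number, or a resource kind that does not accept tags). The following POSIX shell script is an added example, not code from the original page or from the gcloud tooling: it builds the full resource ID for a topic, subscription, or snapshot, rejects schemas (which this page says are not yet supported), checks that TAGVALUE_NAME is either a permanent ID or a namespaced name, and then composes the bindings command for a whole inventory of resources. The project number 7890123456 and tagValues/567890123456 are the page's sample values; the resource names in the inventory are constructed for this example. With DRY_RUN=1 (the default) the script prints the commands for review instead of running them.

```shell
#!/bin/sh
# Added example (not from the page): compose gcloud resource-manager tags
# bindings commands for Pub/Sub resources, validating inputs first.
# Assumed: gcloud is on PATH when DRY_RUN=0; the resource names below are
# constructed, the project number and tag value ID are the page's samples.

DRY_RUN=${DRY_RUN:-1}
GCLOUD=${GCLOUD:-gcloud}

# Pub/Sub resource kinds that accept tags; schemas are not yet supported.
supported_kind() {
  case "$1" in
    topics|subscriptions|snapshots) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the full resource ID, e.g.
#   //pubsub.googleapis.com/projects/7890123456/subscriptions/my-subscription
# Returns non-zero for an unsupported kind, a non-numeric project, or an
# empty resource name, so a typo never reaches gcloud.
pubsub_resource_id() {
  project=$1; kind=$2; name=$3
  case "$project" in
    ''|*[!0-9]*) echo "project must be a project number: '$project'" >&2; return 1 ;;
  esac
  supported_kind "$kind" || { echo "unsupported resource kind: $kind" >&2; return 1; }
  [ -n "$name" ] || { echo "resource name is empty" >&2; return 1; }
  printf '//pubsub.googleapis.com/projects/%s/%s/%s\n' "$project" "$kind" "$name"
}

# Accept a tag value's permanent ID (tagValues/NNN) or a namespaced name
# (ORG_ID/key/value); this is a loose shape check, not a lookup.
valid_tag_value_name() {
  case "$1" in
    tagValues/[0-9]*) case "${1#tagValues/}" in *[!0-9]*) return 1 ;; esac; return 0 ;;
    [0-9]*/?*/?*) return 0 ;;
    *) return 1 ;;
  esac
}

# Compose one tags bindings command. ACTION is create, list, or delete;
# the tag value is ignored for list.
tag_binding_cmd() {
  action=$1; tag_value=$2; resource_id=$3
  case "$action" in
    list)
      printf '%s resource-manager tags bindings list --parent=%s\n' "$GCLOUD" "$resource_id" ;;
    create|delete)
      valid_tag_value_name "$tag_value" || { echo "bad tag value name: $tag_value" >&2; return 1; }
      printf '%s resource-manager tags bindings %s --tag-value=%s --parent=%s\n' \
        "$GCLOUD" "$action" "$tag_value" "$resource_id" ;;
    *) echo "unknown action: $action" >&2; return 1 ;;
  esac
}

# Print the composed command under DRY_RUN=1, otherwise execute it.
run_cmd() {
  if [ "$DRY_RUN" = 1 ]; then echo "[dry-run] $1"; else sh -c "$1"; fi
}

# Apply ACTION with TAG_VALUE to every "PROJECT KIND NAME" line on stdin.
# Stops at the first invalid line so a bad inventory cannot leave the set
# half-tagged; blank lines are skipped.
tag_pubsub_resources() {
  action=$1; tag_value=$2
  while read -r project kind name; do
    [ -n "$project" ] || continue
    resource_id=$(pubsub_resource_id "$project" "$kind" "$name") || return 1
    cmd=$(tag_binding_cmd "$action" "$tag_value" "$resource_id") || return 1
    run_cmd "$cmd"
  done
}

# Constructed sample inventory: attach the page's sample tag value to three
# resources in project number 7890123456 (resource names are made up).
tag_pubsub_resources create tagValues/567890123456 <<'EOF'
7890123456 subscriptions my-subscription
7890123456 topics orders-topic
7890123456 snapshots orders-snapshot
EOF
```

Run the same inventory with `list` after the `create` pass to confirm each binding exists, and with `delete` before removing the tag value definition, since the section below notes that bindings must be gone before the definition can be deleted. Setting DRY_RUN=0 executes the commands with whatever gcloud credentials are active, so review the printed commands first.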

Delete tag keys and values

When removing a tag key or value definition, ensure that the tag is detached from the topic, subscription, or snapshot. You must delete existing tag attachments, called tag bindings, before deleting the tag definition itself. To delete tag keys and tag values, see Deleting tags.

Identity and Access Management conditions and tags

You can use tags and IAM conditions to conditionally grant role bindings to users in your hierarchy. Changing or deleting the tag attached to a resource can remove user access to that resource if an IAM policy with conditional role bindings has been applied. For more information, see Identity and Access Management conditions and tags.

What's next