Data Catalog is deprecated and will be discontinued on January 30, 2026. For steps to transition your Data Catalog users, workloads, and content to Dataplex Universal Catalog, see Transition from Data Catalog to Dataplex Universal Catalog.
This document describes how to grant the Data Catalog tagTemplateUser role to
principals. You can do this after you create a Data Catalog tag template in your resource project. This enables them to create metadata, that is, use
your template to tag data resources. For more information, see Attaching tags to Google Cloud resources.
The next section shows how to grant the tagTemplateUser role.
Grant the tagTemplateUser role
Console
To grant the Data Catalog tagTemplateUser role to a principal
on a project, do the following:
1. Go to IAM in the Google Cloud console and click the edit button at the right of the principal's listing.
2. In the Edit permissions dialog, click ADD ANOTHER ROLE, then click the Select a role drop-down list.
3. In the Filter box, insert Data Catalog TagTemplate User to display this role, then select it and click SAVE.
Java
```java
import com.google.cloud.datacatalog.v1.DataCatalogClient;
import com.google.cloud.datacatalog.v1.TagTemplateName;
import com.google.iam.v1.Binding;
import com.google.iam.v1.GetIamPolicyRequest;
import com.google.iam.v1.Policy;
import com.google.iam.v1.SetIamPolicyRequest;
import java.io.IOException;

// Sample to grant tag access on template
public class GrantTagTemplateUserRole {

  public static void main(String[] args) throws IOException {
    // TODO(developer): Replace these variables before running the sample.
    String projectId = "my-project";
    String tagTemplateId = "my_tag_template";
    grantTagTemplateUserRole(projectId, tagTemplateId);
  }

  public static void grantTagTemplateUserRole(String projectId, String templateId)
      throws IOException {
    // Currently, Data Catalog stores metadata in the us-central1 region.
    String location = "us-central1";

    // Format the Template name.
    String templateName =
        TagTemplateName.newBuilder()
            .setProject(projectId)
            .setLocation(location)
            .setTagTemplate(templateId)
            .build()
            .toString();

    // Initialize client that will be used to send requests. This client only needs to be created
    // once, and can be reused for multiple requests. After completing all of your requests, call
    // the "close" method on the client to safely clean up any remaining background resources.
    try (DataCatalogClient dataCatalogClient = DataCatalogClient.create()) {

      // Retrieve Template's current IAM Policy. setIamPolicy replaces the whole policy,
      // so the new binding must be added to the existing bindings, not sent on its own.
      Policy currentPolicy =
          dataCatalogClient.getIamPolicy(
              GetIamPolicyRequest.newBuilder().setResource(templateName).build());

      // Create a Binding to add the Tag Template User role and member to the policy.
      Binding binding =
          Binding.newBuilder()
              .setRole("roles/datacatalog.tagTemplateUser")
              .addMembers("group:example-analyst-group@google.com")
              .build();

      // Create a Policy object to update Template's IAM policy by adding the new binding.
      // toBuilder() keeps the existing bindings and the etag of the policy that was read.
      Policy policyUpdate = currentPolicy.toBuilder().addBindings(binding).build();

      SetIamPolicyRequest request =
          SetIamPolicyRequest.newBuilder()
              .setPolicy(policyUpdate)
              .setResource(templateName)
              .build();

      // Update Template's policy.
      dataCatalogClient.setIamPolicy(request);
      System.out.println("Role successfully granted");
    }
  }
}
```
Node.js
```javascript
// Import the Google Cloud client library.
const {DataCatalogClient} = require('@google-cloud/datacatalog').v1;
const datacatalog = new DataCatalogClient();

async function grantTagTemplateUserRole() {
  // Grant the tagTemplateUser role to a member of the project.

  /**
   * TODO(developer): Replace the following values before running the sample.
   */
  const projectId = 'my_project'; // Google Cloud Platform project
  const templateId = 'my_existing_template';
  const memberId = 'my_member_id';
  const location = 'us-central1';

  // Format the Template name.
  const templateName = datacatalog.tagTemplatePath(
    projectId,
    location,
    templateId
  );

  // Retrieve Template's current IAM Policy.
  const [getPolicyResponse] = await datacatalog.getIamPolicy({
    resource: templateName,
  });
  const policy = getPolicyResponse;

  // Add Tag Template User role and member to the policy.
  policy.bindings.push({
    role: 'roles/datacatalog.tagTemplateUser',
    members: [memberId],
  });

  const request = {
    resource: templateName,
    policy: policy,
  };

  // Update Template's policy.
  const [updatePolicyResponse] = await datacatalog.setIamPolicy(request);

  updatePolicyResponse.bindings.forEach(binding => {
    console.log(`Role: ${binding.role}, Members: ${binding.members}`);
  });
}

// Report a failed request instead of leaving an unhandled promise rejection.
grantTagTemplateUserRole().catch(err => {
  console.error(err);
  process.exitCode = 1;
});
```
Python
```python
from google.cloud import datacatalog_v1
from google.iam.v1 import iam_policy_pb2 as iam_policy
from google.iam.v1 import policy_pb2

datacatalog = datacatalog_v1.DataCatalogClient()

# TODO: Set these values before running the sample.
project_id = "project_id"
tag_template_id = "existing_tag_template_id"
# For a full list of values a member can have, see:
# https://cloud.google.com/iam/docs/reference/rest/v1/Policy?hl=en#binding
member_id = "user:super-cool.test-user@gmail.com"

# For all regions available, see:
# https://cloud.google.com/data-catalog/docs/concepts/regions
location = "us-central1"

# Format the Template name.
template_name = datacatalog_v1.DataCatalogClient.tag_template_path(
    project_id, location, tag_template_id
)

# Retrieve Template's current IAM Policy.
policy = datacatalog.get_iam_policy(resource=template_name)

# Add Tag Template User role and member to the policy.
binding = policy_pb2.Binding()
binding.role = "roles/datacatalog.tagTemplateUser"
binding.members.append(member_id)
policy.bindings.append(binding)

set_policy_request = iam_policy.SetIamPolicyRequest(
    resource=template_name, policy=policy
)

# Update Template's policy.
policy = datacatalog.set_iam_policy(set_policy_request)

for binding in policy.bindings:
    for member in binding.members:
        print(f"Member: {member}, Role: {binding.role}")
```
REST & CMD LINE
REST
If you do not have access to Cloud Client libraries for your language or
want to test the API using REST requests, see the following examples
and refer to the Data Catalog REST API documentation.
Before using any of the request data,
make the following replacements:
project-id: Google Cloud project ID
template-id: the tag template ID
HTTP method and URL:
POST https://datacatalog.googleapis.com/v1/projects/project-id/locations/region/tagTemplates/template-id:setIamPolicy
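The following added example (not part of the original page or of Google's samples) builds the JSON body for the setIamPolicy call above from a policy previously read with getIamPolicy. It merges the member into the existing tagTemplateUser binding and keeps the etag, so other grants on the template are not dropped. The sample policy, its etag and the example.com members are constructed, and the accepted member prefixes are an assumption of the example.

```python
import copy

ROLE = "roles/datacatalog.tagTemplateUser"
# Assumption of this example: only these member types are expected here.
ALLOWED_PREFIXES = ("user:", "group:", "serviceAccount:")

# Constructed getIamPolicy response (members and etag are made up).
SAMPLE_POLICY = {
    "etag": "CONSTRUCTED_ETAG",
    "bindings": [
        {"role": "roles/datacatalog.tagTemplateOwner",
         "members": ["user:owner@example.com"]},
        {"role": ROLE, "members": ["group:analysts@example.com"]},
    ],
}


def grant_role(current_policy, member, role=ROLE):
    """Return a setIamPolicy request body that adds `member` to `role`.

    Existing bindings and the etag are carried over unchanged, so no other
    grant is dropped and a concurrent policy change is detected by the API.
    """
    if not member.startswith(ALLOWED_PREFIXES):
        raise ValueError(f"unexpected member format: {member!r}")
    policy = copy.deepcopy(current_policy)  # never mutate the caller's copy
    bindings = policy.setdefault("bindings", [])
    # Reuse the unconditional binding for this role instead of appending
    # a duplicate binding on every run.
    target = next(
        (b for b in bindings if b.get("role") == role and "condition" not in b),
        None,
    )
    if target is None:
        target = {"role": role, "members": []}
        bindings.append(target)
    if member not in target.setdefault("members", []):
        target["members"].append(member)
    return {"policy": policy}


def members_with_role(policy, role=ROLE):
    """List every member holding `role`, for review before and after the grant."""
    found = {m for b in policy.get("bindings", [])
             if b.get("role") == role for m in b.get("members", [])}
    return sorted(found)


if __name__ == "__main__":
    body = grant_role(SAMPLE_POLICY, "user:new-analyst@example.com")
    print(members_with_role(body["policy"]))
```

Comparing `members_with_role` on the policy before and after the change gives a reviewable record of exactly who gained the role.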
Last updated 2025-09-04 UTC.