
Tag repositories

Use tags to group repositories and other resources across Google Cloud for reporting, auditing, and access control within your Google Cloud organization.

To group repositories within Artifact Registry for automation and billing purposes, use labels. Tags and labels work independently of each other, and you can apply both to the same repository. For more information on the differences between tags and labels, see Tags and labels.

What are tags?

Tags are key-value pairs you can apply to your resources for fine-grained access control.

Project administrators create tags for resources across Google Cloud at the organization level and manage them in Resource Manager. When you attach a tag to an Artifact Registry repository, you can use the tag with IAM conditions to grant conditional access to the repository. You cannot attach tags to individual artifacts.

Keep these restrictions in mind:

  • Organization policies can conditionally reference tags that are inherited from the parent project and higher, but they don't support tags that you directly attach to repositories.

  • Cloud Audit logs are not generated for attaching tags and viewing tag bindings on repositories.

For more information about tags and conditional access control with tags, see Tags and access control.
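
An added example (not from the original page) of the conditional access described above: the script turns a namespaced tag value into a resource.matchTag() IAM condition, writes it in the YAML form that gcloud's --condition-from-file flag reads, and prints the binding command for review. The project, group, role and file name are assumptions, and the accepted character set is deliberately narrower than what tag names allow.

```shell
#!/bin/sh
# Added example: build an IAM condition that matches a repository tag.
# Assumed names: my-project, dev-team@example.com, roles/artifactregistry.reader.

# Turn a namespaced tag value (ORG_ID/KEY/VALUE, as on this page) into a
# resource.matchTag() expression. Only a conservative character set is
# accepted so the result can be embedded in quotes safely.
tag_condition_expr() {
  tc_ns="$1"
  case "$tc_ns" in
    */*/*/*) echo "too many components: $tc_ns" >&2; return 1 ;;
    */*/*)   ;;
    *)       echo "expected ORG_ID/KEY/VALUE: $tc_ns" >&2; return 1 ;;
  esac
  tc_org="${tc_ns%%/*}"
  tc_rest="${tc_ns#*/}"
  tc_key="${tc_rest%%/*}"
  tc_val="${tc_rest#*/}"
  case "$tc_org" in ''|*[!0-9]*) echo "organization ID must be numeric" >&2; return 1 ;; esac
  case "$tc_key" in ''|*[!A-Za-z0-9._-]*) echo "unsupported tag key" >&2; return 1 ;; esac
  case "$tc_val" in ''|*[!A-Za-z0-9._-]*) echo "unsupported tag value" >&2; return 1 ;; esac
  printf "resource.matchTag('%s/%s', '%s')" "$tc_org" "$tc_key" "$tc_val"
}

# Write the condition as YAML: $1 = namespaced tag value, $2 = output file.
write_condition_file() {
  wc_expr="$(tag_condition_expr "$1")" || return 1
  cat > "$2" <<EOF
title: tagged-repos-only
description: Applies only to resources with tag $1
expression: "$wc_expr"
EOF
}

# Usage: sh tag-condition.sh 815471563813/env/dev condition.yaml
# Prints the binding command instead of running it, so it can be reviewed.
if [ "$#" -eq 2 ]; then
  write_condition_file "$1" "$2" || exit 1
  echo "gcloud projects add-iam-policy-binding my-project \\"
  echo "  --member=group:dev-team@example.com \\"
  echo "  --role=roles/artifactregistry.reader \\"
  echo "  --condition-from-file=$2"
fi
```

With a grant like this, the ability to attach or detach the tag value decides who gets access, so the Tag User role on that value deserves the same review as the role binding itself.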

Required permissions

The permissions you need depend on the action you need to perform.

To gain these permissions, ask your administrator to grant the suggested role at the appropriate level of the resource hierarchy.

View tags

To view tag definitions and tags that are attached to resources, you need the Tag Viewer role (roles/resourcemanager.tagViewer), or another role that includes the following permissions:

Required permissions

  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.list
  • resourcemanager.tagValues.list
  • resourcemanager.tagValues.get
  • listTagBindings for the appropriate resource type. For example, compute.instances.listTagBindings for viewing tags attached to Compute Engine instances.
  • listEffectiveTags for the appropriate resource type. For example, compute.instances.listEffectiveTags for viewing all tags attached to or inherited by Compute Engine instances.

To view tags at the organization level, you need the Organization Viewer role (roles/resourcemanager.organizationViewer) on the organization resource.

Administer tags

To create, update, and delete tag definitions, you need the Tag Administrator role (roles/resourcemanager.tagAdmin), or another role that includes the following permissions:

Required permissions

  • resourcemanager.tagKeys.create
  • resourcemanager.tagKeys.update
  • resourcemanager.tagKeys.delete
  • resourcemanager.tagKeys.list
  • resourcemanager.tagKeys.get
  • resourcemanager.tagKeys.getIamPolicy
  • resourcemanager.tagKeys.setIamPolicy
  • resourcemanager.tagValues.create
  • resourcemanager.tagValues.update
  • resourcemanager.tagValues.delete
  • resourcemanager.tagValues.list
  • resourcemanager.tagValues.get
  • resourcemanager.tagValues.getIamPolicy
  • resourcemanager.tagValues.setIamPolicy

To administer tags at the organization level, you need the Organization Viewer role (roles/resourcemanager.organizationViewer) on the organization resource.

Manage tags on resources

To add and remove tags that are attached to resources, you need the Tag User role (roles/resourcemanager.tagUser), or another role with equivalent permissions, on both the tag value and the resources that you are attaching the tag value to. The Tag User role includes the following permissions:

Required permissions

  • Permissions required for the resource you're attaching the tag value to:
    • Resource-specific createTagBinding permission, such as compute.instances.createTagBinding for Compute Engine instances.
    • Resource-specific deleteTagBinding permission, such as compute.instances.deleteTagBinding for Compute Engine instances.
  • Permissions required for the tag value:
    • resourcemanager.tagValueBindings.create
    • resourcemanager.tagValueBindings.delete
  • Permissions that let you view projects and tag definitions:
    • resourcemanager.tagValues.get
    • resourcemanager.tagValues.list
    • resourcemanager.tagKeys.get
    • resourcemanager.tagKeys.list
    • resourcemanager.projects.get

Attaching tags to repositories

After a project administrator creates tags, you can attach tags to a repository. Each tag has a key and a value. You tag a repository by binding a value to the repository.

To attach a tag to a repository:

Console

  1. Obtain the tag value to attach from your administrator.

    You can attach a tag value with one of these types of identifiers:

    • A namespaced name, such as 123456789012/env/dev
    • A permanent ID, such as tagValues/567890123456
  2. Open the Repositories page in the Google Cloud console.

    Open the Repositories page

  3. Select the repository you want to tag.

  4. In the Repository Details section, click Show more.

    Existing tags for the repository, including inherited tags, are shown.

  5. Click the Edit tags icon.

  6. In the Direct tags section, click Select scope.

  7. Select your repository project.

  8. In the Key field, type to filter the tag list, then select the tag key.

  9. In the Value field, type to filter the tag list, then select the tag value.

  10. Click Save.

  11. Click Confirm.

    The tag is attached to your repository.

gcloud CLI

  1. Obtain the tag value to attach from your administrator.

    You can attach a tag value with one of these types of identifiers:

    • A namespaced name, such as 123456789012/env/dev
    • A permanent ID, such as tagValues/567890123456
  2. Attach the tag value with the following command:

    gcloud resource-manager tags bindings create \
        --tag-value=TAG_VALUE \
        --parent=REPOSITORY_ID \
        --location=LOCATION

    Replace the following values:

    • TAG_VALUE is the permanent ID or namespaced name of the tag value to attach.

    • REPOSITORY_ID is the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example, //artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo

    • LOCATION is the location of the repository.

    Consider the following example:

    • Tag value: 815471563813/env/dev
    • Project: my-project
    • Repository: my-repo
    • Repository location: us-east1

    The following gcloud CLI command attaches the tag to the repository:

    gcloud resource-manager tags bindings create \
        --tag-value=815471563813/env/dev \
        --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
        --location=us-east1

Listing tags attached to repositories

You can list tags that are attached to a resource that you have permissions to access.

Console

  1. Open the Repositories page in the Google Cloud console.

    Open the Repositories page

  2. Select the repository you want to view.

  3. In the Repository Details section, click Show more.

    The Tags list shows all repository tags, including direct tags and tags inherited from higher in the resource hierarchy.

gcloud CLI

To list tags attached to a repository, run the following command:

    gcloud resource-manager tags bindings list \
        --parent=REPOSITORY_ID \
        --location=LOCATION

The command only lists tags directly attached to the specified resource, so it doesn't return tags inherited from the parent project or higher. You can list tags inherited from the parent project by specifying a project instead of a repository with the --parent flag.

For example, this command lists tags attached to the repository my-repo in the project my-project and the location us-east1:

    gcloud resource-manager tags bindings list \
        --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
        --location=us-east1

This command lists tags attached to the project number 7890123456:

    gcloud resource-manager tags bindings list \
        --parent=//cloudresourcemanager.googleapis.com/projects/7890123456
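
Because attaching tags to repositories generates no Cloud Audit Logs entry and the list command returns only direct bindings, a periodic comparison against a known-good baseline is one way to notice changes. The script below is an added example, not part of the original page; the baseline file of permanent tag value IDs (one per line) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: detect tag-binding drift on an Artifact Registry repository.
# Assumption: the baseline file lists permanent IDs (tagValues/...), one per line.

# Build the full resource name that --parent expects.
# $1 = project, $2 = location, $3 = repository
repo_parent() {
  printf '//artifactregistry.googleapis.com/projects/%s/locations/%s/repositories/%s' \
    "$1" "$2" "$3"
}

# Compare expected ($1) and observed ($2) tag value IDs, both given as
# newline-separated strings. Prints "MISSING <id>" for baseline entries that
# are not bound and "UNEXPECTED <id>" for bindings that are not in the
# baseline. Returns 1 when any drift is found.
binding_drift() {
  bd_tmp="$(mktemp -d)" || return 2
  printf '%s\n' "$1" | grep -v '^$' | sort -u > "$bd_tmp/expected"
  printf '%s\n' "$2" | grep -v '^$' | sort -u > "$bd_tmp/observed"
  bd_out="$(
    comm -23 "$bd_tmp/expected" "$bd_tmp/observed" | sed 's/^/MISSING /'
    comm -13 "$bd_tmp/expected" "$bd_tmp/observed" | sed 's/^/UNEXPECTED /'
  )"
  rm -rf "$bd_tmp"
  [ -z "$bd_out" ] && return 0
  printf '%s\n' "$bd_out"
  return 1
}

# Fetch the direct bindings of one repository and compare them with the
# baseline file ($4). Inherited tags are not returned by this command; check
# the project parent separately if the baseline covers them.
check_repo() {
  cr_parent="$(repo_parent "$1" "$2" "$3")"
  cr_seen="$(gcloud resource-manager tags bindings list \
      --parent="$cr_parent" --location="$2" \
      --format='value(tagValue)')" || return 2
  binding_drift "$(cat "$4")" "$cr_seen"
}

# Usage: sh tag-drift.sh my-project us-east1 my-repo baseline.txt
if [ "$#" -eq 4 ]; then
  check_repo "$@"
fi
```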
 

Detaching tags from repositories

You can detach a tag that is directly attached to a repository. If you need to remove a tag that is inherited from the parent project or another part of the resource hierarchy, a project administrator must detach it from the resource where the tag is attached.

To remove a tag that is attached to a repository:

Console

  1. Obtain the tag value you want to remove. If you don't know the tag value, list tags attached to the repository.

  2. Open the Repositories page in the Google Cloud console.

    Open the Repositories page

  3. Select the repository.

  4. In the Repository Details section, click Show more.

    Existing tags for the repository, including inherited tags, are shown.

  5. Click the Edit tags icon.

  6. In the Direct tags section, locate the tag you want to remove.

  7. Click the delete icon next to the tag you want to remove.

  8. Click Save.

  9. Click Confirm.

    The tag is removed from your repository.

gcloud CLI

  1. Obtain the tag value you want to remove. If you don't know the tag value, list tags attached to the repository.

  2. Detach the tag value with the following command:

    gcloud resource-manager tags bindings delete \
        --tag-value=TAG_VALUE \
        --parent=REPOSITORY_ID \
        --location=LOCATION

    Replace the following values:

    • TAG_VALUE is the tag value to detach.

    • REPOSITORY_ID is the full ID of the repository, including the API domain name to identify the type of resource (//artifactregistry.googleapis.com/). For example, //artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo

    • LOCATION is the location of the repository.

    Consider the following example:

    • Tag value: 815471563813/env/dev
    • Project: my-project
    • Repository: my-repo
    • Repository location: us-east1

    The following gcloud CLI command detaches the tag from the repository:

    gcloud resource-manager tags bindings delete \
        --tag-value=815471563813/env/dev \
        --parent=//artifactregistry.googleapis.com/projects/my-project/locations/us-east1/repositories/my-repo \
        --location=us-east1
