Attach and manage tags on Cloud SQL instances
This page describes how to attach, detach, and list tags on Cloud SQLinstances. For an overview of tags on Cloud SQL, seeAccess control with Google Cloud tags.
Before you begin
Tags are managed through the Resource Manager. You need the followingCloud SQL IAM permissions to view and set tags onCloud SQL instances:
cloudsql.instances.createTagBindingcloudsql.instances.deleteTagBindingcloudsql.instances.listTagBindingsresourcemanager.tagUser
Thecloudsql permissions are inherited through thecloudsql.admin IAMrole. Theresourcemanager.tagUser is required to tag and instance during instance creation
Create a Cloud SQL instance with a tag
To create an instance with a tag attached, use the--tags flag when creating the instance.This combines the tags with organization policies, custom organization policies, and IAM conditions togive more customization to instance creation policies.
For example, the following command creates an instance in thegcloud CLI with the 1234 tag with a value of 5678[gcloud sql instances create tags-instance --tags=tagKeys/1234=tagValues/5678]
Attach tags to Cloud SQL instances
Once you'vecreated and defineda tag using Resource Manager, you can attach the tag directly to yourCloud SQL instance.
For example:
- The tag value is
815471563813/environment/development.815471563813is the organization ID.environmentis the tag key.developmentis the tag value.
- Your project name is
my-project. - Your instance name is
my-instance. - Your instance is in
us-central1.
Thegcloud resource-manager tags bindings create command attaches the tag to a resource, in this case,my-instance:
gcloudresource-managertagsbindingscreate\--tag-value=815471563813/environment/development\--parent=//sqladmin.googleapis.com/projects/my-project/instances/my-instance\--location=us-central1Detach tags from Cloud SQL instances
Thegcloud resource-manager tags bindings delete command detaches the tag frommy-instance:
gcloudresource-managertagsbindingsdelete\--tag-value=815471563813/environment/development\--parent=//sqladmin.googleapis.com/projects/my-project/instances/my-instance\--location=us-central1List tags on Cloud SQL instances
Thegcloud resource-manager tags bindings list command lists all tags directly attached tomy-instance,except tags thatmy-instance has inherited:
gcloudresource-managertagsbindingslist\--parent=//sqladmin.googleapis.com/projects/my-project/instances/my-instance\--location=us-central1What's next
- For an overview of tags on Cloud SQL, seeAccess control with Google Cloud tags
- For more detailed instructions, seeAttach tags to resources.
- Learn aboutIAM conditionals.
- Learn how touse IAM conditionals with Cloud SQL.
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-12-17 UTC.