Access control with Google Cloud tags


This page describes Google Cloud tags and how to use them with Cloud SQL. To add tags to your Cloud SQL instances using gcloud, see Attach and manage tags on Cloud SQL instances. To add tags to your Cloud SQL instances using the Google Cloud console, see Create and manage tags on your instance.

Overview

Google Cloud tags are key-value pairs, attached in the resource hierarchy, that you can use to organize your Cloud SQL resources and, more importantly, to control access to them.

Tags can be attached directly to a Cloud SQL instance or at higher levels of the resource hierarchy (project, folder, or organization), in which case Cloud SQL instances and other resources below that level inherit them. Tags are managed using Resource Manager. You can reference tags in IAM policy bindings to grant conditional access to resources.

Tags are different from labels, which are another way to organize and filter your instances. Tags and labels work independently of each other, and you can use both on the same instance. For more information about using labels in Cloud SQL, see Label instances.

What are tags?

Tags are key-value pairs you can apply to your resources for fine-grained access control.

A tag key could be a property, such as environment, and the tag value could be an attribute, such as development or production. A tag can have only one value for a given key on a particular resource.

Tags are created at the organization level. Tags are attached to resources, such as a project or a Cloud SQL instance, through Resource Manager, which is used across Google Cloud.

Grant permissions based on conditional tag bindings

Once a tag is attached to or inherited by a Cloud SQL instance, you can use the tag with IAM Conditions to grant access to Cloud SQL resources conditionally. IAM Conditions let you impose fine-grained access control on Cloud SQL instances: a role binding with a tag condition applies only to instances whose effective tags satisfy the condition. To use IAM Conditions, you reference the tags in IAM policy bindings. For more information on how to use tags to grant conditional access to Cloud SQL instances, see Use IAM conditions.

Access granted through tag-based bindings covers the backups of a running instance: a principal who can see the instance through such a binding can see all of its backups, as well as the final backups of previously deleted instances that had the same name. However, after you delete an instance that was covered only by tag bindings, those bindings no longer grant access to any backups associated with the instance name. The instance is gone, so its tags can no longer be determined and the condition can no longer be satisfied. Plan for this before deleting an instance: if someone must retain access to its final backups, grant that access through a binding that does not depend on the instance's own tags.
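To make the mechanics of the two preceding sections concrete, the following added example (written for this page; not code from the Cloud SQL documentation or from Google) builds an IAM policy binding conditioned on a tag and models how such a binding evaluates against an instance's effective tags, including the deleted-instance case above. The organization ID and group member are constructed placeholders. The binding shape and the version-3 requirement for conditional policies are real; `resource.matchTag()` and `resource.hasTagKey()` are the documented IAM Conditions functions for tags, but `condition_holds()` is a local stand-in that evaluates only those two forms and is not the CEL engine IAM actually uses.

```python
"""Added example: tag-conditioned IAM bindings for Cloud SQL, modelled locally."""
import json
import re

# Constructed placeholders for this example; not real identifiers.
ORG_ID = "123456789012"
MEMBER = "group:sql-readers@example.com"

_MATCH_TAG = re.compile(r"^resource\.matchTag\('([^']+)',\s*'([^']+)'\)$")
_HAS_KEY = re.compile(r"^resource\.hasTagKey\('([^']+)'\)$")


def tag_condition(org_id, key, value=None):
    """CEL expression for an IAM condition on a tag.

    Tag keys are referenced by namespaced name ORG_ID/KEY; the value is its
    short name. Without a value the condition only requires the key.
    """
    for part in (key, value or ""):
        if "'" in part or "/" in part:
            raise ValueError("tag key/value must not contain quotes or '/'")
    if value is None:
        return f"resource.hasTagKey('{org_id}/{key}')"
    return f"resource.matchTag('{org_id}/{key}', '{value}')"


def add_conditional_binding(policy, role, member, expression, title):
    """Return a copy of `policy` with a conditional binding appended.

    Conditional bindings require IAM policy version 3; a version 1 policy
    cannot carry them, so the version is bumped here.
    """
    policy = json.loads(json.dumps(policy))  # deep copy, keep caller's intact
    policy["version"] = 3
    policy.setdefault("bindings", []).append({
        "role": role,
        "members": [member],
        "condition": {"title": title, "expression": expression},
    })
    return policy


def effective_tags(*layers):
    """Merge tag dicts from the organization down to the instance.

    Pass layers outermost first. A value attached closer to the resource
    overrides an inherited value for the same key.
    """
    merged = {}
    for layer in layers:
        merged.update(layer)
    return merged


def condition_holds(expression, tags):
    """Local model of the two tag functions in IAM Conditions (not CEL)."""
    m = _MATCH_TAG.match(expression)
    if m:
        return tags.get(m.group(1)) == m.group(2)
    m = _HAS_KEY.match(expression)
    if m:
        return m.group(1) in tags
    raise ValueError(f"unsupported expression: {expression}")


def granted_roles(policy, member, tags):
    """Roles `member` holds on a resource whose effective tags are `tags`.

    tags=None models the deleted-instance case: the tags can no longer be
    determined, so tag-conditioned bindings grant nothing. Unconditional
    bindings still apply.
    """
    roles = set()
    for b in policy.get("bindings", []):
        if member not in b.get("members", []):
            continue
        cond = b.get("condition")
        if cond is None:
            roles.add(b["role"])
        elif tags is not None and condition_holds(cond["expression"], tags):
            roles.add(b["role"])
    return roles


if __name__ == "__main__":
    policy = add_conditional_binding(
        {"version": 1, "bindings": []}, "roles/cloudsql.viewer", MEMBER,
        tag_condition(ORG_ID, "environment", "development"), "dev instances only")
    print(json.dumps(policy, indent=2))
    org_tags = {f"{ORG_ID}/environment": "production"}   # inherited
    inst_tags = {f"{ORG_ID}/environment": "development"}  # attached directly
    print(granted_roles(policy, MEMBER, effective_tags(org_tags, {}, inst_tags)))
    print(granted_roles(policy, MEMBER, None))  # instance deleted: set()
```

The `policy` dict produced here is the body you would pass to `setIamPolicy`; the same condition can be supplied to `gcloud projects add-iam-policy-binding` through its `--condition` flag. Note that a directly attached `environment=development` tag overrides an inherited `production` value, so the conditional binding grants on that instance even though its organization is tagged production.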

Restrictions

Tags have the following restrictions:

  • Organization policies can conditionally reference tags inherited from the project level and above, but don't support tags that are directly attached to Cloud SQL instances.
  • Cloud Audit Logs record the creation and deletion of tags, but entries are not generated for attaching tags to Cloud SQL instances or for viewing tag bindings on them. Because attaching a tag can change which conditional bindings apply, a change in who can access an instance that is made this way does not appear in the instance's audit trail.


Last updated 2025-12-17 UTC.