Manage tags for resources
This guide describes how to create and manage tags for Compute Engine resources. A tag is a key-value pair that can be attached to a Google Cloud resource. Tags are used for several purposes, including:
- Conditionally allowing or denying policies based on whether a resource has a specific tag.
- Defining sources and targets in global network firewall policies and regional network firewall policies.
- Organizing resources in a logical manner.
After creating a tag and granting appropriate access to both the tag and the resource, you can attach the tag as a key-value pair. You can attach exactly one value to a resource for a given key. For example, if you attach the environment: development tag, then you cannot attach the environment: production or environment: test tags. Each resource can have a maximum of 50 key-value pairs attached.
To attach tags to resources, you must create a tag binding resource that links the tag value to the Google Cloud resource. For more information on tags and how they work, review the Tags overview document.
Before you begin
- Read the Tags overview in the Resource Manager documentation.
- Read Creating and managing tags in the Resource Manager documentation.
- If you haven't already, set up authentication. Authentication verifies your identity for access to Google Cloud services and APIs. To run code or samples from a local development environment, you can authenticate to Compute Engine by selecting one of the following options:
Select the tab for how you plan to use the samples on this page:
Console
When you use the Google Cloud console to access Google Cloud services and APIs, you don't need to set up authentication.
gcloud
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
- Set a default region and zone.
REST
To use the REST API samples on this page in a local development environment, you use the credentials you provide to the gcloud CLI.
Install the Google Cloud CLI. After installation, initialize the Google Cloud CLI by running the following command:
    gcloud init
If you're using an external identity provider (IdP), you must first sign in to the gcloud CLI with your federated identity.
Note: If you installed the gcloud CLI previously, make sure you have the latest version by running gcloud components update.
For more information, see Authenticate for using REST in the Google Cloud authentication documentation.
Required roles
To get the permissions that you need to create and manage tags for Compute Engine resources, ask your administrator to grant you the following IAM roles on your organization or project:
- Compute Instance Admin (v1) (roles/compute.instanceAdmin.v1)
- To create and manage tags: Tag Administrator role (roles/resourcemanager.tagAdmin)
- To manage existing tags: Tag User role (roles/resourcemanager.tagUser)
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to create and manage tags for Compute Engine resources. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to create and manage tags for Compute Engine resources:
- View tags:
  - resourcemanager.tagKeys.get
  - resourcemanager.tagKeys.list
  - resourcemanager.tagValues.list
  - resourcemanager.tagValues.get
  - compute.instances.listTagBindings
  - compute.instances.listEffectiveTags
  - resourcemanager.projects.get
- Create tags:
  - resourcemanager.tagKeys.create
  - resourcemanager.tagValues.create
  - resourcemanager.tagKeys.setIamPolicy
  - resourcemanager.tagValues.setIamPolicy
- Manage tags:
  - resourcemanager.tagKeys.update
  - resourcemanager.tagValues.update
  - resourcemanager.tagKeys.delete
  - resourcemanager.tagValues.delete
  - resourcemanager.tagKeys.getIamPolicy
  - resourcemanager.tagValues.getIamPolicy
  - resourcemanager.tagKeys.setIamPolicy
  - resourcemanager.tagValues.setIamPolicy
- Add or remove tags for a compute instance:
  - compute.instances.createTagBinding
  - compute.instances.deleteTagBinding
  - resourcemanager.tagValueBindings.create
  - resourcemanager.tagValueBindings.delete
You might also be able to get these permissions with custom roles or other predefined roles.
Supported resources
Compute Engine supports tagging for the following resources:
Only after resource creation:
- Managed instance groups (MIGs)
- Health checks
Both during and after resource creation:
- Virtual machine (VM) instances
- Disks
- Images
- Snapshots
- VPC networks
- VPC subnetworks
- VPC firewall rules
- VPC routes
- Cloud Routers
Adding tags to a resource
You can attach existing tags to certain resources. After the resource is created, attach tags to that resource by using the following instructions.
Console
Depending on the resource type, the exact steps might vary. For example, the following steps attach a tag to a VM:
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
In the Name column, click the name of the VM for which you want to add tags.
From the VM instance details page, complete the following steps:
- Click Edit.
- In the Basic information section, click Manage tags and add the tags that you want for the instance.
- Click Save.
gcloud
For information about how to use these flags, read Attaching tags to resources in the Resource Manager documentation.
For example, the following command attaches a tag to a VM:
    gcloud resource-manager tags bindings create \
        --location=LOCATION_NAME \
        --tag-value=tagValues/TAGVALUE_ID \
        --parent=FULL_RESOURCE_NAME
Replace the following:
- LOCATION_NAME: the zone where the instance is located. For a global resource, omit the --location flag.
- TAGVALUE_ID: the numeric ID of the tag value
- FULL_RESOURCE_NAME: the full resource name of the target resource; in this example, the full resource name of the VM instance: //compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/INSTANCE_ID
  Replace the following:
  - PROJECT_NUMBER: the numeric ID of your project that contains the target resource
  - ZONE: the zone that contains the instance
  - INSTANCE_ID: the VM instance ID
REST
To attach a tag to a resource, you must first create a JSON representation of a tag binding that includes the permanent ID or namespace name of the tag value and the permanent ID of the resource. For more information about the format of a tag binding, see the tagBindings reference.
To attach the tag to a zonal resource, such as a VM instance, use the tagBindings.create method with the regional endpoint where your resource is located. For example:
    POST https://LOCATION_NAME-cloudresourcemanager.googleapis.com/v3/tagBindings
The request body can be one of the following two options:
    {
      "parent": "FULL_RESOURCE_NAME",
      "tagValue": "tagValues/TAGVALUE_ID"
    }

    {
      "parent": "FULL_RESOURCE_NAME",
      "tagValueNamespacedName": "TAGVALUE_NAMESPACED_NAME"
    }
Replace the following:
- LOCATION_NAME: the zonal or regional location of the resource. For a VM instance, specify the zone. For a global resource, omit the LOCATION_NAME- parameter.
- FULL_RESOURCE_NAME: the full resource name of the target resource; in this example, the full resource name of the VM instance: //compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/INSTANCE_ID
  Replace the following:
  - PROJECT_NUMBER: the numeric ID of your project that contains the target resource
  - ZONE: the zone that contains the instance
  - INSTANCE_ID: the VM instance ID
- TAGVALUE_ID: the permanent ID of the tag value that is attached; for example: 4567890123
- TAGVALUE_NAMESPACED_NAME: the namespace name of the tag value that is attached, in the format parentNamespace/tagKeyShortName/tagValueShortName
Adding tags to a resource during resource creation
In certain scenarios, you might want to tag resources during resource creation, rather than after the resource is created.
Console
Depending on the resource type, the exact steps might vary. The following steps are for a VM:
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
Click Create instance. The Create an instance page appears and displays the Machine configuration pane.
In the navigation menu, click Advanced. In the Advanced pane that appears, do the following:
- Expand the Manage tags and labels section.
- Click Add tags.
- In the Tags pane that opens, follow the instructions to add a tag to the instance.
- Click Save.
Specify other configuration options for your instance. For more information, see Configuration options during instance creation.
To create and start the VM, click Create.
gcloud
To attach a tag to a resource during resource creation, add the --resource-manager-tags flag to the respective create command. For example, to attach a tag to a VM, use the following command:
    gcloud compute instances create INSTANCE_NAME \
        --zone=ZONE \
        --resource-manager-tags=tagKeys/TAGKEY_ID=tagValues/TAGVALUE_ID
Replace the following:
- INSTANCE_NAME: the name of your VM instance
- ZONE: the zone that contains the VM instance
- TAGKEY_ID: the numeric ID of the tag key
- TAGVALUE_ID: the permanent numeric ID of the tag value that is attached; for example: 4567890123
Specify multiple tags by separating the tags with a comma, for example, TAGKEY1=TAGVALUE1,TAGKEY2=TAGVALUE2.
REST
Make a POST request to the following URL:
    POST https://compute.googleapis.com/compute/v1/projects/PROJECT/zones/ZONE/instances
Include the following request JSON body:
    {
      "name": "INSTANCE_NAME",
      "params": {
        "resourceManagerTags": {
          "tagKeys/TAGKEY_ID": "tagValues/TAGVALUE_ID"
        }
      }
      // other fields omitted
    }
Replace the following:
- INSTANCE_NAME: the name of your VM instance
- TAGKEY_ID: the numeric ID of the tag key
- TAGVALUE_ID: the permanent numeric ID of the tag value that is attached; for example: 4567890123
Use tags with firewall rules
To securely enable network traffic to a specific Compute Engine instance, you can apply a network tag or a secure tag to the instance. Then, you can create a firewall rule that targets that tag. This is helpful for managing access to your instances at scale.
Note: Network tags are different from secure tags. For more information about the differences between secure tags and network tags, see Comparison of secure tags and network tags.
For example, assume you have a compute instance that runs a web server, and you created a new web application that needs to be accessible to the public on the standard HTTP port (80). You can use a network or secure tag to implement a firewall rule that grants HTTP access only to the compute instance that the web server runs on.
For instructions on how to create tags for use in firewall policies, see the following:
- To use network tags with VPC firewall rules, see Add network tags.
- To use secure tags with hierarchical firewall policies, global and regional network firewall policies, or for use with sources connected using VPC Network Peering, see Create and manage secure tags.
For information about whether to use service accounts or network tags to define targets and sources for network ingress rules, see Filter by service account versus network tag.
Detaching a tag from a resource
You can detach a tag from a resource by deleting the tag binding resource.
To review instructions on how to detach tags, see Detaching a tag from a resource in the Resource Manager documentation.
Console
Depending on the resource type, the exact steps might vary. For example, the following steps detach a tag from a VM instance:
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
In the Name column, click the name of the instance for which you want to remove tags.
From the VM instance details page, complete the following steps:
- Click Edit.
- For resource manager tags, in the Basic information section, click Manage Tags. Remove the tags that you want to detach from the instance. You can only remove tags that were directly added to the instance.
- For network tags, in the Networking section, remove the tag from the Network tags list.
- Click Save.
gcloud
To detach a tag from a compute instance, use the resource-manager tags bindings delete command:
    gcloud resource-manager tags bindings delete \
        --location=LOCATION_NAME \
        --tag-value=tagValues/TAGVALUE_ID \
        --parent=FULL_RESOURCE_NAME
Replace the following:
- LOCATION_NAME: the zone where the instance is located. For a global resource, omit the --location=LOCATION_NAME flag.
- TAGVALUE_ID: the numeric ID of the tag value
- FULL_RESOURCE_NAME: the full resource name of the target resource; in this example, the full resource name of the instance: //compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/INSTANCE_ID
  Replace the following:
  - PROJECT_NUMBER: the numeric ID of your project that contains the target resource
  - ZONE: the zone that contains the instance
  - INSTANCE_ID: the instance ID
To replace an existing tag binding with another one, detach the old tag binding and attach the new one.
REST
To delete a tag binding attached to a resource, such as a compute instance, use the tagBindings.delete method with the regional endpoint where your resource is located.
    DELETE https://LOCATION_NAME-cloudresourcemanager.googleapis.com/v3/{name=TAGBINDINGS_NAME}
Replace the following:
- LOCATION_NAME: the zonal or regional location of the resource. For an instance, specify the zone. For a global resource, omit the LOCATION_NAME- parameter.
- TAGBINDINGS_NAME: the permanent ID of the TagBinding; for example: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F1234567890/tagValues/567890123456
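The following Python sketch is an added example, not Google sample code. It assembles the tagBindings.create request and the tagBindings.delete URL described in the REST sections above, rejecting placeholders that are not in the expected shape before anything is sent. The helper names are hypothetical, and the binding name layout (URL-encoded parent followed by the tag value) is taken from the example name on this page.

```python
import re
from typing import Optional
from urllib.parse import quote

API_HOST = "cloudresourcemanager.googleapis.com"


def instance_resource_name(project_number: str, zone: str, instance_id: str) -> str:
    """Full resource name of a VM instance, in the form this page gives."""
    for label, value in (("PROJECT_NUMBER", project_number), ("INSTANCE_ID", instance_id)):
        if not re.fullmatch(r"\d+", value):
            raise ValueError(f"{label} must be numeric, got {value!r}")
    if not re.fullmatch(r"[a-z0-9-]+", zone):  # assumption: zone names use only these characters
        raise ValueError(f"unexpected characters in ZONE: {zone!r}")
    return (f"//compute.googleapis.com/projects/{project_number}"
            f"/zones/{zone}/instances/{instance_id}")


def endpoint(location: Optional[str]) -> str:
    """Regional endpoint for a zonal or regional resource; no prefix for a global one."""
    prefix = f"{location}-" if location else ""
    return f"https://{prefix}{API_HOST}/v3"


def create_request(location: Optional[str], parent: str, tag_value_id: str):
    """Return (url, json_body) for tagBindings.create."""
    if not re.fullmatch(r"\d+", tag_value_id):
        raise ValueError("TAGVALUE_ID must be the numeric permanent ID")
    body = {"parent": parent, "tagValue": f"tagValues/{tag_value_id}"}
    return f"{endpoint(location)}/tagBindings", body


def delete_url(location: Optional[str], parent: str, tag_value_id: str) -> str:
    """URL for tagBindings.delete; the binding name embeds the URL-encoded parent."""
    if not re.fullmatch(r"\d+", tag_value_id):
        raise ValueError("TAGVALUE_ID must be the numeric permanent ID")
    name = f"tagBindings/{quote(parent, safe='')}/tagValues/{tag_value_id}"
    return f"{endpoint(location)}/{name}"
```

Because tags can drive firewall policy targets and conditional policies, validating the parent and tag value before the call helps keep a mistyped placeholder from binding a tag to the wrong resource.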
Viewing tags attached to a resource
To review detailed instructions on how to list tags, see Listing all tags attached to a resource in the Resource Manager documentation.
Console
Depending on the resource type, the exact steps might vary. For example, the following steps show how to view tags for a VM instance:
In the Google Cloud console, go to the VM instances page.
Select your project and click Continue.
In the Name column, click the name of the instance for which you want to view tags.
From the VM instance details page, look for tags under the Tags section.
gcloud
To get a list of tag bindings directly attached to a resource, use the gcloud resource-manager tags bindings list command. If you add the --effective flag, the command also returns a list of tags inherited by this resource. For example:
    gcloud resource-manager tags bindings list \
        --location=LOCATION_NAME \
        --parent=FULL_RESOURCE_NAME
Replace the following:
- LOCATION_NAME: the zone where the instance is located. For a global resource, omit the --location=LOCATION_NAME flag.
- FULL_RESOURCE_NAME: the full resource name of the target resource; in this example, the full resource name of the instance: //compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/INSTANCE_ID
  Replace the following:
  - PROJECT_NUMBER: the numeric ID of your project that contains the target resource
  - ZONE: the zone that contains the instance
  - INSTANCE_ID: the instance ID
If you add the --effective flag to the tags bindings list command, the command also returns a list of all tags inherited by this resource.
The output is similar to the following:
    namespacedTagKey: 961309089256/environment
    namespacedTagValue: 961309089256/environment/production
    tagKey: tagKeys/417628178507
    tagValue: tagValues/247197504380
    inherited: true
If all tags evaluated on a resource are directly attached, the inherited field is false and is omitted.
REST
To list the tag bindings attached to a regional resource, such as Compute Engine instances, use the tagBindings.list method with the regional endpoint where your resource is located. For example:
    GET https://LOCATION_NAME-cloudresourcemanager.googleapis.com/v3/tagBindings
    {
      "parent": "FULL_RESOURCE_NAME"
    }
Replace the following:
- LOCATION_NAME: the zonal or regional location of the resource. For an instance, specify the zone. For a global resource, omit the LOCATION_NAME- parameter.
- FULL_RESOURCE_NAME: the full resource name of the target resource; in this example, the full resource name of the instance: //compute.googleapis.com/projects/PROJECT_NUMBER/zones/ZONE/instances/INSTANCE_ID
  Replace the following:
  - PROJECT_NUMBER: the numeric ID of your project that contains the target resource
  - ZONE: the zone that contains the instance
  - INSTANCE_ID: the instance ID
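The following Python sketch is an added example, not part of the original page. It parses a listing in the format shown for the gcloud --effective output above and reports required tag keys that are missing and values outside an allow-list, recording for each tag whether it is inherited. The function names, the second sample record, and the `---` record separator are assumptions.

```python
# Constructed sample in the output format shown above. The first record is the
# page's example; the second record and its IDs are made up. Separating records
# with `---` is an assumption about the CLI's default YAML output.
SAMPLE_OUTPUT = """\
---
namespacedTagKey: 961309089256/environment
namespacedTagValue: 961309089256/environment/production
tagKey: tagKeys/417628178507
tagValue: tagValues/247197504380
inherited: true
---
namespacedTagKey: 961309089256/role
namespacedTagValue: 961309089256/role/web
tagKey: tagKeys/111111111111
tagValue: tagValues/222222222222
"""


def parse_bindings(text):
    """Split the listing into one dict per binding."""
    records, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "---":
            if current:
                records.append(current)
            current = {}
        elif ": " in line:
            field, value = line.split(": ", 1)
            current[field] = value
    return records + ([current] if current else [])


def effective_tags(records):
    """Map short key name -> value and whether it is inherited (field omitted when false)."""
    tags = {}
    for rec in records:
        key = rec["namespacedTagKey"].split("/", 1)[1]
        value = rec["namespacedTagValue"].rsplit("/", 1)[1]
        tags[key] = {"value": value, "inherited": rec.get("inherited") == "true"}
    return tags


def audit(tags, required_keys, allowed_values):
    """Report required keys that are absent and values outside the allow-list."""
    findings = [f"missing required tag key: {k}" for k in sorted(set(required_keys) - set(tags))]
    for key, allowed in sorted(allowed_values.items()):
        if key in tags and tags[key]["value"] not in allowed:
            findings.append(f"tag {key} has unexpected value {tags[key]['value']!r}")
    return findings
```

A tag reported as inherited cannot be removed at the instance, since only directly attached tags can be removed there, so any change to it has to be made on the parent resource.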
Last updated 2026-02-19 UTC.