Tag Cloud Workstations resources
This document describes how to use tags to conditionally apply Identity and Access Management (IAM) policies to Cloud Workstations clusters.
A tag is a key-value pair that you can attach directly to a Cloud Workstations cluster. A Cloud Workstations cluster can also inherit a tag from other Google Cloud resources. You can conditionally apply policies based on whether a resource has a specific tag. For example, you might conditionally grant the Cloud Workstations Creator role to a principal on any Cloud Workstations cluster with the environment:dev tag.
For more information about using tags across the Google Cloud resource hierarchy, see Tags overview.
Before you begin
You need to grant IAM roles that give users the necessary permissions to perform each task in this document. You also need to create tag keys and values to attach to resources.
Required roles
The following roles provide the necessary permissions to tag Cloud Workstations resources:
Attach a tag to a Cloud Workstations cluster
To get the permissions that you need to attach a tag to a Cloud Workstations cluster, ask your administrator to grant you the following IAM roles:
- To create a Cloud Workstations cluster: Cloud Workstations Admin (roles/workstations.admin) on your project
- To create tags: Tag Administrator (roles/resourcemanager.tagAdmin) on your project
- To manage tags: Tag User (roles/resourcemanager.tagUser) on the tag value and Cloud Workstations cluster
For more information about granting roles, see Manage access to projects, folders, and organizations.
These predefined roles contain the permissions required to attach a tag to a Cloud Workstations cluster. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to attach a tag to a Cloud Workstations cluster:
- workstations.workstationClusters.createTagBinding on the cluster
- resourcemanager.tagValueBindings.create on the tag value
- workstations.workstationClusters.create on the cluster to attach a tag when creating a cluster
- workstations.workstationClusters.update on the cluster to attach a tag when updating a cluster
You might also be able to get these permissions with custom roles or other predefined roles.
Remove a tag from a Cloud Workstations cluster
To get the permissions that you need to remove a tag from a Cloud Workstations cluster, ask your administrator to grant you the following IAM roles:
- To remove a tag from a Cloud Workstations cluster: Cloud Workstations Admin (roles/workstations.admin) on your project
- To manage tags: Tag User (roles/resourcemanager.tagUser) on the tag value and Cloud Workstations cluster
- To delete tags: Tag Administrator (roles/resourcemanager.tagAdmin) on your project
These predefined roles contain the permissions required to remove a tag from a Cloud Workstations cluster. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to remove a tag from a Cloud Workstations cluster:
- workstations.workstationClusters.deleteTagBinding on the cluster
- resourcemanager.tagValueBindings.delete on the tag value
- workstations.workstationClusters.update on the cluster to remove a tag when updating a cluster
List tags attached to a Cloud Workstations cluster
To get the permissions that you need to list tags attached to a Cloud Workstations cluster, ask your administrator to grant you the following IAM roles:
- To list tags attached to a Cloud Workstations cluster: Cloud Workstations Admin (roles/workstations.admin) on your project
- To list tags: Tag Viewer (roles/resourcemanager.tagViewer) on the tag value and Cloud Workstations cluster
These predefined roles contain the permissions required to list tags attached to a Cloud Workstations cluster. To see the exact permissions that are required, expand the Required permissions section:
Required permissions
The following permissions are required to list tags attached to a Cloud Workstations cluster:
- resourcemanager.tagKeys.list on the tag key's parent
- resourcemanager.tagKeys.get on the tag key
- resourcemanager.tagValues.list on the tag value parent
- resourcemanager.tagValues.get on the tag value
- workstations.workstationClusters.listTagBindings on the cluster
- workstations.workstationClusters.listEffectiveTags on the cluster
Create tag keys and values
Before you can attach a tag, you need to create a tag and configure its value. To create tag keys and tag values, see Creating a tag and Adding tag values.
Tag Cloud Workstations clusters
The following sections describe how to attach tags to new and existing Cloud Workstations clusters, list tags attached to a Cloud Workstations cluster, and detach tags from a Cloud Workstations cluster.
Attach tags when you create a new Cloud Workstations cluster
After you create a tag, you can attach it to a new Cloud Workstations cluster. For each tag key, you can attach one tag value to a Cloud Workstations cluster. For each Cloud Workstations cluster, you can attach at most 50 tags.
Console
In the Google Cloud console, go to the Cloud Workstations page.
Click on the Cluster management section.
Click on Create.
Enter the information for your new Cloud Workstations cluster. For more details, see Create a workstation cluster.
In the Tags section, select the tags that you want to add to the new Cloud Workstations cluster.
Click Create.
gcloud
Use the gcloud workstations clusters create command with the --tags flag:
    gcloud workstations clusters create WORKSTATIONS_CLUSTER_NAME \
        --region=LOCATION \
        --tags=TAG \
        --project=WORKSTATIONS_PROJECT_ID
Replace the following:
- WORKSTATIONS_CLUSTER_NAME: the name of your Cloud Workstations cluster.
- LOCATION: the region for your cluster.
- TAG: the tag that you are attaching to the new Cloud Workstations cluster. Multiple tags are separated by commas. For example, 556741164180/env:prod,myProject/department:sales. Each tag must have the namespaced key name and value short name.
- WORKSTATIONS_PROJECT_ID: the ID of your workstation project.
API
Call the workstationClusters.create method. Include the tags in the tags field of WorkstationCluster.
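A pre-flight check for a --tags value before it is passed to gcloud workstations clusters create, given here as an added example that is not part of the original page or of gcloud. It enforces the rules stated above (comma-separated NAMESPACED_KEY:VALUE tags, one value per key, at most 50 tags); the function name check_tags is hypothetical, and splitting at the last colon assumes value short names contain no colon.

```shell
#!/bin/sh
# Added example: validate a --tags value against the rules on this page.
# check_tags is a hypothetical helper, not part of gcloud.
MAX_TAGS=50   # per-cluster limit stated on this page

# Prints "ok" (status 0) or the first problem found (status 1).
# The body runs in a subshell so the IFS and "set -f" changes stay local.
check_tags() (
    count=0
    seen=","
    IFS=,
    set -f    # no glob expansion while splitting on commas
    for tag in $1; do
        count=$((count + 1))
        case $tag in
            ?*:?*) ;;
            *) echo "bad format (need KEY:VALUE): $tag"; exit 1 ;;
        esac
        # Assumption: value short names contain no colon, so split at the last one.
        key=${tag%:*}
        case $key in
            ?*/?*) ;;
            *) echo "key is not namespaced (need PARENT/KEY): $tag"; exit 1 ;;
        esac
        # The page allows one tag value per tag key on a cluster.
        case $seen in
            *",$key,"*) echo "more than one value for key: $key"; exit 1 ;;
        esac
        seen="$seen$key,"
    done
    [ "$count" -gt 0 ] || { echo "no tags given"; exit 1; }
    [ "$count" -le "$MAX_TAGS" ] || { echo "too many tags: $count > $MAX_TAGS"; exit 1; }
    echo ok
)

# First list is the page's own example; the second is constructed to fail.
check_tags "556741164180/env:prod,myProject/department:sales"
check_tags "556741164180/env:prod,556741164180/env:dev" || true
```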
Attach tags to an existing Cloud Workstations cluster
After you create a tag, you can attach it to an existing Cloud Workstations cluster. For each tag key, you can attach one tag value to a Cloud Workstations cluster. For each Cloud Workstations cluster, you can attach at most 50 tags.
Console
In the Google Cloud console, go to the Cloud Workstations page.
Click on the Cluster management section.
Click on the Cloud Workstations cluster that you want to attach the tag to.
Click Edit.
In the Tags section, select the tags that you want to add to the Cloud Workstations cluster.
Click Save.
gcloud
To attach a tag to a Cloud Workstations cluster using the command line, create a tag binding resource by using the gcloud resource-manager tags bindings create command:
    gcloud resource-manager tags bindings create \
        --tag-value=TAGVALUE_NAME \
        --parent=RESOURCE_ID \
        --location=LOCATION
Replace the following:
- TAGVALUE_NAME: the permanent ID or namespaced name of the tag value to be attached, such as tagValues/4567890123 or 1234567/my_tag_key/my_tag_value.
- RESOURCE_ID: the full ID of the Cloud Workstations cluster, including the API domain name (//workstations.googleapis.com/) to identify the type of resource. For example, //workstations.googleapis.com/projects/my_project/locations/us-central1/workstationClusters/my_cluster
- LOCATION: the region of the Cloud Workstations cluster.
API
Call the workstationClusters.patch method. Include the tags in the tags field of WorkstationCluster.
List tags attached to a Cloud Workstations cluster
You can list tags that are attached directly to a Cloud Workstations cluster. This process doesn't list tags that are inherited from parent resources.
Console
In the Google Cloud console, go to the Cloud Workstations page.
Click on the Cluster management section.
Click on the Cloud Workstations cluster that you want to list the tags for.
The tags are visible in the Tags section.
gcloud
To get a list of tag bindings attached to a resource, use the gcloud resource-manager tags bindings list command:
    gcloud resource-manager tags bindings list \
        --parent=RESOURCE_ID \
        --location=LOCATION
Replace the following:
- RESOURCE_ID: the full ID of the Cloud Workstations cluster, including the API domain name (//workstations.googleapis.com/) to identify the type of resource. For example, //workstations.googleapis.com/projects/my_project/locations/us-central1/workstationClusters/my_cluster.
- LOCATION: the region of the Cloud Workstations cluster.
API
Call the v3.tagBindings.list method. Include the Cloud Workstations cluster in the parent field. For example, //cloudresourcemanager.googleapis.com/projects/my-project/regions/us-central1/workstationClusters/my-cluster.
Detach tags from a Cloud Workstations cluster
You can remove a tag association from a Cloud Workstations cluster by deleting the tag binding. If you need to delete a tag, you should take the following steps to detach the tag from your Cloud Workstations cluster first.
Console
In the Google Cloud console, go to the Cloud Workstations page.
Click on the Cluster management section.
Click on the Cloud Workstations cluster that you want to detach the tag from.
Click Edit.
In the Tags section, remove the tags that you want to detach from the Cloud Workstations cluster.
Click Save.
gcloud
To remove a tag association from a Cloud Workstations cluster using the command line, delete the tag binding by using the gcloud resource-manager tags bindings delete command:
    gcloud resource-manager tags bindings delete \
        --tag-value=TAGVALUE_NAME \
        --parent=RESOURCE_ID \
        --location=LOCATION
Replace the following:
- TAGVALUE_NAME: the permanent ID or namespaced name of the tag value to be attached, such as tagValues/4567890123 or 1234567/my_tag_key/my_tag_value.
- RESOURCE_ID: the full ID of the Cloud Workstations cluster, including the API domain name (//workstations.googleapis.com/) to identify the type of resource. For example, //workstations.googleapis.com/projects/my_project/locations/us-central1/workstationClusters/my_cluster
- LOCATION: the region of the Cloud Workstations cluster.
API
Call the workstationClusters.patch method. Remove the tags in the tags field of WorkstationCluster.
What's next
- For an overview of tags in Google Cloud, see Tags overview.
- For more information about how to use tags, see Creating and managing tags.
- For information about how to control access to Cloud Workstations resources with IAM Conditions, see Access control with IAM Conditions.
Last updated 2026-02-19 UTC.