By Harshal Rane. Jun 25, 2022
There are two types of tags in GCP: network tags and resource tags. Network tags are used to apply firewall rules to a resource. This blog focuses on resource tags.
The Google Cloud resource hierarchy is a way to organise your resources into a tree-like structure so they can be managed easily. The GCP resource hierarchy consists of the following main components. Let's understand these basics before moving on to tags.
1) Organization: The Organization resource is the root node in the Google Cloud resource hierarchy and is the hierarchical super node of projects.
2) Folder: Folder resources provide an additional grouping mechanism and isolation boundaries between projects. They can be seen as sub-organizations within the Organization.
3) Project: The project resource is the base-level organising entity. Organisations and folders may contain multiple projects. A project is required to use Google Cloud, and forms the basis for creating, enabling, and using all Google Cloud services, managing APIs, enabling billing, adding and removing collaborators, and managing permissions.
4) Resources: Resources are the actual GCP services, such as Compute Engine instances, Storage buckets, SQL databases, etc.
What are Resource tags in GCP?
Resource tags in GCP are key/value pairs used to identify a resource amongst the organisation's other resources. These tags are organisation-level resources, so an Organization must exist before this feature can be used. Tags can be attached to GCP folders and projects directly from the console or with gcloud commands.
For example, if we create a tag key "environment" and attach it to the folder named "dev", the projects and resources under that folder automatically inherit that tag. The architecture diagram below illustrates several scenarios for using tags. We can attach multiple tags to a folder, and each tag key can have multiple values, e.g. [environment = dev and environment = prod]. We decide which tag value to use on each folder.
How to create and attach tags
Create tags
- Navigate to Organisation from console.cloud.google.com and select your organization.
- Go to the IAM & Admin section, open the Tags section and click Create tag.
- Provide a meaningful tag name and description, e.g. based on the environment or project name, so that other users can easily understand why the tag was created.
- Lastly, we can add multiple values to a single tag key, so that one tag can be used with several values as required.
Assign Permission to Users for attaching Tags
- Once a tag is created, you can click on its name to see more details and manage access to the tag.
- Resource tags have their own set of roles and permissions, which we grant as required. The best practice is to grant Tag Administrator only to the admins who create tags, and Tag User to the users who will attach a tag to resources.
Note: Users cannot use these tags without the corresponding IAM permissions, so make sure the proper roles are granted.
- Resource Manager
-> Tag Administrator
-> Tag User
-> Tag Viewer
Attaching tags to Projects and Folders
- To attach tags to resources, navigate to IAM & Admin → Resource Manager.
- Here you can select a resource such as a folder or project and attach a tag to it. The tag option is hidden behind "Show info panel" at the top right; in the panel, open the Tags tab.
- Select the right tag value, since one tag key can have multiple values. The structure of a tag is:
org-id/environment/staging → environment is staging
org-id/environment/prod → environment is production
- Again, all resources inside the tagged projects and folders inherit the tag.
How to use tags to better manage the Organisation and Resources
IAM tag based conditional Access
IAM access can be granted based on a tag key and value. Using IAM Conditions, we can grant users access only to resources carrying a given tag. A sample condition expression:
resource.matchTag("org-id/environment", "staging") &&
resource.type == "compute.googleapis.com/Instance"
Tags to enforce Organisation policies
- Tags can also be used to apply Organisation policies to projects, folders and the resources that inherit from them.
- We can use resource tags in Org Policy conditions. For example:
We have a folder named "QA" with an Org Policy set to block service account key creation. If one project under it needs to create a service account key, the org policy inherited from the "QA" folder will block the operation. Here we can attach a resource tag to the project that needs the key and exclude that project from the policy using a tag condition on the enforcement rule. The only catch is that the resource tag must be attached to the project before the condition is added. See the second reference link below for more details.
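To make the inheritance rule and both conditions concrete (the IAM condition in the previous section and the QA folder org-policy exception just described), here is an added Python model; it is not code from the post or from Google Cloud, and the folder, project and tag names (org-id, dev, QA, sa-key-exception) are assumptions. Real evaluation happens in Google's CEL engine; this only reproduces the decision logic for inherited tag bindings.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Node:
    """One node of the resource hierarchy (organization, folder, project, resource)."""
    name: str
    rtype: str                      # resource type as spelled in IAM conditions
    parent: Optional["Node"] = None
    tags: Dict[str, str] = field(default_factory=dict)  # direct bindings key -> value

    def effective_tags(self) -> Dict[str, str]:
        # bindings on ancestors are inherited; a binding closer to the node wins
        inherited = self.parent.effective_tags() if self.parent else {}
        return {**inherited, **self.tags}

    def match_tag(self, key: str, value: str) -> bool:
        # same meaning as resource.matchTag(key, value) in a CEL condition
        return self.effective_tags().get(key) == value


Condition = Callable[[Node], bool]


def staging_instances_only(res: Node) -> bool:
    """The IAM condition from the post, expressed as a Python predicate."""
    return (res.match_tag("org-id/environment", "staging")
            and res.rtype == "compute.googleapis.com/Instance")


def policy_enforced(res: Node, rules: List[Tuple[Optional[Condition], bool]]) -> bool:
    """Org-policy rules that the resource inherits, evaluated in order: the first
    rule whose condition holds (None = unconditional default) decides enforcement."""
    for cond, enforce in rules:
        if cond is None or cond(res):
            return enforce
    return False


def build_hierarchy() -> Dict[str, Node]:
    """Constructed sample: org -> folders dev and QA -> projects -> resources."""
    org = Node("organizations/org-id", "cloudresourcemanager.googleapis.com/Organization")
    dev = Node("folders/dev", "cloudresourcemanager.googleapis.com/Folder", org,
               {"org-id/environment": "staging"})          # tag bound at folder level
    qa = Node("folders/QA", "cloudresourcemanager.googleapis.com/Folder", org)
    dev_proj = Node("projects/dev-app", "cloudresourcemanager.googleapis.com/Project", dev)
    qa_keys = Node("projects/qa-keys", "cloudresourcemanager.googleapis.com/Project", qa,
                   {"org-id/sa-key-exception": "allowed"})  # tag attached before the condition
    qa_web = Node("projects/qa-web", "cloudresourcemanager.googleapis.com/Project", qa)
    vm = Node("projects/dev-app/instances/vm-1", "compute.googleapis.com/Instance", dev_proj)
    bucket = Node("projects/dev-app/buckets/logs", "storage.googleapis.com/Bucket", dev_proj)
    return {n.name: n for n in (org, dev, qa, dev_proj, qa_keys, qa_web, vm, bucket)}


# Org policy on the QA folder: block SA key creation except for tagged projects
QA_SA_KEY_RULES = [(lambda r: r.match_tag("org-id/sa-key-exception", "allowed"), False),
                   (None, True)]
```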
Summary
GCP has only recently launched this feature, and resource tags can currently be attached to a limited set of resources in the GCP hierarchy. Still, it is a great addition to resource management: we can control access and security through tags, and it is easy to handle when dealing with large enterprise accounts.
Reference links
- https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing
- https://cloud.google.com/resource-manager/docs/organization-policy/tags-organization-policy#setting_an_organization_policy_with_tags
GitHub
https://github.com/HarshalRane23
Questions?
If you have any questions, I'll be happy to read them in the comments. Follow me on Medium or LinkedIn.
This article was originally published on Medium.