By Harshal Rane. Jun 25, 2022
There are two types of tags in GCP: network tags and resource tags. Network tags are used to enforce firewall rules for resources. In this blog we will concentrate on resource tags.
The Google Cloud resource hierarchy is a way to organize your resources in a tree-like structure so that they can be easily managed. The GCP resource hierarchy consists of the main components below. Let's understand these basics before we move on to tags.
1) Organization: The Organization resource is the root node in the Google Cloud resource hierarchy and is the hierarchical super node of projects.
2) Folder: Folder resources offer an extra grouping mechanism and isolation boundaries between projects. They can be seen as sub-organizations within the organization.
3) Project: The Project resource is the base-level organizing entity. Organizations and folders can contain multiple projects. A project is required to use Google Cloud and forms the basis for creating, enabling and using all Google Cloud services, managing APIs, enabling billing, adding and removing collaborators and managing permissions.
4) Resources: The resources are the actual GCP services such as Compute Engine, Storage Buckets, SQL databases, etc.
What are Resource tags in GCP?
Resource tags in GCP are tags consisting of a key and value pair, used to identify a resource among the organization's other resources. These tags are organization-level resources, so an organization is mandatory to use this feature. Tags can be added to GCP folders and projects directly from the console or with gcloud commands.
For example, if we create a tag, say "environment", and attach it to the folder named "DEV", the projects and resources under that folder will automatically inherit that tag. The architectural diagram below explains various scenarios for how we can use tags. We can add multiple tags to a folder, and each tag can have multiple values, such as [environment = dev and environment = prod]. We can decide which tag value to use per folder.

How to create and add tags
Create tags
- Navigate to console.cloud.google.com and select your organization

- Now go to the IAM & Admin section, go to the Tags section and click Create Tag

- Give a good tag name and tag description according to the environment/project name, so it will be easier for other users to understand the purpose of the tag.
- Finally, we can add multiple values to a single tag, so that we can use a single tag with multiple values according to the requirements.
Assign permission to users to add tags
- Once tags are created, click on the tag name to see more details and to manage access to the tag.

- Resource tags have a number of roles and permissions; we can assign a role according to the requirements. Best practice is to grant Tag Administrator only to the admins who will create the tags, and to grant the Tag User role to the users who will attach the tags to resources.
NOTE: Users will not be able to use tags without the IAM permissions, so make sure the correct permissions are provided.
- Resource Manager
-> Tag Administrator
-> Tag User
-> Tag Viewer
Link tags to projects and folders
- To add tags to resources, navigate to the IAM & Admin → Resource Manager section.
- Here you can select the resource, such as a folder or project, and add a tag. The option to add a tag is hidden: click "Show info panel" on the right side and, from the tabs given, go to the Tags field.
- Select the correct tag value, since a tag can have multiple values. Below is the structure of a tag:
org-id/environment/staging → This is for Environment as staging
org-id/environment/prod → This is for Environment as production
- Again, all resources in these tagged projects and folders will inherit the tag.
How to use tags to better manage the organization and resources
Tag-based IAM conditional access
Grant IAM access per tag and value. Using condition-based IAM access, we can give users access based on a tag. Below is an example:
resource.matchTag("org-id/environment", "staging") &&
resource.type == "compute.googleapis.com/Instance"
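The console steps above (create the key and values, attach a value to a folder) and this condition can also be carried out with gcloud. The script below is an added example, not code from the original article; the organization, folder and project IDs, the member and the role are constructed placeholders, and it only prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: IDs, member and role below are constructed placeholders.
ORG_ID="${ORG_ID:-123456789012}"
FOLDER_ID="${FOLDER_ID:-111111111111}"
PROJECT_ID="${PROJECT_ID:-example-staging-project}"
MEMBER="${MEMBER:-group:staging-ops@example.com}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the gcloud commands

# Print the command; execute it only when DRY_RUN=0.
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "1" ] || "$@"; }

# The expression contains a comma, which the inline --condition flag treats
# as a field separator, so it is written to a file for --condition-from-file.
write_condition() {
  cat > "$1" <<EOF
title: staging-instances-only
description: Role applies only to Compute instances tagged environment=staging
expression: >-
  resource.matchTag("${ORG_ID}/environment", "staging") &&
  resource.type == "compute.googleapis.com/Instance"
EOF
}

tag_and_grant() {
  # Tag key and its two values, created at organization level.
  run gcloud resource-manager tags keys create environment \
    --parent="organizations/${ORG_ID}" --description="Deployment environment"
  for v in staging prod; do
    run gcloud resource-manager tags values create "$v" \
      --parent="${ORG_ID}/environment"
  done
  # Attach environment=staging to the folder; projects below inherit it.
  run gcloud resource-manager tags bindings create \
    --tag-value="${ORG_ID}/environment/staging" \
    --parent="//cloudresourcemanager.googleapis.com/folders/${FOLDER_ID}"
  # Grant the role only where the tag condition holds.
  write_condition "$1"
  run gcloud projects add-iam-policy-binding "$PROJECT_ID" \
    --member="$MEMBER" --role="roles/compute.instanceAdmin.v1" \
    --condition-from-file="$1"
}

tag_and_grant "${TMPDIR:-/tmp}/staging-condition.yaml"
```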
Tags to enforce organization policy
- Tags can also be used to control organization policy enforcement for projects, folders and inherited resources.
- We can use resource tags in policy conditions, for example:
We have a folder named "QA" where we have an org policy to block service account key creation. But we have a requirement to create a service account key for one of the projects, and the org policy inherited from the "QA" folder will block this operation. Here we can use a resource tag on the project where we need the service account key and exclude that project from the org policy using enforcement conditions in the org policy. The only catch here is that we first have to add the resource tag to the project before this condition is added.
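The "QA" folder scenario above as a conditional org policy, in the order the text requires (tag binding first, condition second). This is an added example, not code from the original article; the IDs and the tag key and value `sa-key-creation` / `allowed` are hypothetical placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
#!/usr/bin/env bash
# Added example: IDs and the tag key/value are hypothetical placeholders.
ORG_ID="${ORG_ID:-123456789012}"
QA_FOLDER_ID="${QA_FOLDER_ID:-222222222222}"
EXEMPT_PROJECT_NUMBER="${EXEMPT_PROJECT_NUMBER:-333333333333}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the gcloud commands

# Print the command; execute it only when DRY_RUN=0.
run() { printf '%s\n' "$*"; [ "$DRY_RUN" = "1" ] || "$@"; }

# Rules: a project carrying the exception tag is not enforced; everything
# else under the QA folder still has service account key creation blocked.
write_policy() {
  cat > "$1" <<EOF
name: folders/${QA_FOLDER_ID}/policies/iam.disableServiceAccountKeyCreation
spec:
  rules:
  - condition:
      expression: "resource.matchTag('${ORG_ID}/sa-key-creation', 'allowed')"
    enforce: false
  - enforce: true
EOF
}

exempt_project() {
  proj="//cloudresourcemanager.googleapis.com/projects/${EXEMPT_PROJECT_NUMBER}"
  # Step 1: attach the tag to the one project that needs a key.
  run gcloud resource-manager tags bindings create \
    --tag-value="${ORG_ID}/sa-key-creation/allowed" --parent="$proj"
  # Step 2: only then set the conditional policy on the QA folder.
  write_policy "$1"
  run gcloud org-policies set-policy "$1"
  # Step 3: list the project's tag bindings to review the exception's scope.
  run gcloud resource-manager tags bindings list --parent="$proj"
}

exempt_project "${TMPDIR:-/tmp}/qa-sa-key-policy.yaml"
```

Because the exception follows the tag, restrict the Tag User role on this tag value to the admins who are allowed to grant the exemption.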
Summary
GCP recently launched this feature. Although resource tags can be used on a very limited set of resources in the GCP hierarchy, they are a great addition to resource management, because we can control access and security with tags and they are easy to manage when we are dealing with large enterprise accounts.
References Link
GitHub
https://github.com/Harshalrane23
Questions?
If you have any questions, I would like to read them in the comments. Follow me on Medium or LinkedIn.
The original article was published on Medium.