How to Enforce Labels and Tags Across Your GCP Resources
Learn how to enforce labels and tags across your GCP resources for better organization and cost tracking. Optimize cloud management with our guide.
More and more companies are turning to cloud computing environments like Google Cloud Platform (GCP), AWS, and Azure. While having distributed cloud resources comes with many advantages, it also comes with a challenge of organization. How do you categorize and gain visibility across all of your resources?
For GCP, labels and tags are the two main ways to bring some organization and clarity to cloud infrastructure. And if you want to have a standard practice across your organization, it’s worth enforcing certain mandatory tags.
When you implement effective GCP tagging and labeling policies, it makes tracking resources significantly easier and facilitates reporting on cloud expenses.
Like tags, labels are key-value pairs used to categorize related GCP resources. You can use them on items like virtual machines (VMs) and project folders. In addition, developers can create specific label categories to identify resources dedicated to development, staging, and production environments. That makes it easier for other users to locate resources when working in a specific development stage.
Many organizations use labels to track and report on how much they’re spending on individual components. If you export billing data to BigQuery for example, the labels you’ve added to your resources make reporting much more valuable.
The main difference between tags and labels is that you can use tags to set conditions on policies and to control traffic between different networks. Labels are just annotations on resources.
If your organization wants to standardize your tagging and labeling practice, you can essentially set up mandatory tags using a combination of tags and policies. For example, you could make the presence or absence of a tag value the key condition for assigning user permissions to a resource.
If your organization wanted to ensure that every resource had a tag for costCenter, then setting this up as a mandatory tag would ensure that the resource cannot be accessed by developers before this tag is applied.
Admins can enforce the use of mandatory tags through GCP policies by adding a condition that requires tags when a new resource is created. Anyone wishing to administer tags in GCP, including creating and deleting them, must be granted the Tag Administrator role or another role with the appropriate permissions.
Here are the different methods for creating a tag:
Set up a JSON object representing your key:
Use the tagKeys.create method:
First, if you haven't already, install the GCloud CLI tool. You can then issue the following command to create a tag key:
Now that we know the various ways to create a tag, we need to make it mandatory. We can do this by only granting roles to users on a project if the tag we want to be mandatory is present and attached to the project’s resources.
The condition would look something like this:
resource.hasTagKey('123456789012/SHORT_NAME')
Once this condition is set up, tags will be mandatory for creating resources in that project.
Even with this condition set up, it is helpful to run checks to ensure that no resources exist without the needed tags. To locate any untagged resources, you can issue the following command in the GCloud CLI:
To locate any unlabelled resources, you can issue the following command in the GCloud CLI console:
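The manual checks above depend on a live project, so here is an offline version of the same audit as an added example (it is not code from the original post or from Blink). It takes an asset export shaped like the JSON output of `gcloud asset search-all-resources` and reports every resource that lacks the tag key used in the IAM condition (`123456789012/SHORT_NAME`) or any of a set of required labels. The field names `name`, `assetType`, `labels` and `tagKeys`, the required-label policy, and the sample resources are all assumptions constructed for this example; adjust them to match what your export actually contains.

```python
"""Offline audit of an asset export for mandatory tags and labels.

Added example, not part of the original post. Assumes the input is a JSON list
shaped like `gcloud asset search-all-resources --format=json` output, with the
fields `name`, `assetType`, `labels` (a dict) and `tagKeys` (a list of
namespaced keys such as "123456789012/SHORT_NAME"). Those field names are
assumptions about the export format, not taken from the page.
"""
import json

# The tag key from the page's IAM condition resource.hasTagKey('123456789012/SHORT_NAME').
REQUIRED_TAG_KEY = "123456789012/SHORT_NAME"
# Constructed label policy for this example; not from the page.
REQUIRED_LABELS = ("env", "cost-center")

# Constructed sample export: one compliant resource, one untagged bucket that is
# also missing a label, and one tagged dataset with no labels at all.
SAMPLE_EXPORT = json.dumps([
    {
        "name": "//compute.googleapis.com/projects/example-project/zones/us-central1-a/instances/web-1",
        "assetType": "compute.googleapis.com/Instance",
        "labels": {"env": "prod", "cost-center": "1234"},
        "tagKeys": [REQUIRED_TAG_KEY],
    },
    {
        "name": "//storage.googleapis.com/example-bucket",
        "assetType": "storage.googleapis.com/Bucket",
        "labels": {"env": "dev"},
        "tagKeys": [],
    },
    {
        "name": "//bigquery.googleapis.com/projects/example-project/datasets/analytics",
        "assetType": "bigquery.googleapis.com/Dataset",
        "tagKeys": [REQUIRED_TAG_KEY],
    },
])


def has_tag_key(resource, namespaced_key):
    """Local equivalent of the page's resource.hasTagKey('ORG_ID/SHORT_NAME') check."""
    return namespaced_key in (resource.get("tagKeys") or [])


def missing_labels(resource, required):
    """Return the required label keys that are absent from the resource."""
    labels = resource.get("labels") or {}
    return [key for key in required if key not in labels]


def audit(export_json, required_tag_key=REQUIRED_TAG_KEY, required_labels=REQUIRED_LABELS):
    """Return one finding per non-compliant resource, in export order."""
    findings = []
    for resource in json.loads(export_json):
        problems = []
        if not has_tag_key(resource, required_tag_key):
            problems.append(f"missing tag key {required_tag_key}")
        absent = missing_labels(resource, required_labels)
        if absent:
            problems.append("missing labels: " + ", ".join(absent))
        if problems:
            findings.append({
                "name": resource["name"],
                "assetType": resource.get("assetType"),
                "problems": problems,
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding["name"], "->", "; ".join(finding["problems"]))
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents, and schedule it alongside the IAM condition: the condition only gates access to resources that are already missing the key, whereas this audit surfaces them so they can be fixed. It deliberately checks the tag key only, matching `hasTagKey`; if a particular tag value matters, that is a separate check.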
Make sure you have clear guidelines that outline the naming and enforcement of GCP tags. In addition, using scripting tools and automation can aid your team in setting up templates to attach the appropriate GCP tags to any resources within your environments.
So now you know how to mandate tags for your GCP resources. If you want to do the same for labels, there’s an easier way than learning each step. Blink is a low-code platform that comes with pre-built automations so you can run manual checks like this in a few clicks.
Blink is secure, decentralized, and cloud-native. Get modern cloud and security operations today.