Enforcing Labels and Tags Across Your GCP Resources

Labels and tags are the best way to organize and track your GCP resources. In this post, we'll outline the common ways to create tags and ensure tagging compliance.

Patrick Londa
Jan 27, 2022

More and more companies are turning to cloud computing environments like Google Cloud Platform (GCP), AWS, and Azure. While having distributed cloud resources comes with many advantages, it also comes with a challenge of organization. How do you categorize and gain visibility across all of your resources?

For GCP, labels and tags are the two main ways to bring some organization and clarity to cloud infrastructure. And if you want to have a standard practice across your organization, it’s worth enforcing certain mandatory tags.

When you implement effective GCP tagging and labeling policies, it makes tracking resources significantly easier and facilitates reporting on cloud expenses.

How Do GCP Tags Differ From GCP Labels?

Like tags, labels are key-value pairs used to categorize related GCP resources. You can use them on items like virtual machines (VMs) and project folders. In addition, developers can create specific label categories to identify resources dedicated to development, staging, and production environments. That makes it easier for other users to locate resources when working in a specific development stage.

Many organizations use labels to track and report on how much they’re spending on individual components. If you export billing data to BigQuery for example, the labels you’ve added to your resources make reporting much more valuable.

The main difference between tags and labels is that you can use tags to set conditions on policies and dictate communication between different networks. Labels are just annotations on resources.

What Are Mandatory Tags in GCP?

If your organization wants to standardize your tagging and labeling practice, you can essentially set up mandatory tags using a combination of tags and policies. For example, you could make the presence or absence of a tag value the key condition for assigning user permissions to a resource.

If your organization wanted to ensure that every resource had a tag for costCenter, then setting this up as a mandatory tag would ensure that the resource cannot be accessed by developers before this tag is applied.

Methods for Creating Tags in GCP

Admins can enforce the use of mandatory tags through GCP policies by adding a condition that adds tags upon the creation of a new resource. Anyone wishing to administer tags in GCP, including creation and deletion, must have the proper access: the Tag Administrator role or another role with the appropriate permissions.

Here are the different methods for creating a tag:

Creating a GCP Tag Using the API

Set up a JSON object representing your key:

{
  "parent": "organizations/ORGANIZATION_ID",
  "shortName": SHORT_NAME,
  "description": DESCRIPTION
}

Use the tagKeys.create method, sending that object as the request body:

POST https://cloudresourcemanager.googleapis.com/v3/tagKeys

Creating a GCP Tag Using the Console

  • Open Cloud Console, then open the Tags page.
  • Navigate to the Project picker at the top of the page.
  • Choose your specific organization from within the Organization picker, then click + Create tag.
  • Enter a display name for your tag key in the Tag name box.
  • Enter a description of your key within the Tag description box.
  • Enter a display name for your tag value in the Tag value box.
  • Click Create tag.

Creating a GCP Tag Using the GCloud CLI

First, if you haven't already, install the GCloud CLI tool. You can then issue the following command to create a tag key:

gcloud alpha resource-manager tags keys create SHORT_NAME \
    --parent=organizations/ORGANIZATION_ID

Making Tags Mandatory with Roles

Now that we know the various ways to create a tag, we need to make it mandatory. We can do this by only granting roles to users on a project if the tag we want to be mandatory is present and attached to the project’s resources.

The condition would look something like this:


Once this condition is set up, tags will be mandatory for creating resources in that project.
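
As an added example (not code from the original post), the sketch below builds a tag-based IAM condition and attaches it to a role binding in a policy document of the kind you would pass to gcloud projects set-iam-policy. The organization ID, role, member and sample policy are constructed placeholders; resource.hasTagKey and resource.matchTag are the IAM Conditions functions for Resource Manager tags.

```python
import copy
import json

def tag_condition(org_id, key, value=None):
    """CEL expression for an IAM condition on a Resource Manager tag."""
    for part in (org_id, key, value or ""):
        # Reject characters that would break out of the CEL string literal.
        if any(ch in part for ch in "'\"\\"):
            raise ValueError(f"unsafe character in {part!r}")
    namespaced_key = f"{org_id}/{key}"
    if value is None:
        # True when any value of this tag key is attached or inherited.
        return f"resource.hasTagKey('{namespaced_key}')"
    return f"resource.matchTag('{namespaced_key}', '{value}')"

def add_conditional_binding(policy, role, member, expression, title):
    """Return a copy of an IAM policy with a tag-conditioned binding added."""
    updated = copy.deepcopy(policy)
    # Conditional role bindings require policy version 3.
    updated["version"] = 3
    bindings = updated.setdefault("bindings", [])
    for binding in bindings:
        cond = binding.get("condition", {})
        if binding.get("role") == role and cond.get("expression") == expression:
            # Same role and condition already present: just add the member.
            if member not in binding["members"]:
                binding["members"].append(member)
            return updated
    bindings.append({
        "role": role,
        "members": [member],
        "condition": {"title": title, "expression": expression},
    })
    return updated

# Constructed sample policy; a real one comes from `gcloud projects get-iam-policy`.
SAMPLE_POLICY = {
    "version": 1,
    "etag": "BwXconstructed=",
    "bindings": [{"role": "roles/viewer", "members": ["group:dev@example.com"]}],
}

if __name__ == "__main__":
    expr = tag_condition("123456789012", "costCenter")  # placeholder org ID
    new_policy = add_conditional_binding(
        SAMPLE_POLICY, "roles/compute.instanceAdmin.v1",
        "group:dev@example.com", expr, "require-costcenter-tag")
    print(json.dumps(new_policy, indent=2))
```

Keep the etag returned by get-iam-policy in the document you write back, so that a concurrent policy change is rejected instead of silently overwritten.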

Find Untagged and Unlabelled GCP Resources

Even with this condition set up, it can be helpful to run checks to ensure that there aren’t any resources that exist without the needed tags. To locate any untagged resources, you can issue the following command in the GCloud CLI:

gcloud compute instances list --filter="-tags:*"

To locate any unlabelled resources, you can issue the following command in the GCloud CLI console:

gcloud compute instances list --filter="-labels:*"
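
The -labels:* filter only returns instances with no labels at all, and the tags field in this command's output holds the instance's network tags. The added example below (not from the original post) goes one step further and checks each instance for specific mandatory label keys; the key names and the inventory, shaped like gcloud compute instances list --format=json output, are constructed assumptions.

```python
import json
import re

# ASCII subset of the GCP label-key rules: starts with a lowercase letter,
# then lowercase letters, digits, "_" or "-", at most 63 characters.
LABEL_KEY_RE = re.compile(r"^[a-z][a-z0-9_-]{0,62}$")
REQUIRED_LABELS = ("cost-center", "env")  # hypothetical mandatory keys

# Constructed sample in the shape of `gcloud compute instances list --format=json`.
SAMPLE_INVENTORY = json.loads("""
[
 {"name": "web-1",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
  "labels": {"cost-center": "cc-1001", "env": "prod"},
  "tags": {"items": ["http-server"]}},
 {"name": "batch-7",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-b",
  "tags": {"items": ["internal"]}},
 {"name": "db-2",
  "zone": "https://www.googleapis.com/compute/v1/projects/example-project/zones/us-central1-a",
  "labels": {"cost-center": "", "env": "prod"}}
]
""")

def audit_instances(instances, required=REQUIRED_LABELS):
    """Return one finding per instance that lacks a required label."""
    invalid = [key for key in required if not LABEL_KEY_RE.match(key)]
    if invalid:
        # e.g. "costCenter" can never be a label key: uppercase is rejected.
        raise ValueError(f"not valid label keys: {invalid}")
    findings = []
    for inst in instances:
        labels = inst.get("labels") or {}
        # Policy choice in this example: an empty value counts as missing.
        missing = [key for key in required if not labels.get(key)]
        if missing:
            findings.append({
                "name": inst["name"],
                "zone": inst["zone"].rsplit("/", 1)[-1],
                "missing_labels": missing,
                "unlabelled": not labels,
                # `tags` here holds network tags, reported for context only.
                "network_tags": (inst.get("tags") or {}).get("items", []),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_instances(SAMPLE_INVENTORY):
        print(json.dumps(finding))
```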

Best Practices for Tagging GCP Resources

Make sure you have clear guidelines that outline the naming and enforcement of GCP tags. In addition, using scripting tools and automation can aid your team in setting up templates to attach the appropriate GCP tags to any resources within your environments.

Automating Mandatory Label Checks with Blink

So now you know how to mandate tags for your GCP resources. If you want to do the same for labels, there’s an easier way than learning each step. Blink is a low-code platform that comes with pre-built automations so you can run manual checks like this in a few clicks.

Get started with Blink today.
