Working with tags
Use tags to organize, track usage costs, and even manage access to your resources and service IDs. You can tag related resources and view them throughout your account by filtering by tags from your resource list.
To see a full list of tags in your account, go to Manage > Account in the IBM Cloud® console, and select Tags.
You can apply user tags to organize your resources and service IDs and easily find them later. User tags can also help you with identifying specific team usage or cost allocation. By creating access management tags, you can control access to your resources and service IDs without requiring updates to your IAM policies.
Tag types
There are three types of tags: service, user, and access management.
- User tags
- User tags are added to resources or service IDs by an authorized user in the account. Add user tags to your resources to organize, track, and manage costs for related resources. When you use a consistent tagging schema to identify which resources are tied to specific teams, you can group and filter by those tags when you analyze costs within your exported usage report.
Consider using a project to organize and track resources across accounts. Resources that are created by deploying a project automatically have service tags attached with the project ID and configuration ID. This way, you don't have to manage tagging related resources maually.
- Service tags
- Service tags are attached by services. No users are authorized to attach or detach service tags on a resource, even if they have access to manage tags on the resource.
Resources that are created by deploying a project are automatically tagged with the project ID and configuration ID, which is available on your usage report. Use projects to help you track spending for projects. For more information, see Tracking usage and spend for projects.
- Access management tags
- Access management tags are used to manage access to resources. They can be created in advance for use in access policies, which grant access to the resources where access management tags are attached. Only the account administrator can create access management tags, and they can delete them only when the tags aren't attached to any resources in the account. Only the resource administrator can attach and detach access management tags on the resource itself.
Tagging rules
Tags are not case-sensitive, any uppercase characters are converted to lowercase, and the maximum length of a tag is 128 characters. The permitted characters are A-Z, 0-9, spaces, underscore, hyphen, period, and colon. The only supported format
for access management tags is key:value
. The use of a colon formats the tag into a string that isolates two logical parts, like a env:dev
pair. A comma separates multiple tags and can't be used within the tag name
itself.
Tags are visible account-wide and can be replicated across geographic regions. Since tags are not regulated information, avoid creating tags that use personal information, such as your name, address, phone number, email address, or other identifying or proprietary information.
Sample tags and syntax
You can apply tags to help you organize and manage your resources, service IDs, and access policies. Consider writing tags as key:value
pairs to help coordinate your development environments, projects, compliance, and optimization
throughout your organization. See the following table for some examples of tags that you might want to use.
Tag | Description |
---|---|
env:dev , env:test , env:stage , env:prod |
Use to identify or even manage access to your development environment |
project:lw-wizard , app:poc-app |
Use to identify or even manage access to a project |
dataresidency:germany , compliance:hipaa , compliance:pii |
Use to define compliance requirements |
schedule:24x7 , maxruntime:12days |
Use to help you automate optimization |
Creating tags
Creating access management tags in the console
Before you can attach your access management tags to individual resources or service IDs, you need to create them first. To create access management tags, you must have the administrator role on either the Tagging Service or on All Account management services.
IBM Cloud® allows up to 250 access management tags per account.
- Go to Manage > Account in the IBM Cloud® console, and select Tags.
- Click Access management tags.
- Type the names of your tags, and click Create Tags. These tags are now ready to be attached to resources or service IDs, and to scope access policies.
Next, see Attaching and detaching tags. For a full tutorial, see Controlling access to resources by using tags.
Creating access management tags by using the CLI
Before you can attach your access management tags to individual resources or service IDs, you need to create them first. To create access management tags, you need to have administrator role on either the Tagging Service that is listed under the Account management services or on all Account management services.
IBM Cloud® allows up to 250 access management tags per account.
-
Log in to IBM Cloud CLI. If you have multiple accounts, you are prompted to select which account to use. If you do not specify a region with the
-r
flag, you must also select a region.ibmcloud login
If your credentials are rejected, you might be using a federated ID. To log in with a federated ID, use the
--sso
flag. See Logging in with a federated ID for more details.If it's your first time using the IBM Cloud CLI, check out the getting started tutorial.
-
Enter the
ibmcloud resource tag-create
command to create an access management tag in your account. This example creates a tag that is calledproject:myproject
:ibmcloud resource tag-create --tag-names project:myproject
For more information, see the ibmcloud resource
command reference.
Next, see Attaching and detaching tags.
Creating access management tags by using the API
Before you can attach your access management tags to individual resources or service IDs, you need to create them first. To create access management tags, you need to have administrator role on either the Tagging Service that is listed under the Account management services or on all Account management services.
IBM Cloud® allows up to 250 access management tags per account.
You can programmatically create access management tags by calling the Global Search and Tagging - Tagging API as shown in the following sample request. The example
creates a tag that is called project:myproject
.
curl -X POST -H "Authorization: {iam_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{ "tag_names": ["project:myproject"] }' \
"tags.global-search-tagging.cloud.ibm.com/v3/tags?tag_type=access"
CreateTagOptions createTagOptions = new CreateTagOptions.Builder()
.addTagNames("project:myproject")
.tagType("access")
.build();
Response<CreateTagResults> response = service.createTag(createTagOptions).execute();
CreateTagResults createTagResults = response.getResult();
System.out.println(createTagResults);
const params = {
tagNames: ['project:myproject'],
tagType: 'access',
};
globalTaggingService.createTag(params)
.then(res => {
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});
create_tag_results = global_tagging_service.create_tag(
tag_names=['project:myproject'],
tag_type='access').get_result()
print(json.dumps(create_tag_results, indent=2))
createTagOptions := globalTaggingService.NewCreateTagOptions(
[]string{"project:myproject"},
)
createTagOptions.SetTagType("access")
createTagResults, response, err := globalTaggingService.CreateTag(createTagOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(createTagResults, "", " ")
fmt.Println(string(b))
Next, see Attaching and detaching tags.
Creating access management tags by using Terraform
Before you can create access management tags by using Terraform, make sure that you have completed the following:
- Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
- Create a Terraform configuration file that is named
main.tf
. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation. - Before you can attach your access management tags to individual resources or service IDs, you need to create them first. To create access management tags, you need to have administrator role on either the Tagging Service that is listed under the Account management services or on all Account management services.
IBM Cloud® allows up to 250 access management tags per account.
Use the following steps to create access management tags by using Terraform:
-
Create an argument in your
main.tf
file. The following example creates the access management tagibm_tag
to theibm
resource for the resource IDibm_satellite_location.location.crn
.resource "ibm_resource" "ibm" { resource_id = ibm_satellite_location.location.crn tags = [ "ibm_tag" ] }
-
After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
terraform init
-
Provision the resources from the
main.tf
file. For more information, see Provisioning Infrastructure with Terraform.-
Run
terraform plan
to generate a Terraform execution plan to preview the proposed actions.terraform plan
-
Run
terraform apply
to create the resources that are defined in the plan.terraform apply
-
Tagging for resellers
All tags are visible to all members of an account. To view the policy of an access management tag, the user must be assigned at least a viewer role on the tagged resource. If your account is associated with different organizations, if you're a reseller for example, you might want to recommend your customers not to store sensitive information in tags.
To control tag visibility, circulate tagging guidelines and let users know that tags are visible account-wide.
Use codes rather than names for clients and accounts and avoid placing sensitive information in tags.