Stay organized with collections
Save and categorize content based on your preferences.
Tags are key-value pairs you can apply to your worker pools for fine-grained access
control. Tags provides a way to conditionally allow or deny
policies based on whether a resource has a specific tag.
At the organization or project level, tag administrators create tags for resources across Google Cloud and manage them in
Resource Manager.
Required roles
To get the permissions that
you need to attach or detach tags,
ask your administrator to grant you the
following IAM roles on the Cloud Run worker pool:
To manage access on the tag value resource in Resource Manager, your
account must also have the
Tag User (roles/resourcemanager.tagUser) role
granted for the tag value.
The tag value is the resource that is attached to the Cloud Run
worker pool.
To update more than one tag, supply a comma-delimited list of key/value
pairs.
Replace:
TAG_VALUE with the value for the key. You can use several
different types of values, such as a permanent ID such as tagValues/12345678901, a namespaced value such as 123456789012/env/prod, or a short name such as prod.
PROJECT_ID with project ID of your Google Cloud project
REGION with region your Cloud Run worker pool is deployed to
WORKER_POOL with name of your Cloud Run worker pool
Detach a tag
Use the Google Cloud CLI to detach tags from your worker pool.
To detach more than one tag, supply a comma-delimited list of key/value
pairs.
Replace
TAG_VALUE with the value for the key: you can several
different types of values: a permanent ID such as tagValues/12345678901,
a namespaced value such as 123456789012/env/prod, or a short name such as prod.
PROJECT_ID with project ID of your Google Cloud project
REGION with region your Cloud Run worker pool is deployed to
WORKER_POOL with name of your Cloud Run worker pool
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[],[],null,["# Tag worker pools\n\n| **Preview\n| --- Cloud Run worker pools**\n|\n|\n| This feature is subject to the \"Pre-GA Offerings Terms\" in the General Service Terms section\n| of the [Service Specific Terms](/terms/service-terms#1).\n|\n| Pre-GA features are available \"as is\" and might have limited support.\n|\n| For more information, see the\n| [launch stage descriptions](/products#product-launch-stages).\n\nTags are key-value pairs you can apply to your worker pools for fine-grained access\ncontrol. Tags provides a way to conditionally allow or deny\npolicies based on whether a resource has a specific tag.\n\nAt the organization or project level, tag administrators create tags for resources across Google Cloud and manage them in\n[Resource Manager](/resource-manager/docs/tags/tags-creating-and-managing).\n| **Note:** In contrast to tags, [labels](/run/docs/configuring/workerpools/labels) are used to identify resources for billing-related reasons, filtering logs, and so forth.\n\nRequired roles\n--------------\n\n\nTo get the permissions that\nyou need to attach or detach tags,\n\nask your administrator to grant you the\nfollowing IAM roles on the Cloud Run worker pool:\n\n- [Cloud Run Admin](/iam/docs/roles-permissions/run#run.admin) (`roles/run.admin`)\n- [Tag User](/iam/docs/roles-permissions/resourcemanager#resourcemanager.tagUser) (`roles/resourcemanager.tagUser`)\n\n\nTo manage access on the tag value resource in Resource Manager, your\naccount must also have the\n[Tag User](/iam/docs/understanding-roles#resourcemanager.tagUser) (`roles/resourcemanager.tagUser`) role\n[granted for the tag value](/resource-manager/docs/tags/tags-creating-and-managing#managing_access).\nThe tag value is the resource that is attached to the Cloud Run\nworker pool.\n\nFor a list of IAM roles and permissions that are associated with\nCloud Run, see\n[Cloud Run IAM roles](/run/docs/reference/iam/roles)\nand [Cloud Run IAM permissions](/run/docs/reference/iam/permissions).\nIf your Cloud Run worker pool interfaces with\nGoogle Cloud APIs, such as Cloud Client Libraries, see the\n[service identity configuration guide](/run/docs/configuring/workerpools/service-identity).\nFor more information about granting roles, see\n[deployment permissions](/run/docs/reference/iam/roles#additional-configuration)\nand [manage access](/iam/docs/granting-changing-revoking-access).\n\nAttach tags\n-----------\n\nNote that attaching a tag to your worker pool *does not* result in the creation\nof a new revision.\n\nYou can attach tags using the Google Cloud CLI. \n\n### gcloud\n\nYou can update tags for a worker pool using the command: \n\n```bash\ngcloud resource-manager tags bindings create \\\n --tag-value=TAG_VALUE \\\n --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/workerpools/WORKER_POOL \\\n --location=REGION\n```\n\nTo update more than one tag, supply a comma-delimited list of key/value\npairs.\n\nReplace:\n\n- \u003cvar translate=\"no\"\u003eTAG_VALUE\u003c/var\u003e with the value for the key. You can use several different types of values, such as a permanent ID such as `tagValues/12345678901`, a namespaced value such as `123456789012/env/prod`, or a short name such as `prod`.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with project ID of your Google Cloud project\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e with region your Cloud Run worker pool is deployed to\n- \u003cvar translate=\"no\"\u003eWORKER_POOL\u003c/var\u003e with name of your Cloud Run worker pool\n\nDetach a tag\n------------\n\nUse the Google Cloud CLI to detach tags from your worker pool. \n\n### gcloud\n\nTo detach a tag from a worker pool: \n\n```bash\ngcloud resource-manager tags bindings delete \\\n --tag-value=TAG_VALUE \\\n --parent=//run.googleapis.com/projects/PROJECT_ID/locations/REGION/workerpools/WORKER_POOL \\\n --location=REGION\n```\n\nTo detach more than one tag, supply a comma-delimited list of key/value\npairs.\n\nReplace\n\n- \u003cvar translate=\"no\"\u003eTAG_VALUE\u003c/var\u003e with the value for the key: you can several different types of values: a permanent ID such as `tagValues/12345678901`, a namespaced value such as `123456789012/env/prod`, or a short name such as `prod`.\n- \u003cvar translate=\"no\"\u003ePROJECT_ID\u003c/var\u003e with project ID of your Google Cloud project\n- \u003cvar translate=\"no\"\u003eREGION\u003c/var\u003e with region your Cloud Run worker pool is deployed to\n- \u003cvar translate=\"no\"\u003eWORKER_POOL\u003c/var\u003e with name of your Cloud Run worker pool"]]
