According to GCP Documentation for Tags: To delete a tag value, you must first remove it from all resources. A tag value that is still attached to a resource will not be deleted.

If you have numerous resources where this tag is used (across Buckets, BQ Datasets, VMs, IAM, etc.) it can be cumbersome to check every resource page to identify where this tag is used.

Is there a CLI command that lists all places where a tag value is used?

This is useful:

1. If a tag deletion is failing because it used somewhere but you don't know where.
2. If you want to edit/extend functionality of an existing tag value and want an audit of everywhere it is currently utilized to ensure edits are made where required.
3. When Google tries to delete a tag value I'm sure it already runs a similar check in the background to ensure a successful deletion.

According to GCP Documentation for Tags: To delete a tag value, you must first remove it from all resources. A tag value that is still attached to a resource will not be deleted.

If you have numerous resources where this tag is used (across Buckets, BQ Datasets, VMs, IAM, etc.) it can be cumbersome to check every resource page to identify where this tag is used.

Is there a CLI command that lists all places where a tag value is used?

This is useful:

1. If a tag deletion is failing because it used somewhere but you don't know where.
2. If you want to edit/extend functionality of an existing tag value and want an audit of everywhere it is currently utilized to ensure edits are made where required.
3. When Google tries to delete a tag value I'm sure it already runs a similar check in the background to ensure a successful deletion.

• google-cloud-platform
• tags
• google-cloud-iam

2 Answers 2

Use the CLI command below to show a list of Tags attached to a specific resource:

gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis/projects/PROJECT_ID

As an expected result, it should only show the inherited key-tag value pairs that are under the projects, which is the tag value.

For additional information, you can check the gcloud resource-manager tags bindings list.

SOLUTION

Cloud Asset Inventory provides this functionality. To search for a sample tag value of "access", you can use below example or see documentation on how to construct a query.

gcloud asset search-all-resources --query="tagValues:access"

Notes:

• This requires enabling the Cloud Asset Inventory API (presently, this has no costs associated)
• Not all resources can be searched. See resource types for resource names and to check if they are available to the search API. Notably, BigQuery datasets can't be searched.
• Since this may output a lot of information if you have a number of resources, you can use --format="table(name,assetType,project)" or some variation to limit the output.