Tagging Overview

Oracle Cloud Infrastructure Tagging allows you to add metadata to resources, which enables you to define keys and values and associate them with resources. You can use the tags to organize and list resources based on your business needs.

How Tagging Works

The Tagging service provides two ways for you to add tags to resources. Each approach offers a different type of tag for you to work with:

  • Defined tags - tag administrators manage resource metadata.
  • Free-form tags - unmanaged metadata applied to resources by users.

One approach involves a tag administrator creating and managing all the tags that users apply to resources. Use IAM policy to select tag administrators, who can create tags. Grant all others in the tenancy only the ability to apply tags. The benefit to this approach is that you can create and manage the keys and values used to tag resources. You can then avoid typos that weaken automation based on tags and provide better reporting based on tags.

The other approach is to allow users to add tags to resources. Each tag is edited or applied at the resource by you or a user creating or modifying a resource. You can use both types of tags throughout your tenancy.

Most of the Tagging features require defined tags. "Tag" is used generically to refer to defined tags. To create metadata that you can trust to manage resources and collect data, use defined tags. With defined tags, the following scenarios become possible: 

  • Create default tags that are applied to all resources in compartments. See Managing Tag Defaults.
  • Specify that users must apply tags to resources to successfully create resources in compartments.
  • If you make a typo using defined tags, correct it by editing or even deleting the tag. When you delete a defined tag, Oracle removes the key and any value for that tag from all resources. See Deleting Tag Key Definitions and Namespaces.
  • Associate a list of predefined values for a defined tag. See Using Predefined Values.
  • Use system variables to generate values for defined tags or tag defaults automatically. See Using Tag Variables.
  • Track costs based on tags. Use of defined tags is recommended for this use case.
  • Set budgets using cost-tracking tags to be alerted when your spending reaches specified levels. See Using Cost-Tracking Tags.

Tagging Concepts

Here's a list of the basic tagging concepts:

TAG NAMESPACE
You can think of a tag namespace as a container for your tag keys. It consists of a name and zero or more tag key definitions. Tag namespaces are not case sensitive and must be unique across the tenancy. The namespace is also a natural grouping to which administrators can apply policy. One policy on the tag namespace applies to all the tag definitions contained within that namespace.
TAG KEY
The name you use to refer to the tag. Tag keys are case insensitive. For example, "mytagkey" duplicates "MyTagKey". You must create tag keys for defined tags in a namespace. Each tag key must be unique within a namespace.
TAG VALUE TYPE
The tag value type specifies the data type allowed for the value. Currently two data types are supported: string and a list of strings.
KEY DEFINITION
A key definition defines the schema of a tag and includes a namespace, tag key, and tag value type.
TAG VALUE
The tag value is the value that the user applying the tag adds to the tag key. Tag values support two data types: strings and lists of strings. You can define a list of values for the user to select from when you define the tag key, or you can allow the user to enter any value when the tag is applied to the resource. If you select a string tag value when you create the key, the user can leave the value blank when they apply the key.
In the example:
Operations.CostCenter="42"
Operations is the namespace, CostCenter is the tag key, and 42 is the tag value.
TAG (OR DEFINED TAG)
A tag is the instance of a key definition that is applied to a resource. It consists of a namespace, a key, and a value. "Tag" is used generically to refer to defined tags.
FREE-FORM TAG
A basic metadata association that consists of a key and a value only. Free-form tags have limited functionality. See Understanding Free-form Tags.
COST TRACKING

Cost tracking is a feature available with defined tags. This feature is being deprecated and is currently only relevant for use with Budgets. To understand when you need to designate a tag as a cost-tracking Tag, see Using Cost-Tracking Tags.

TAG DEFAULT
Tag defaults let you specify tags that are applied automatically to all resources in a specific compartment at the time of creation, regardless of the permissions of the user who creates the resource. See Managing Tag Defaults.
RETIRE
You can retire a tag key definition or a tag namespace. Retired tag namespaces and key definitions can no longer be applied to resources. However, retired tags are not removed from the resources to which they have already been applied. You can still specify retired tags when searching, filtering, reporting, and so on.
REACTIVATE
You can reactivate a tag namespace or tag key definition that has been retired to reinstate its usage in your tenancy.
TAG VARIABLE
You can use a variable to set the value of a tag. When you add or update a tag on a resource, the variable resolves to the data it represents. See Using Tag Variables.
PREDEFINED VALUES
You can use a variable to set the value of a tag. When you add or update a tag on a resource, the variable resolves to the data it represents. See Using Predefined Values.

Authentication and Authorization

Each service in Oracle Cloud Infrastructure integrates with IAM for authentication and authorization, for all interfaces (the Console, SDK or CLI, and REST API).

An administrator in your organization needs to set up groups , compartments , and policies  that control which users can access which services, which resources, and the type of access. For example, the policies control who can create new users, create and manage the cloud network, launch instances, create buckets, download objects, etc. For more information, see Getting Started with Policies. For specific details about writing policies for each of the different services, see Policy Reference.

If you’re a regular user (not an administrator) who needs to use the Oracle Cloud Infrastructure resources that your company owns, contact your administrator to set up a user ID for you. The administrator can confirm which compartment or compartments you should be using.

For administrators: Use the following topics to find example of IAM policy for Tagging

Region Availability

Tagging is currently available in all regions.

Ways to Access Oracle Cloud Infrastructure

You can access Oracle Cloud Infrastructure using the Console (a browser-based interface) or the REST API. Instructions for the Console and API are included in topics throughout this guide. For a list of available SDKs, see Software Development Kits and Command Line Interface.

To access the Console, you must use a supported browser. To go to the Console sign-in page, open the navigation menu at the top of this page and click Infrastructure Console. You will be prompted to enter your cloud tenant, your user name, and your password.

Limits on Tags

See Service Limits for a list of applicable limits and instructions for requesting a limit increase.
  • Tags per tenancy: unlimited
  • Tags per resource: 10 free-form tags and 64 defined tags
  • Tags enabled for cost-tracking: 10 per tenancy (includes both active and retired tags)
  • Total tag data size: 5 K (JSON). The total tag data size includes all tag data for a single resource (all applied tags and tag values). Sizing is per UTF-8.
  • Number of pre-defined values for a tag key: 100 per list
Resource Supported Characters Max Length
Tag namespace Printable ASCII, excluding periods (.) and spaces 100 characters

Tag key name

(free-form and defined)

Printable ASCII, excluding periods (.) and spaces 100 characters

Tag value

(free-form and defined)

Unicode characters 256 characters

Resources That Can Be Tagged

The following table lists resources that support tagging. This table will be updated as tagging support is added for more resources.

Service Taggable Resource Types
Analytics Cloud analytics-instances
API Gateway

api-deployments

api-gateways

Application Migration

ams-migration

ams-source

ams-work-request

Audit audit-events
Big Data bds-instances
Block Volume

volumes

volume-backups

backup-policies

boot-volume-backups

Blockchain Platform blockchain-platforms
Budgets usage-budgets
Cloud Guard

managed-lists

targets

Compute

auto-scaling-configurations

cluster-networks

instance

instance-configurations

instance-image

instance-pools

instanceconsoleconnections

Content and Experience oce-instances
Data Catalog

data-catalogs

data-catalog-data-assets

data-catalog-glossaries

Data Flow

dataflow-applications

dataflow-runs

Data Integration workspaces
Data Safe data-safe
Data Science

data-science-models

data-science-notebook-sessions

data-science-projects

Database

autonomous-databases

db-systems

databases

Digital Assistant

oda-instances

DNS

dns-steering-policies

dns-tsig-keys

dns-zones

Email Delivery approved-senders
Events cloudevents-rules
File Storage

file-systems

mount-targets

snapshots

Functions

fn-app

fn-function

Health Checks health-check-monitor
IAM

compartments

dynamic-groups

groups

identity-providers

network-sources

policies

tenancy (root compartment)

users

Integration integration-instances
Load Balancing load-balancers
Logging Analytics

loganalytics-entity

loganalytics-log-group

Management Agent management-agents
Monitoring alarms
MySQL Database

mysql-configurations

mysql-instances

mysql-backups

Networking, FastConnect

cpes

cross-connects

cross-connect-groups

dhcp-options

drgs

internet-gateways

ipsec-connections

ipv6s

ipsec-connections

local-peering-gateways

nat-gateways

network-security-groups

private-ips

public-ips

remote-peering-connections

route-tables

security-lists

service-gateways

subnets

vcns

virtual-circuits

vnics

vnic-attachments

Notifications

ons-subscriptions

ons-topics

Object Storage, Data Transfer, and Archive Storage

buckets

data-transfer-jobs

OS Management

osms-managed-instances

osms-managed-instance-groups

osms-software-sources

osms-scheduled-jobs

Quotas Service quota
Resource Manager

orm-jobs

orm-stacks

Search resourcesummary
Service Connector Hub service-connectors
Streaming

connect-harnesses

streams

streampools

Tagging

tag-namespaces

tag-definitions (API only)

Vault

keys

vaults

key-delegate

WAF

http-redirects

waas-address-list

waas-certificate

waas-custom-protection-rule

waas-policy