Oracle Cloud Infrastructure Documentation

Managing Tags and Tag Namespaces

When you have many resources (for example, instances, VCNs, load balancers, and block volumes) across multiple compartments in your tenancy, it can become difficult to track resources used for specific purposes, or to aggregate them, report on them, or take bulk actions on them. Tagging allows you to define keys and values and associate them with resources. You can then use the tags to help you organize and list resources based on your business needs.

Required IAM Policy

If you're in the Administrators group, then you have the required access for managing tag namespaces and tags. For more policy samples specific to working with tags and tag namespaces, see Required Permissions for Working with Defined Tags.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for groups or other IAM components, see Details for IAM.

Overview of Tags

Oracle Cloud Infrastructure supports two kinds of tags: free-form tags and defined tags.

Tip

Watch a video to introduce you to the concepts and features of tagging: Introduction to Tagging.

Free-form Tags

Free-form tags consist simply of a key and a value, for example:

Environment: Production

where "Environment" is the key and "Production" is the value.

You can apply multiple free-form tags to a single resource (up to the limit).

This image shows two instances with free-form tags

Because free-from tags are limited in functionality, Oracle recommends that you only use them when you are first getting started with tagging, to try out the tagging feature in your system. For more information about the features and limitations of free-form tags, see Working with Free-form Tags.

Defined Tags

Defined tags provide more features and control than free-form tags. Before you create a defined tag key, you first set up a tag namespace for it. You can think of the tag namespace as a container for a set of tag keys. When you create the tag key definition, you must choose the type of value (which also determines how the user applying the tag adds the value): 

  • You can leave it empty so that a user can fill in the value
  • You can create a list of values so that the user must choose from those values

To apply a defined tag to a resource, a user first selects the tag namespace, then the tag key within the namespace, and then they can assign the value. If the tag key contains a blank value, the user can type in a value or leave it blank. If the tag key contains a list, the user must select a value from the list.

Defined tags support policy to allow you to control who can apply your defined tags. The tag namespace is the entity to which you can apply policy. Administrators can control which groups of users are allowed to use each namespace.

The following diagrams illustrate defined tags. Two tag namespaces are set up: Operations and HumanResources. The tag keys are defined in the namespaces. Within each namespace, the tag keys must be unique, but a tag key name can be repeated across namespaces. In the example, both namespaces include a key named "Environment."

This image shows two namespaces with tag key definitions

The first instance is tagged with two tags from the Operations tag namespace, indicating that it belongs to the Operations production environment and the Operations project "Alpha". The second instance is tagged with tags from both the HumanResources tag namespace and the Operations tag namespace, indicating that it belongs to the HumanResources "Production" environment, the HumanResources cost center "42", and also the Operations project "Beta".

This image shows defined tags applied to instances, highlighting the concept of namespace

Tagging Concepts

Here's a list of the basic tagging concepts:

Tag Namespace
You can think of a tag namespace as a container for your tag keys. It consists of a name, and zero or more tag key definitions. Tag namespaces are not case sensitive, and must be unique across the tenancy. The namespace is also a natural grouping to which administrators can apply policy. One policy on the tag namespace applies to all the tag definitions contained in it.
Tag Key
The name you use to refer to the tag. Tag keys are case insensitive (for example," mytagkey" duplicates "MyTagKey"). Tag keys for defined tags must be created in a namespace. A tag key must be unique within a namespace.
Tag Value Type
The tag value type specifies the data type allowed for the value. Currently two data types are supported: string and a list of strings.
Key Definition
A key definition defines the schema of a tag and includes a namespace, tag key, and tag value type.
Tag Value
The tag value is the value the user applying the tag adds to the tag key. Tag values support two data types: strings and lists of strings. You can define a list of values for the user to select from when you define the tag key, or you can allow the user to enter any value when the tag is applied to the resource. If you select a string tag value when you create the key, the user can leave the value blank when they apply the key.
In the example:
Operations.CostCenter="42"
Operations is the namespace, CostCenter is the tag key, and 42 is the tag value.
Tag (or Defined Tag)
A tag is the instance of a key definition that is applied to a resource. It consists of a namespace, a key, and a value. "Tag" is used generically to refer to defined tags.
Free-form Tag
A basic metadata association that consists of a key and a value only. Free-form tags have limited functionality. See Working with Free-form Tags.
Cost tracking
Cost tracking is a feature supported for defined tags. Tags enabled for cost tracking (also called cost-tracking tags) help you to manage costs in your tenancy. You can use cost-tracking tags to track projected costs and set budgets and receive alerts when your costs reach a particular threshold. See Using Cost-Tracking Tags.
Tag Default
Tag defaults let you specify tags to be applied automatically to all resources, in a specific compartment, at the time of creation, regardless of the permissions of the user who creates the resource. See Managing Tag Defaults.
Retire
You can retire a tag key definition or a tag namespace. Retired tag namespaces and key definitions can no longer be applied to resources. However, retired tags are not removed from the resources to which they have already been applied. You can still specify retired tags when searching, filtering, reporting, and so on.
Reactivate
You can reactivate a tag namespace or tag key definition that has been retired to reinstate its usage in your tenancy.
Tag Variable
You can use a variable to set the value of a tag. When you add or update a tag on a resource, the variable resolves to the data it represents. See Using Tag Variables.
Predefined values
You can use a variable to set the value of a tag. When you add or update a tag on a resource, the variable resolves to the data it represents. See Using Predefined Values.

Working with Free-form Tags

Free-form tags consist simply of a key-value pair. Free-form tags have limited features. To experience the full feature set of tagging, use defined tags.

Features of free-form tags include:

  • Consist of a key and a value. Free-form tags do not belong to a namespace.
  • You can apply free-form tags during resource creation or to an existing resource.
  • Free-form tag keys are case sensitive. For example, "Project" and "project" are distinct keys.
  • Free-form tag values are case sensitive. For example, "alpha" and "Alpha" are distinct values.

Limitations of free-form tags include:

  • When applying a free-form tag, you can't see a list of existing free-form tags, so you don't know what tags and values have already been used.
  • You can't see a list of existing free-form tags in your tenancy.
  • You can't use free-form tags to control access to resources (that is, you can't include free-form tags in IAM policies).
  • You can't use tag variables in free-form tags.
  • You can't use predefined values in free-form tags.

Required Permissions for Working with Free-form Tags

To apply, update, or remove free-form tags for a resource, you must have the update permission on the resource. For many resources, the update permission is granted with the use verb. For example, users who can use instances in CompartmentA, can also apply, update, or remove free-form tags for instances in CompartmentA.

Some resources don't include the update permission with the use verb. To allow a group to apply, update, or remove free-form tags for these resources without granting the full permissions of manage, you can add a policy statement to grant only the <RESOURCE>_UPDATE permission from the manage verb. For example, to allow a group NetworkUsers to work with free-from tags with VCNs in CompartmentA, you could write a policy like:

Allow group NetworkUsers to use vcns in compartment CompartmentA

Allow group NetworkUsers to manage vcns in compartment CompartmentA where request.permission='VCN_UDPATE'

The inspect verb for a resource grants permissions to view free-form tags for that resource. So users who can inspect instances in CompartmentA can also view any free-form tags applied to the instance.

For information about resource permissions, see Policy Reference.

Working with Defined Tags

You must set up the tag namespace and tag keys in your tenancy before users can apply a defined tag to a resource. As part of the set up process, you must also grant permissions to the user groups that will need to use the namespace.

Features of defined tags include:

  • Consist of a tag namespace, a key, and a value.
  • The tag namespace and tag key definition must be set up in your tenancy before users can apply a defined tag to a resource.
  • You can create the tag key with either a tag value type of string (for the user to add a value or leave blank) or a list of values (from which the user must choose).
  • When applying a defined tag, users select from the list of tag keys.
  • Users can apply a defined tag during resource creation or to an existing resource.
  • Defined tag keys are case insensitive.
  • Defined tag values are case sensitive. For example, "alpha" and "Alpha" are distinct values.
  • You can use tag variables.
  • You can create a list of predefined variables to associate with a tag key. Users that apply the tag to a resource must select a value from the list you create.

Required Permissions for Working with Defined Tags

To apply, update, or remove defined tags for a resource, a user must be granted permissions on the resource and permissions to use the tag namespace.

Users must be granted use access on the tag namespace to apply, update, or remove a defined tag for a resource.

Some example policies for tag namespaces:

To allow a group to simply view the tag namespaces in the tenancy (or in a compartment) requires inspect access:

Allow group GroupA to inspect tag-namespaces in tenancy

Important

To apply tags to a resource when using the Console, a user must have permissions to inspect tag-namespaces in tenancy. If the user does not have this permission, the list of tag namespaces cannot be presented to the user in the dialog menu.

To allow a group to read the tag definitions contained in tag namespaces requires read access:

Allow group GroupA to read tag-namespaces in tenancy

To allow a group to apply, update, or remove a defined tag for a resource requires the use access on the tag namespace:

Allow group GroupA to use tag-namespaces in tenancy

To allow usage of a specific tag namespace or namespaces , use a where clause with the target.tag-namespace.name variable. For example:

Allow group GroupA to use tag-namespaces in tenancy where target.tag-namespace.name='Operations'

or to specify multiple tag namespaces:

Allow group GroupA to use tag-namespaces in tenancy where any {target.tag-namespace.name='Operations', target.tag-namespace.name='HumanResources'}

To manage tag namespaces and the tag definitions in them, requires manage access:

Allow group GroupA to manage tag-namespaces in tenancy

In addition to the permissions to work with the tag namespace, to apply or remove defined tags on a resource you must have the update permission for the resource. For many resources, the update permission is granted with the use verb. For example, users who can use instances in CompartmentA, can also apply, update, or remove defined tags for instances in CompartmentA.

Some resources don't include the update permission with the use verb. To allow a group to apply, update, or remove defined tags for these resources without granting the full permissions of manage, you can add a policy statement to grant only the <RESOURCE>_UPDATE permission from the manage verb. For example, to allow a group NetworkUsers to work with defined tags with VCNs in CompartmentA, you could write a policy like:

Allow group NetworkUsers to use vcns in compartment CompartmentA
Allow group NetworkUsers to manage vcns in compartment CompartmentA where request.permission='VCN_UDPATE'

The inspect permission for a resource grants permissions to view defined tags for that resource. For example, users who can inspect instances can also view any defined tags applied to the instance.

For information about resource permissions, see Policy Reference.

Example Scenario

Your company has an Operations department. Within the Operations department are several cost centers. You want to be able to tag resources that belong to the Operations department with the appropriate cost center.

  1. Create a tag namespace definition called Operations.
  2. In the Operations namespace, create a tag key definition called CostCenter.

Alice already belongs to the group InstanceLaunchers. Alice can manage instances in CompartmentA. You want Alice and other members of the InstanceLaunchers group to be able to apply the Operations.CostCenter tag to instances in CompartmentA.

To grant the InstanceLaunchers group access to the Operations tag namespace (and only the Operations tag namespace), add the following statements to the InstanceLaunchers policy:

Allow group InstanceLaunchers to use tag-namespaces in compartment CompartmentA where target.tag-namespace.name='Operations'

Alice can now apply the Operations.CostCenter tag to resources in CompartmentA.

Using Cost-Tracking Tags

You  can use cost-tracking tags to help manage costs in your tenancy. Use cost-tracking tags to do any of the following:

  • Filter projected costs
  • Set budgets

For example, suppose that you have a defined tag key definition called Finance.CostCenter. You enable this tag definition for cost tracking. You apply the tag with a value of "W1" (Finance.CostCenter="W1") to some resources, and you apply the tag with a value of "C2" (Finance.CostCenter="C2") to some other resources. These tags enable the following scenarios: 

  • When you view your Cost Analysis, you can filter the usage information to show you only the costs generated by the resources tagged with "Finance.CostCenter=W1" . You can then filter your usage summary by "Finance.CostCenter=C2".
  • Create a budget for resources tagged "Finance.CostCenter=W1" and another budget for resources tagged "Finance.CostCenter=C2". If spending surpasses a certain amount or is forecast to exceed a particular threshold, you can set up alerts that notify you.

Use cost-tracking tags to compare and track resource usage based on tags, or to set up budgets based on resources grouped by tags, rather than by compartments.

Enabling Tags for Cost-Tracking

You can enable cost-tracking when you create a tag key definition, or you can update an existing tag key definition to enable cost tracking.

Viewing Usage by Cost-Tracking Tags

To view usage by filtering projected costs or creating a budget

  • Cost Analysis provides easy-to-use visualization tools to help you track and optimize your spending. For more information, see Checking Your Balance and Usage.
  • Budgets can be used to set thresholds for your spending. You can set alerts on your budget to let you know when you might exceed your budget, and you can view all of your budgets and spending from one single place Console. See Budgets Overview for more information.

Limits on Cost-Tracking Tags

  • You can have a maximum of 10 tags enabled for cost-tracking in your tenancy at a time. This limitation includes both active and retired tags.

Using Tag Variables

You can use a variable to set the value of a tag. When you add the tag to a resource, the variable resolves to the data it represents. In the example:

Operations.CostCenter="${iam.principal.name} at ${oci.datetime}"

Operations is the namespace, CostCenter is the tag key, and the tag value contains two tag variables ${iam.principal.name} and ${oci.datetime}. When you add this tag to a resource, the variable resolves to your user name (the name of the principal that applied the tag) and a time date stamp for when you added the tag.

user_name at 2019-06-18T18:00:57.604Z

The variable is replaced with data at the time you apply the tag. If you later edit the tag, the variable is gone and only the data remains. You can edit the tag value in all the ways you would edit any other tag value.

To create a tag variable, you must use a specific format.

${<variable>}

Type a dollar sign followed by open and close curly brackets. The tag variable goes between the curly brackets. You can use tag variables with other tag variables and with string values.

Supported Tag Variables

The following tag variables are supported.

Variable Description
${iam.principal.name} The name of the principal that tagged the resource.
${iam.principal.type} The type of principal that tagged the resource.
${oci.datetime} The date and time that the tag was created.

Using Predefined Values

You can create a list of values and associate that list with a tag key. When users apply the tag to a resource, they must select a value from the list. Use lists of predefined values to impose limits on the values that users can apply to tags.

You can update existing tags to use predefined values.

Every predefined list you create must contain at least one value. Your lists can't contain duplicate values or blank entries. With predefined values, users applying tags can't set the value of a tag to null. For more information, see create and update tag key definitions.

Predefined Values and Default Tags

You can use predefined values and default tags to ensure that users creating resources apply tag values you trust.

Here's how it works:

  1. You define a list of predefined values for a tag key.
  2. You create a default tag that uses the key with the list of predefined values and requires that users who create resources in the compartment add the value to the tag.
  3. Oracle prompts all users creating resources in the compartment to enter a tag value. Since the tag key contains a predefined list you created, the value the user applies is a value you trust.

These features help to ensure that new resources contain the values you expect. For more information, see Managing Tag Defaults.

Retiring Key Definitions and Namespace Definitions

You can retire a tag key definition or a tag namespace definition.

When you retire a tag key definition, you can no longer apply it to resources. However, the tag is not removed from the resources that it was applied to. The tag still exists as metadata on those resources and you can still call the retired tag in operations (such as listing, sorting, or reporting).

Important

Retiring a tag stops cost tracking for the tag, but if you do not disable the cost-tracking option on the tag key definition, the retired tag continues to count against your maximum of 10 cost-tracking tags for your tenancy. Ensure that you disable cost tracking before you retire the tag key definition. To disable cost-tracking after a tag is retired, you must reactivate the tag key definition to update it. You can't update tag key definitions that are in the retired state.

When you retire a tag namespace, all the tag keys in the tag namespace are retired. As described earlier, this means that all tags in the tag namespace can no longer be applied to resources, though existing tags are not removed. No new keys can be created in the retired tag namespace.

Reactivating Tag Key Definitions and Namespace Definitions

You can reactivate retired tag key definitions and tag namespace definitions.

When you reactivate a tag key, it is again available for you to apply to resources.

When you reactivate a tag namespace, you can once again create tag key definitions in the namespace. However, if you want to use any of the tag key definitions that were retired with the namespace, you must explicitly reactivate each tag key definition.

Moving Tag Namespaces to a Different Compartment

You can move a tag namespace to a different compartment. The tag namespace can be active or retired when you move it. When you move the tag namespace, all its tag key definitions are moved along with it.

This functionality is useful if you need to reorganize your compartment hierarchy, or if you need to delete a compartment that contains a retired tag namespace. Remember that you can't delete a compartment that still contains resources. A retired tag namespace, even though it is retired, is still an existing resource. Moving the retired tag namespace to a different compartment can enable you to delete its original containing compartment.

To move a tag namespace, you must be allowed to manage tag-namespaces in both compartments.

See the procedure To move a tag namespace to a different compartment.

Deleting Tag Key Definitions and Namespace

You can delete a tag key definition or a tag namespace.

When you delete a tag key definition, you begin a process that removes the tag from all resources in your tenancy. These things happen immediately: 

  • If the tag was a cost-tracking tag, it no longer counts against your 10 cost-tracking tags limit, whether you first disabled it or not.
  • If the tag was used with dynamic groups, none of the rules that contain the tag will be evaluated against the tag.

The delete action is asynchronous and initiates a work request. Once you start the delete operation, the state of the tag changes to deleting and tag removal from resources begins. This process can take up to 48 hours depending on the number of resources that were tagged as well as the regions in which those resources reside. When all tags have been removed, the state changes to deleted. You cannot restore a deleted tag. Once the deleted tag changes its state to Deleted, you can use the same tag name again.

To delete a tag key definition, you must first retire it.

To delete a tag namespace, you must first delete all its tag key definitions.

Tip

To delete a tag namespace that contains tag key definitions, first retire the tag namespace. When you retire a tag namespace, all the tag keys in the tag namespace are retired.

Limits on Tags

See Service Limits for a list of applicable limits and instructions for requesting a limit increase.

  • Tag namespaces: 100 tag namespaces per tenancy
  • Tags per Tag namespace: 100 tags per tag namespace
  • Tags per resource: 10 free-form tags and 64 defined tags
  • Tags enabled for cost-tracking: 10 per tenancy (includes both active and retired tags)
  • Total tag data size: 5 K (JSON). The total tag data size includes all tag data for a single resource (all applied tags and tag values). Sizing is per UTF-8.
Resource Supported Characters Max Length
Tag namespace Printable ASCII, excluding periods (.) and spaces 100 characters

Tag key name

(free-form and defined)

Printable ASCII, excluding periods (.) and spaces 100 characters

Tag value

(free-form and defined)

Unicode characters 256 characters

Using the Console

Warning

Avoid entering confidential information when assigning descriptions, tags, or friendly names to your cloud resources through the Oracle Cloud Infrastructure Console, API, or CLI.

Managing Tag Namespaces

To create a tag namespace
To update a tag namespace's description
To retire a tag namespace
To reactivate a tag namespace
To move a tag namespace to a different compartment
To delete a tag namespace

Managing Key Definitions

To create a key definition
To update a tag key definition
To retire a tag key definition
To reactivate a tag key definition
To delete a tag key definition
To monitor a work request for a deleted tag

Using the API

For information about using the API and signing requests, see REST APIs and Security Credentials. For information about SDKs, see Software Development Kits and Command Line Interface.

Use these API operations to manage tag namespaces:

Use these API operations to manage tag key definitions:

  • GetTag - gets the tag key definition
  • ListTags - lists tag key definitions
  • ListCostTrackingTags - lists the tags that have been enabled for cost-tracking (can be performed in the root compartment only)
  • CreateTag - creates a tag key definition
  • UpdateTag - updates the tag key definition (use this operation to retire or reactivate a tag key)
  • DeleteTag - deletes the tag key definition

Use these API operations to manage work requests spawned by the DeleteTag operation: