Oracle Cloud Infrastructure Documentation

Understanding Free-form Tags

Oracle Cloud Infrastructure supports two kinds of tags: free-form tags and defined tags. This topic describes free-form tags.

Because free-from tags are limited in functionality, Oracle recommends that you only use them when you are first getting started with tagging, to try out the tagging feature in your system. For more information about the features and limitations of free-form tags, see Working with Free-form Tags.

Required IAM Policy

If you're in the Administrators group, then you have the required access for free-form tags. For more policy samples specific to working with free-form tags, see Required Permissions for Working with Free-form Tags.

If you're new to policies, see Getting Started with Policies and Common Policies. If you want to dig deeper into writing policies for groups or other IAM components, see Details for IAM.

Overview of Free-form Tags

Free-form tags consist simply of a key and a value, for example:

Environment: Production

where "Environment" is the key and "Production" is the value.

You can apply multiple free-form tags to a single resource (up to the limit).

This image shows two instances with free-form tags

Working with Free-form Tags

Free-form tags consist simply of a key-value pair. Free-form tags have limited features. To experience the full feature set of tagging, use defined tags.

Features of free-form tags include:

  • Consist of a key and a value. Free-form tags do not belong to a namespace.
  • You can apply free-form tags during resource creation or to an existing resource.
  • Free-form tag keys are case sensitive. For example, "Project" and "project" are distinct keys.
  • Free-form tag values are case sensitive. For example, "alpha" and "Alpha" are distinct values.

Limitations of free-form tags include:

  • When applying a free-form tag, you can't see a list of existing free-form tags, so you don't know what tags and values have already been used.
  • You can't see a list of existing free-form tags in your tenancy.
  • You can't use free-form tags to control access to resources (that is, you can't include free-form tags in IAM policies).
  • You can't use tag variables in free-form tags.
  • You can't use predefined values in free-form tags.

Required Permissions for Working with Free-form Tags

To apply, update, or remove free-form tags for a resource, you must have the update permission on the resource. For many resources, the update permission is granted with the use verb. For example, users who can use instances in CompartmentA, can also apply, update, or remove free-form tags for instances in CompartmentA.

Some resources don't include the update permission with the use verb. To allow a group to apply, update, or remove free-form tags for these resources without granting the full permissions of manage, you can add a policy statement to grant only the <RESOURCE>_UPDATE permission from the manage verb. For example, to allow a group NetworkUsers to work with free-from tags with VCNs in CompartmentA, you could write a policy like:

Allow group NetworkUsers to use vcns in compartment CompartmentA

Allow group NetworkUsers to manage vcns in compartment CompartmentA where request.permission='VCN_UDPATE'

The inspect verb for a resource grants permissions to view free-form tags for that resource. So users who can inspect instances in CompartmentA can also view any free-form tags applied to the instance.

For information about resource permissions, see Policy Reference.