If you have spent more than a week architecting solutions on Google Cloud Platform (GCP), you have likely stared at the metadata inputs for a resource and felt a twinge of confusion. You see a field for Labels. You see a field for Tags.
To the uninitiated, these are synonyms. In almost every other context in the software engineering world, a label and a tag are the same thing. They are key-value pairs used to categorize an object for searchability.
But in GCP, treating them as synonyms is an architectural trap that can lead to security holes, billing nightmares, and governance failures. While they share a similar syntax (key:value), they represent two completely different philosophical approaches to cloud governance. One is a Post-it note. The other is a security badge. One is bottom-up. The other is top-down.
In this deep dive, we are not just going to look at the documentation differences. We are going to explore the strategic implications of these two metadata types, why Google introduced the complexity of Resource Manager Tags, and how moving from RBAC (Role-Based Access Control) to ABAC (Attribute-Based Access Control) depends entirely on understanding the difference.
Part 1: Labels or The Post-it Notes
Let us start with the veteran of the ecosystem. Labels have been around for a long time. They are user-defined strings that you attach to resources like Compute Engine instances, Cloud Storage buckets, or BigQuery datasets.
The Mental Model
Think of Labels as operational metadata. They are "Post-it notes" that developers and DevOps engineers stick onto resources to make sense of the sprawl.
"This VM belongs to the backend team."
"This bucket is for the staging environment."
"This database creates costs for Project X."
Because they are essentially free-text strings, they are incredibly flexible. You do not need to ask permission to create a label. You simply type it in. This low barrier to entry encourages developers to tag resources liberally, which is excellent for visibility.
The Superpower: High-Cardinality Billing
The primary driver for using Labels is FinOps.
When you export your Cloud Billing data to BigQuery, labels are the magic column that allows you to slice and dice costs. Without labels, you get a bill that says "Compute Engine: $5,000." With labels, you get a bill that says "Compute Engine (Cost Center 101): $5,000."
Crucially, Labels support high cardinality. You can have thousands of unique values. If you need to tag a resource with a transaction-id or a specific user-uuid for granular cost tracking, Labels are the only tool for the job. Resource Manager Tags have strict limits (max 1,000 values per key), making them impossible to use for this kind of detailed data tagging.
The Limitations
However, Labels have significant architectural weaknesses when viewed through a governance lens.
First, they have no inheritance mechanism. If you put a Label on a Project, the resources inside that Project do not inherit that label. A VM inside a labeled project is technically naked unless you explicitly label the VM itself. This forces you to write automation scripts that constantly scan for new resources and apply labels to them.
Second, they suffer from loose governance. Anyone with "Editor" permissions on a resource can usually modify labels. They are free-text strings. One developer might use env:prod, another environment:production, and a third Env:Prod. This lack of schema enforcement makes automation difficult.
Finally, they are not designed for security. Because they are mutable by resource owners and do not inherit, they are terrible candidates for defining security boundaries. You would never want to base a firewall rule on a Label that a junior developer could accidentally delete.
Part 2: Resource Manager Tags or The Security Badges
Enter Resource Manager Tags (RM Tags). These were formerly known simply as "Tags," which is confusingly distinct from "Network Tags" used for firewalls.
RM Tags are a relatively newer addition to the GCP ecosystem, designed to solve the governance problems that Labels could not touch.
The Mental Model
Think of Tags as governance attributes or DNA. They are strict, centrally managed, and securely attached.
Unlike Labels, which are just strings stored on the resource, an RM Tag is a distinct resource itself. You must create a Tag Key at the Organization level (e.g., data-sensitivity). You must create allowed Tag Values for that key (e.g., high, medium, low). Only then can you bind these to resources.
Under the hood, Google assigns them unique numeric IDs. This prevents "string drift." Even if you rename the human-readable display name of a tag, the policy enforcing it still works because it targets the immutable ID.
The Superpower: Inheritance and Scope
The killer feature of RM Tags is inheritance combined with broad scope support.
Originally, RM Tags were designed for the resource hierarchy. If you attach a Tag environment: production to a Folder, every single Project and Resource inside that Folder automatically possesses that Tag. This changes the game for governance. You no longer need to write scripts that frantically scan every new bucket to apply a label. The bucket is born with the tag because of where it lives in the hierarchy.
However, Google has aggressively expanded the scope of RM Tags. They are no longer just for Projects and Folders. You can now bind these tags directly to "leaf" resources like Compute Engine Instances, VPC Networks, Subnets, and Cloud Storage Buckets.
This duality allows for powerful combinations. You can have a baseline security posture inherited from the Folder, but specific network policies applied via a tag bound directly to a Subnet.
Part 3: The Strategic Shift from RBAC to ABAC
This is where the topic becomes thought-provoking. Why did Google build a second metadata system? The answer lies in the limitations of RBAC (Role-Based Access Control).
In a traditional RBAC model, you define access based on identity. You say "John is an Editor on Project A." This works fine until you have 5,000 projects. Suddenly, managing who has access to what becomes a nightmare of IAM bindings. You end up with "role explosion."
RM Tags enable ABAC (Attribute-Based Access Control).
With ABAC, you stop caring about the specific resource ID and start caring about the attributes of that resource. You can write a Conditional IAM Policy that says "John is an Admin on ANY resource where env: dev."
This allows your IAM policies to be static, while your infrastructure is dynamic. You write the policy once at the Organization level. When a new Project is created and tagged env: dev, John automatically gets access. No one needs to update an IAM binding.
The Organization Policy Integration
It goes beyond user access. RM Tags are the engine that drives conditional Organization Policies.
Imagine you have a strict requirement that no resource handling "High Sensitivity" data can have a public IP address.
With Labels, this is impossible to enforce natively. You would need a reactive script that detects the violation and shuts it down.
With RM Tags, you create an Organization Policy to "Restrict Public IP creation." You add a condition: enforce this only when data-sensitivity: high.
Now, if a developer creates a VM in a Project tagged data-sensitivity: high, the API will reject their request to add a public IP. It is preventative, not reactive.
Part 4: The Network Security Revolution
For years, GCP engineers relied on "Network Tags" to manage firewalls. If you wanted to allow HTTP traffic to a web server, you added the network tag web-server to the instance and wrote a firewall rule targeting that tag.
But Legacy Network Tags are flawed. They are not IAM-governed in a granular way. If a user has Instance Editor rights, they can change the Network Tags. This means a developer could theoretically add the allow-all-traffic tag to their database server to bypass a firewall restriction.
RM Tags introduce "Secure Tags" for firewalls.
Because RM Tags are governed by specific IAM permissions (Tag User vs. Tag Admin), you can separate duties. A developer can spin up a VM, but they might not have permission to attach the firewall-tier: frontend RM Tag.
By binding RM Tags to VPCs, Subnets, or VMs, you can write global firewall rules that say "Allow traffic from tier: frontend to tier: backend." This decouples your network security from IP addresses (which change) and from Project IDs (which are arbitrary).
Part 5: Comparing the Two
Let us look at the differences side-by-side to make them concrete.
| Feature | Labels | Resource Manager Tags |
|---|---|---|
| Scope | Most Resources | Org / Folder / Project AND Supported Resources (VMs, VPCs, Buckets, etc.) |
| Inheritance | No. Explicit assignment only. | Yes. Cascades down, but can also be bound directly. |
| Governance | Resource Owners / Editors (Free-text) | Organization Admins (Strict Schema) |
| Primary Use Case | Granular Billing, Filtering, Grouping | IAM Conditions, Org Policy, VPC Firewall Rules |
| Mutability | Easy to change by dev | Controlled by Admin permissions |
| Cardinality | High (Unlimited values) | Low (Max 1,000 values per key) |
Part 6: A Decision Framework
It is rarely an "either/or" situation. A mature GCP organization uses both, but for different layers of the stack.
Use Labels When
You need specific Cost Allocation. If you need to know how much the "Halloween Marketing Campaign" spent, use a Label. While RM Tags technically export to billing now, their low limit on values makes them poor candidates for tracking hundreds of different campaign codes.
You need Operational Filtering. If your SRE team wants to filter the dashboard to see only "Frontend" servers, Labels are the UI-friendly way to do it.
The data is high-cardinality. If you need to tag a resource with a commit-hash, a user-id, or a unique request-id, use Labels.
Use RM Tags When
Security is involved. If the metadata dictates who can access the resource, it must be an RM Tag. Labels are too mutable and insecure for access control.
Compliance is involved. "Data Residency," "PCI-DSS Scope," or "PII" indicators should always be Tags to enforce Organization Policies.
You need Hierarchy. If you want to tag a Project and have it apply to all current and future resources within that project, you need RM Tags.
Part 7: Implementing a Governance Strategy
Moving from a Label-based mindset to a Tag-based mindset requires a shift in how you provision infrastructure.
In a modern Terraform setup for GCP, you should apply Tags at the Folder level whenever possible. By tagging the folder, you ensure that every project created inside inherits the security posture defined by your security team. This is the concept of "Landing Zones." You create a "Production" folder and tag it. Any project dropped into that folder automatically inherits the Production policies.
Conversely, Labels should be applied at the Resource level, ideally enforced by your Infrastructure as Code (IaC) pipelines.
Terraform Example for Tags
Here is how you might attach a tag to a Folder in Terraform. Notice how we reference the Tag Value ID, not the string name.
resource "google_tags_tag_binding" "production_folder_binding" {
parent = "//cloudresourcemanager.googleapis.com/folders/12345678"
tag_value = "tagValues/5678"
# Where 5678 represents the value 'prod'
}
Terraform Example for Labels
Here is the standard way to label a bucket. Note the free-text nature of the input.
resource "google_storage_bucket" "app_bucket" {
name = "my-app-bucket"
location = "US"
labels = {
cost_center = "marketing"
app_id = "campaign-manager"
}
}
Conclusion: The Maturity Curve
The confusion between Labels and Tags is a symptom of cloud maturity.
When you start your cloud journey (Cloud 1.0), you tend to ignore metadata. You just build things.
When you grow (Cloud 2.0), you start using Labels to figure out why your bill is so high. You realize you need to categorize things.
When you scale (Cloud 3.0), you start using RM Tags to automate security and governance across thousands of resources.
The identity crisis is not a flaw in GCP. It is a necessary distinction between describing your infrastructure (Labels) and governing your infrastructure (RM Tags).
The "description" helps you pay the bill and debug the app. The "governance" keeps you out of the news for a data breach.
If you are building for scale, stop using Labels for policy. Stop writing scripts that check if env=prod. Embrace the strict, hereditary, and securely bound power of Resource Manager Tags. Your security team, your auditors, and your future self will thank you.
Summary Checklist for Developers
Billing for specific IDs? Use Labels.
IAM Condition? Use RM Tags.
Firewall rule? Use Secure RM Tags.
Filtering in Console? Use Labels.
Org Policy Enforcement? Use RM Tags.
What is your experience with GCP metadata? Have you ever had a security policy fail because someone misspelled a Label? Let me know in the comments below!
Top comments (0)