Michael O'Brien edited this page Mar 15, 2024 · 26 revisions

Use https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps

Onboarding Procedures

Google Workspace or Cloud Identity Accounts for Organization Onboarding

Quota Increase

By default, a Billing Account can only be linked to a certain number of projects, based on a variety of factors. A temporary workaround is to create additional billing accounts (each account gets its own quota), or to associate an existing billing account from another organization - see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-onboarding.md#onboarding-category-3b1-3rd-party-email-account---3rd-party-aws-route53-domain-validation---reuse-existing-billing-account

Billing Quota

Project Quota

To submit a quota increase follow the next steps:

  • Ask for under 50 at a time - 50 is the verification point where the automated approval may not kick in - so try for 20-30.
  • Fill out the billing quota increase form (from the default 5) directly via https://support.google.com/code/contact/billing_quota_increase
  • Or:
  • Create (at least) 5 projects, or more, under the folder created in the GCP validation steps section.
  • On the left menu, go to Billing and select “My Projects”. Notice that the last project has billing disabled.
  • In the Actions column, click the "More Actions" (3 dots) icon corresponding to the project. Select “Change Billing”.
  • Select a Billing account and click “Set Account”.
  • A quota message will appear. Select “Request Quota Increase”.
  • Provide the required information and submit the quota increase request.

Instead of submitting a Quota Increase request, you can also create another Billing Account.

  • Go to Billing, select “My Billing Accounts” and click “Create Account”.
  • Provide the payment information required.

Increasing Quotas

Ask for 20 from the default 5 for project/billing association - create 6 projects and assign billing on the 6th to get the popup. Select "paid services" and you will be approved in 3 min in most cases. For example:

Fill out the form - note the paid services and the less-than-50 request.

Usually you get 2 emails - the request and the response - lately we receive just the response for billing/quota within 3 min. This is on an account that has been on past the 90 day credit period and with previously approved requests.

Cloud Identity License Increases

By default your organization receives 50 licences for the Cloud Identity Free edition. This will increase to 100 if you purchase services like Google Workspace. If you require more than 50 or 100 licences and/or are prototyping identity federation, you can request more licences by filling out the following form from your admin console.

Navigate to admin | billing | subscriptions


The process will take around 1 hour - you may get asked for verification of your request.

Billing

Billing Export

Billing Summary

  • Type 1: shared billing account, where the account owner in another org adds the super admin account in this org as a Billing Account Administrator and/or Billing Account User; normal IAM inheritance into Billing is not done due to security separation. In this case the target service account must have a copy of its Billing Account User role also set on the billing page under the org "NONE SELECTED".
  • Type 2: direct billing credit card on this account (all tests above so far are this case). The state of billing id associations for type 2 is as follows (this one is for the guardrails install https://github.com/canada-ca/accelerators_accelerateurs-gcp/issues/47) - notice that the terraform service account is in the list as well as the user super admin account.

Shared Billing Accounts


TL;DR: Shared billing accounts do not get shared IAM roles - they need to be set separately.

We need a workaround (see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/177 ) for the fact that if the billing account is of type "shared" - owned by a source organization, so that it comes in under the target organization as "None Selected, ID=0" - then any service account created will not get inherited links from IAM set in Billing; roles like Billing Account User need to be set manually. The workaround is currently manual - set the billing role directly in Billing on the shared account. See IAM Role inheritance into Billing Roles in https://cloud.google.com/billing/docs/how-to/billing-access

Example

michael@cloudshell:~$ gcloud config set project gcp-zone-landing-stg
Updated property [core/project].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
michael@cloudshell:~ (gcp-zone-landing-stg)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_PREFIX=tfsa-example
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud iam service-accounts create "${SA_PREFIX}" --display-name "Terraform example service account" --project=${PROJECT_ID}
Created service account [tfsa-example].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_EMAIL=`gcloud iam service-accounts list --project="${PROJECT_ID}" --filter=tfsa --format="value(email)"`
michael@cloudshell:~ (gcp-zone-landing-stg)$ echo $SA_EMAIL
tfsa-example@gcp-zone-landing-stg.iam.gserviceaccount.com

check existing roles
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"

Set the billing role
gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user

check again

michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations add-iam-policy-binding ${ORG_ID}  --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
Updated IAM policy for organization [925207728429].
...
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"

ROLE: roles/billing.user

It may take a couple of minutes to show in IAM.

Checking billing on the shared account

Expected on billing accounts belonging to this org - via IAM inheritance in billing.

Not expected on billing accounts shared from other orgs.

Workaround - set manually.

ref https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/177
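The inheritance gap above can be checked from a script rather than by eye. The following is an added example, not part of the wiki or the toolkit: it compares the service account's billing roles in the organization IAM policy against the shared billing account's own IAM policy and prints the roles that still need to be set manually in Billing. It assumes the standard IAM policy JSON shape returned by `gcloud organizations get-iam-policy` and `gcloud billing accounts get-iam-policy` with `--format=json`; the sample policies embedded below are constructed.

```python
"""Detect billing roles granted at organization level that are missing from a
shared billing account's own IAM policy (the inheritance gap described above).

Added example for this wiki page; not part of the toolkit. Assumes the standard
IAM policy JSON shape ({"bindings": [{"role": ..., "members": [...]}]}) that
`gcloud organizations get-iam-policy ORG --format=json` and
`gcloud billing accounts get-iam-policy ACCOUNT --format=json` both return.
"""
import json
import subprocess
import sys

BILLING_ROLE_PREFIX = "roles/billing."


def roles_for_member(policy, member):
    """Return the set of roles bound to `member` in an IAM policy dict."""
    return {
        b["role"]
        for b in policy.get("bindings", [])
        if member in b.get("members", [])
    }


def missing_billing_bindings(org_policy, billing_policy, member):
    """Billing roles `member` holds on the org but not on the billing account.

    Non-billing roles (anything outside roles/billing.*) are ignored, since
    only billing roles are expected to carry over into a billing account.
    """
    org_billing_roles = {
        r for r in roles_for_member(org_policy, member)
        if r.startswith(BILLING_ROLE_PREFIX)
    }
    direct_roles = roles_for_member(billing_policy, member)
    return sorted(org_billing_roles - direct_roles)


def gcloud_json(args):
    """Run a gcloud command and parse its JSON output (needs gcloud auth)."""
    out = subprocess.run(
        ["gcloud", *args, "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


def check_shared_billing(org_id, billing_account_id, sa_email):
    """Live check: org IAM vs. the billing account IAM for one service account."""
    member = f"serviceAccount:{sa_email}"
    org_policy = gcloud_json(["organizations", "get-iam-policy", org_id])
    billing_policy = gcloud_json(
        ["billing", "accounts", "get-iam-policy", billing_account_id]
    )
    return missing_billing_bindings(org_policy, billing_policy, member)


# Constructed sample policies (not real output) mirroring the scenario above:
# the SA has roles/billing.user on the org, but the shared billing account
# (owned by another org) carries no binding for it.
SAMPLE_MEMBER = "serviceAccount:tfsa-example@gcp-zone-landing-stg.iam.gserviceaccount.com"
SAMPLE_ORG_POLICY = {
    "bindings": [
        {"role": "roles/billing.user", "members": [SAMPLE_MEMBER]},
        {"role": "roles/resourcemanager.projectCreator", "members": [SAMPLE_MEMBER]},
    ]
}
SAMPLE_SHARED_BILLING_POLICY = {
    "bindings": [
        # constructed owner of the shared account in the other organization
        {"role": "roles/billing.admin", "members": ["user:admin@example-owning-org.test"]},
    ]
}


def main(argv):
    # Usage: script.py ORG_ID BILLING_ACCOUNT_ID SA_EMAIL (live), or no args (sample)
    if len(argv) == 4:
        missing = check_shared_billing(argv[1], argv[2], argv[3])
    else:
        missing = missing_billing_bindings(
            SAMPLE_ORG_POLICY, SAMPLE_SHARED_BILLING_POLICY, SAMPLE_MEMBER
        )
    for role in missing:
        print(f"missing on billing account, set manually: {role}")
    return 1 if missing else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit means at least one billing role must still be added directly on the shared account, which is the manual step the workaround describes.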

Change Organization associated with a Billing Account ID - optional non-shared use case

For most cases we do not modify the original owning organization on a particular billing account. When we want to distribute this BID (billing ID) to other organizations in the form of project/billing associations - we do this via the Cloud Identity roles "Billing Account Administrator" - which can also assign "Billing Account User" roles to service accounts - or just "Billing Account User". The identity user or SA in the receiving org can then switch projects to this shared billing account.

However there is a way to move a billing account (not recommended for cloud brokerage shared billing client organizations): it is available when the organization admin role is assigned in the BID-owning org to the organization admins / billing account admins in the target or sub-orgs (remember that all organizations are flat - but they can appear as sub-orgs via subdomains).

In the "Billing Account Management" view - select "Change Organization" and select one of the sub-orgs.

Moving the billing account between organizations is usually reserved for full organization migration.

GCP Account Shutdown Scenarios

GCP Project Deletion

There are 4 scenarios to start:
  1 - project(s) deletion - https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects
  2 - project migration to another organization - https://cloud.google.com/resource-manager/docs/project-migration and https://cloud.google.com/resource-manager/docs/moving-projects-folders
  3 - project backup/restore (at the GCP service level using GCE snapshot for example, or if the services were raised using gcloud/terraform/kcc deployment scripts)
  4 - disassociate billing on the project

Project Initial State

Project Deletion

  • Notice that project clouddeploy-gz is associated with the billing account 0127C1-...-EA25D6 from another org - the goal is to shut down the project completely and disassociate billing so no more charges occur.
  • We navigate to the project in the owning organization and delete the project - starting a 30 day cycle during which it can be reactivated.
  • Follow https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects
  • Quote: "If the project has a billing account associated with it, that association is broken, and isn't reinstated if the project delete operation is canceled. After 30 days, the project is fully deleted."
  • Via https://console.cloud.google.com/cloud-resource-manager?organizationId=925207728429&supportedpurview=project
  • Hit delete on the selected project.
  • Wait - we will check out removing/disassociating billing first below.
  • Back up from removing billing - we re-added billing and will delete the project.
  • Project "clouddeploy-gz" is now shut down and scheduled to be deleted after Nov 26, 2022.
  • The project no longer appears on the billing page.
  • Restoring the project to test the billing association state - in this scenario the project comes back up with the previous shared billing reassociated (note: only the super admin user can do this).
  • GCE is not fully available yet - as you cannot reuse that billing account.
  • Switch billing to another shared account, then switch back.
  • VMs can be created in the restored project - instance up - we will check that it is not in asset inventory (no billing) after re-deleting the project.
  • Asset inventory before - delete project - we still show in asset inventory at the project level and at the org level (3 + 1 VMs).
  • The project though is in a 30 day restore state but not in billing - Asset inventory shows current and deleted (30 day window) resources - the source of truth is the billing page - no clouddeploy-lz project in billing.

I will add gcloud scripting shortly

Billing Account Disassociation

  • Alternatively, disable billing on the project without deleting it - in billing (the project will be both deleted and visible in IAM this way)
  • Or select billing in the dropdown in resource manager
  • Disable billing: "When you disable billing, any billable activity of your services will stop, your billable resources may be deleted, and your application may stop functioning."
  • Billing is disabled
  • The project is still there but services are shut down (almost the same as project deletion)
  • Only default/uncharged services are still up in IAM - Asset Inventory
  • You can still shell into your project
  • But you cannot create billable resources - where we used to run a double GKE cluster - we cannot create GCE VMs or use GKE for example
  • Either way - the project is deleted - whether you delete it or remove billing - both remove billing and place the project in "resources pending deletion"

Undeleting a Project

  • Go to "resources pending deletion" at the end of resource manager in IAM.
  • Only the projects you deleted in the past 30 days can be restored, with the extra permission resourcemanager.projects.undelete.
  • Other projects we can restore with owner within the 30 day window.
  • Turn billing back on to any shared billing account and the project is ready again - we will go back up and formally delete the project now.

Residual Billing

  • There may be a residual bill for essentially empty accounts - of 0.46 - investigating how to remove this charge
  • In my case I have 2 projects that are billing under 0.01 per day with a total of .23 and .21 = .44 - with 13% tax up to .49 - not all services are regional, so if the buckets are in NA they will be taxed. Anyway I will determine which resources have residual cost - likely cloud storage bucket costs.

Disabled Billing and Free Services

Note: Deleted projects are recoverable for up to 30 days from the "pending deletion" state - after that they are fully deleted from backup. Billing-disabled/unset projects stay in IAM and have active free resources (such as an IAM service account) under Manage Resources - and are visible in /billing/projects indefinitely (i.e. I have non-empty billing disabled projects from 2014 in one of my orgs). Therefore I recommend projects be in the "Deleted" state, not "Disable Billing" - unless you want to re-enable them after 30 days.

For example, an older billing disabled project:

The project in question has been in billing disabled state since 2014.

I do however have a leftover Google App Engine application (from an Eclipse in-IDE deployment) from 2019 that is created but not deployed - hence no billing account required yet.

The service account created for GAE at 9AM on 2 May 2019 is still present.

GCP Organization Deletion

This section details procedures around deleting one or more organizations. The use case around org deletion is usually in the context of semi-automated sub-org creation/deletion as teams iterate in and out of project level GCP deployments in a multi-org multi-tenant landing zone structure.

Note:

  • billing data is on a 24h refresh cycle

References

Example Organization Deletion

There are two organizations involved in this use case - the org under deletion gcp...network and the org holding the billing id gcp...network.

We will need to delete the super admin reference to the org under deletion, which may still be associated as a billing account administrator on the organization holding the billing account; this is step 2 in the "creating-managing-organization" section.

Scenario 1:

  • historical billing - org still up - org BAA still associated (normal scenario)
  • historical billing - org still up - org BAA unassociated more than 24h ago
  • historical billing - org deleted more than 24h ago - org BAA still associated
  • historical billing - org deleted more than 24h ago - org BAA unassociated more than 24h ago

Scenario: we will delete the organization gcp...network after at least 24h of billing association with the owning org approach...zone

20230103:1000 org deletion started

Following https://cloud.google.com/resource-manager/docs/creating-managing-organization#deleting_an_organization_resource

  • OA_ORG_D: Organization Administrator account (and Workspace super admin) - ad-s@gc*.g*.n*
  • ORG_D: Organization to delete = gcp.*.network
  • BID_1: Organization owning BID 1 = app*.gcp.z*
  • BID_2: Organization owning BID 2 = gcp.z*
Current State
  • The org admin OA_ORG_D for ORG_D is currently associated as a BAA under BID_1 and BID_2
Actions
  • Delete the 3 remaining projects, including 2 stopped GCE VMs, on ORG_D
  • Note: billing should be disabled first - if not, go to billing | account management and disable billing on the deleted projects
  • dev-* with BID_1 app*
  • gcloud-* with BID_2 gcp*
  • (Optionally disassociate OA_ORG_D from BID_1 and BID_2 - if you have BAA access to these other organizations)
  • Verify no projects in billing | my projects
  • Verify a single billing account directly under the org in billing
  • Verify 3 billing accounts under the org "none selected"
  • Delete all subscriptions except Cloud Identity
  • Follow https://support.google.com/a/answer/9468554?hl=en
  • Navigate to Account | Account settings | Account Management | Delete Account

Delete account


Check account

  • Attempting to login gives: "This account was recently deleted and may be recoverable. Click Next to attempt to restore this account."
Verify Deleted Account
  • Check shared billing at BID_1 and notice the BAA association now appends the following to the deleted account: "uid=5034....247802"
  • We will wait 24h to verify whether billing history stays up, and also verify whether the BAA association deletion has an effect on billing history (deletes historical records) - by removing the BAA only from BAA_2
  • To verify whether the GCP super admin gcloud/cloud-identity account has been deleted - check role associations in https://console.cloud.google.com in any other organization linked to the account and look for a ?uid=.... appended to the email
Remove Billing ID association for one of the orgs
  • On g*.z* removing the billing association on a deleted project
  • Removing the BAA role on the deleted account
  • In 24h check that historical billing still shows for this deleted account

Delete the principal for the "Billing Account Administrator" role on the owning organization of one of the billing accounts.

Principal "a...er@gc...rk?uid=503...47802" successfully removed from all policies on resource "billingAccounts/01...05.."

We still have historical billing data - will recheck after 24h.

Shared Billing considerations during Organization Deletion

In the shared billing account owning organization you will continue to see historical billing metrics around any projects, folders and the organization itself after deletion.

  • See historical organization data under billing | Reports | 90 days
  • Specifically here gcp...services is historical but gcp...network is a currently billing project
  • In the report view you will notice that we still show gcp...services org project traffic-os up to Dec 2 (it is Dec 23rd in this capture) - even though the org
  • In the report view note that a 3rd org landing...zone that had billing traffic in Nov under the fortigate project shows billing data even though the organization SA was removed from the billing account administrator role on the owning org approach...zone more than 24h ago.

The landing...zone SA is no longer in the BAA list.

Multi-Organization

Multi organization single pane is possible (flat model) - pending details....

GCP Resources

Resource Manager

Resource Manager Tags

Query on Organization or Project level Resource Manager Tags at the GCE Instance level

  • Last update 20240315: tags can be created at the GCP Organization level or the project level - but not the folder level.
Setup for Tags
  • Add a couple of tags - one at the organization level and one at the project level
  • Currently no tags are set up
Create Tag Key
michael@cloudshell:~$ gcloud config set project cuda-old
# create tag key
michael@cloudshell:~ (cuda-old)$ TAG_NAME=gpu
michael@cloudshell:~ (cuda-old)$ BOOT_PROJECT_ID=cuda-old
michael@cloudshell:~ (cuda-old)$ ORGANIZATION_ID=$(gcloud projects get-ancestors $BOOT_PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (cuda-old)$ SUPER_ADMIN_EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
michael@cloudshell:~ (cuda-old)$ gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/resourcemanager.tagAdmin --quiet > /dev/null 1>&1
Updated IAM policy for organization [583675367868].
michael@cloudshell:~ (cuda-old)$ gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/resourcemanager.tagUser --quiet > /dev/null 1>&1
Updated IAM policy for organization [583675367868].

michael@cloudshell:~ (cuda-old)$ TAG_NAME=gpu
# RESOURCE_ID is assumed to have been set earlier as organizations/$ORGANIZATION_ID - the parent in the output below confirms this
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags keys create $TAG_NAME --parent=$RESOURCE_ID
Waiting for TagKey [gpu] to be created...done.
createTime: '2024-03-15T15:21:45.515777Z'
etag: Xk0352M/9L4GEdKXgCZ9FQ==
name: tagKeys/281480420865053
namespacedName: 583675367868/gpu
parent: organizations/583675367868
shortName: gpu
updateTime: '2024-03-15T15:21:45.515777Z'
Get Tag Key
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags keys describe tagKeys/281480420865053
createTime: '2024-03-15T15:21:45.515777Z'
etag: Xk0352M/9L4GEdKXgCZ9FQ==
name: tagKeys/281480420865053
namespacedName: 583675367868/gpu
parent: organizations/583675367868
shortName: gpu
updateTime: '2024-03-15T15:21:45.515777Z'


Create Tag Value
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags values create L4x2  --parent=tagKeys/281480420865053
Waiting for TagValue [L4x2] to be created...done.
createTime: '2024-03-15T15:25:49.385598Z'
etag: vcOwj3mv2sVJl3simNyvFA==
name: tagValues/281477109412436
namespacedName: 583675367868/gpu/L4x2
parent: tagKeys/281480420865053
shortName: L4x2
updateTime: '2024-03-15T15:25:49.385598Z'

michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags values describe tagValues/281477109412436
createTime: '2024-03-15T15:25:49.385598Z'
etag: vcOwj3mv2sVJl3simNyvFA==
name: tagValues/281477109412436
namespacedName: 583675367868/gpu/L4x2
parent: tagKeys/281480420865053
shortName: L4x2
updateTime: '2024-03-15T15:25:49.385598Z'

Attach tag key/value to resource
  • attaching directly to VM in this case
michael@cloudshell:~ (cuda-old)$ export TAG_RESOURCE_ID=//cloudresourcemanager.googleapis.com/projects/196717963363
michael@cloudshell:~ (cuda-old)$ export TAGVALUE_NAME=tagValues/281477109412436

list out tags on the org
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/$RESOURCE_ID
Listed 0 items.

list out tags on the project
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/cuda-old
Listed 0 items.

and inherited via --effective
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/cuda-old --effective
Listed 0 items.

list out existing tags on the instance

Bind Tags to an instance

https://cloud.google.com/compute/docs/tag-resources#adding_tags_to_a_resource

michael@cloudshell:~ (cuda-old)$ PROJECT_NUMBER=196717963363
michael@cloudshell:~ (cuda-old)$ ZONE=us-central1-a
michael@cloudshell:~ (cuda-old)$ VM_ID=3097255122501145313
michael@cloudshell:~ (cuda-old)$ REGION=us-central1
michael@cloudshell:~ (cuda-old)$ export TAGVALUE_NAME=tagValues/281477109412436

michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings create --tag-value=$TAGVALUE_NAME --parent=//compute.googleapis.com/projects/$PROJECT_NUMBER/zones/$ZONE/instances/$VM_ID --location us-central1-a
done: true
response:
  '@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
  name: tagBindings/%2F%2Fcompute.googleapis.com%2Fprojects%2F196717963363%2Fzones%2Fus-central1-a%2Finstances%2F3097255122501145313/tagValues/281477109412436
  parent: //compute.googleapis.com/projects/196717963363/zones/us-central1-a/instances/3097255122501145313
  tagValue: tagValues/281477109412436
  tagValueNamespacedName: 583675367868/gpu/L4x2
Query Tags


michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list  --parent=//compute.googleapis.com/projects/$PROJECT_NUMBER/zones/$ZONE/instances/$VM_ID --location us-central1-a
---
name: tagBindings/%2F%2Fcompute.googleapis.com%2Fprojects%2F196717963363%2Fzones%2Fus-central1-a%2Finstances%2F3097255122501145313/tagValues/281477109412436
parent: //compute.googleapis.com/projects/196717963363/zones/us-central1-a/instances/3097255122501145313
tagValue: tagValues/281477109412436


# from Martin via the json spec for the API
https://cloud.google.com/compute/docs/reference/rest/v1/instances/get

michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format='table(name,labels,params.resourceManagerTags,tags.list())'
NAME: instance-20240227-002215
LABELS: {'container-vm': 'cos-stable-109-17800-147-15', 'running': 'magellan'}
RESOURCE_MANAGER_TAGS: 
TAGS: fingerprint=42WmSpB8rSM=

NAME: nvidia-rtx-virtual-workstation-window-4-vm
LABELS: {'goog-dm': 'nvidia-rtx-virtual-workstation-window-4'}
RESOURCE_MANAGER_TAGS: 
TAGS: fingerprint=ozGpPKykoWo=,items=['nvidia-rtx-virtual-workstation-window-4-deployment']

No resource manager tags are shown. The following match is a false positive - the filter matches the regular instance tags in tags.items, not resource manager tags:
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --filter='tags.items:(gpu)'
WARNING: --filter : operator evaluation is changing for consistency across Google APIs.  tags.items:gpu currently matches but will not match in the near future.  Run `gcloud topic filters` for details.
NAME: nvidia-rtx-virtual-workstation-w-8-4gpu-vm
ZONE: us-east4-a
MACHINE_TYPE: g2-standard-48
PREEMPTIBLE: 
INTERNAL_IP: 10.150.0.3
EXTERNAL_IP: 
STATUS: TERMINATED

https://cloud.google.com/sdk/gcloud/reference/topic/filters

michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --filter="tags.items=tagKeys/281480420865053"
Listed 0 items.


Bind organization level tag to project
  • The organization-level environment tag key already has a value bound

add a 2nd tag binding to the project and then list using --effective to get both the project and instance tag bindings

export TAGVALUE2_NAME=tagValues/281476455852818

michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings create --tag-value=$TAGVALUE2_NAME --parent=//cloudresourcemanager.googleapis.com/projects/$PROJECT_NUMBER
done: true
response:
  '@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
  name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F196717963363/tagValues/281476455852818
  parent: //cloudresourcemanager.googleapis.com/projects/196717963363
  tagValue: tagValues/281476455852818
  tagValueNamespacedName: 583675367868/environment/development

michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/$PROJECT_NUMBER
---
name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F196717963363/tagValues/281476455852818
parent: //cloudresourcemanager.googleapis.com/projects/196717963363
tagValue: tagValues/281476455852818

Now query both tags.
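The bindings list with --effective returns both the instance's own bindings and the ones inherited from its project and organization, which makes it the place to check tag compliance. The following is an added example, not part of the wiki or the toolkit: it resolves the effective tags on an instance and checks a required set. It assumes the EffectiveTag JSON shape returned by `gcloud resource-manager tags bindings list --effective --format=json` (namespacedTagKey, namespacedTagValue, tagKey, tagValue, inherited); the sample records embedded below are constructed from the key/value names used on this page.

```python
"""Resolve the effective Resource Manager tags on a GCE instance (direct plus
inherited from project/organization) and check that required tags are present.

Added example for this wiki page; not the toolkit's code. Assumes the
EffectiveTag JSON records that
`gcloud resource-manager tags bindings list --effective --format=json` returns.
"""
import json
import subprocess
import sys


def short_name(namespaced):
    """'583675367868/gpu/L4x2' -> 'L4x2' (last component of a namespaced name)."""
    return namespaced.rsplit("/", 1)[-1]


def effective_tags(bindings):
    """Map tag key short name -> (value short name, inherited?) from EffectiveTag records."""
    tags = {}
    for b in bindings:
        key = short_name(b["namespacedTagKey"])
        # proto3 omits `inherited` when it is false, so default it
        tags[key] = (short_name(b["namespacedTagValue"]), bool(b.get("inherited", False)))
    return tags


def missing_required_tags(bindings, required):
    """Findings for required tags that are absent or carry a disallowed value.

    `required` maps a key short name to the set of allowed values, or None to
    accept any value as long as the key is bound.
    """
    tags = effective_tags(bindings)
    findings = []
    for key, allowed in sorted(required.items()):
        if key not in tags:
            findings.append(f"{key}: not bound")
        elif allowed is not None and tags[key][0] not in allowed:
            findings.append(f"{key}: value {tags[key][0]!r} not in {sorted(allowed)}")
    return findings


def instance_parent(project_number, zone, instance_id):
    """Full resource name accepted by --parent for a GCE instance, as used above."""
    return (f"//compute.googleapis.com/projects/{project_number}"
            f"/zones/{zone}/instances/{instance_id}")


def list_effective_bindings(parent, location):
    """Live query (needs gcloud auth); zonal resources need --location as above."""
    out = subprocess.run(
        ["gcloud", "resource-manager", "tags", "bindings", "list",
         f"--parent={parent}", f"--location={location}", "--effective",
         "--format=json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out)


# Constructed sample (not real output) using this page's names: gpu/L4x2 bound
# directly to the instance, environment/development inherited from the project.
SAMPLE_BINDINGS = [
    {"namespacedTagKey": "583675367868/gpu",
     "namespacedTagValue": "583675367868/gpu/L4x2",
     "tagKey": "tagKeys/281480420865053", "tagValue": "tagValues/281477109412436",
     "inherited": False},
    {"namespacedTagKey": "583675367868/environment",
     "namespacedTagValue": "583675367868/environment/development",
     "tagKey": "tagKeys/281477004159305", "tagValue": "tagValues/281476455852818",
     "inherited": True},
]
# Hypothetical policy: cost-center is required here only to show a failing check.
REQUIRED = {"environment": {"development", "production"}, "gpu": None, "cost-center": None}

if __name__ == "__main__":
    # Usage: script.py PROJECT_NUMBER ZONE INSTANCE_ID (live), or no args (sample)
    if len(sys.argv) == 4:
        bindings = list_effective_bindings(instance_parent(*sys.argv[1:]), sys.argv[2])
    else:
        bindings = SAMPLE_BINDINGS
    for finding in missing_required_tags(bindings, REQUIRED):
        print(finding)
```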

Start at the bottom with the full raw JSON:

michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format json | grep L4x2
michael@cloudshell:~ (cuda-old)$

Nothing matches. Filter to the instance:
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format json --filter="name~'instance-20240227.*'" 
[
  {
    "canIpForward": false,
    "confidentialInstanceConfig": {
      "enableConfidentialCompute": false
    },
    "cpuPlatform": "Intel Broadwell",
    "creationTimestamp": "2024-02-26T16:25:51.662-08:00",

   "metadata": {
      "fingerprint": "C6Xzi4E0dRo=",
      "items": [
        {
          "key": "framework",
          "value": "NumPy/SciPy/scikit-learn"
        },
        {
          "key": "shutdown-script",
          "value": "/opt/deeplearning/bin/shutdown_script.sh"
        },
        {
          "key": "title",
          "value": "BASE.CUDA11.3.GPU"
        },
        {
          "key": "version",
          "value": "112"
        },
        {
          "key": "ssh-keys",


    "shieldedInstanceConfig": {
      "enableIntegrityMonitoring": true,
      "enableSecureBoot": false,
      "enableVtpm": true
    },
    "shieldedInstanceIntegrityPolicy": {
      "updateAutoLearnPolicy": true
    },
    "startRestricted": false,
    "status": "TERMINATED",
    "tags": {
      "fingerprint": "IBk9zLcW_is=",
      "items": [
        "deeplearning-vm",
        "http-server",
        "https-server"
      ]
    },
    "zone": "https://www.googleapis.com/compute/v1/projects/cuda-old/zones/europe-west4-a"
  }
]
Check tag value is on key bound to Instance:

Yes, the key/value pair was already added, plus the inherited tags from the org.

Triage json output for key/value on Instance

We know we have 2 tags that appear on the console for the instance in question

  • environment:dev (organization binding)
  • gpu:L4x2 (instance)

we directly query again and apply jq to the output

our instance id is 3097255122501145313

tags:
  fingerprint: 42WmSpB8rSM=
zone: https://www.googleapis.com/compute/v1/projects/cuda-old/zones/us-central1-a
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list  --filter="name~'instance-20240227-002215'"  --format="yaml" | grep tags
tags:

The tags attribute can be expanded; then check params.resourceManagerTags:

michael@cloudshell:~ (cuda-old)$ gcloud compute instances list  --filter="name~'instance-20240227-002215'"  --format="yaml(tags)"
---
tags:
  fingerprint: 42WmSpB8rSM=

no
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list  --filter="name~'instance-20240227-002215'"  --format="yaml(params.resourceManagerTag)"
---
  null

michael@cloudshell:~ (cuda-old)$ gcloud compute instances describe instance-20240227-002215 --zone us-central1-a --format="value(tags.items)" 
michael@cloudshell:~ (cuda-old)$ 

Checking API spec

https://cloud.google.com/compute/docs/reference/rest/v1/instances/list

     "disks": [
        {
          "kind": string,
 ...
          "initializeParams": {
...
            "labels": {
              string: string,
              ...
            },
            "sourceSnapshot": string,
            "architecture": enum,
            "resourceManagerTags": {
              string: string,
              ...
            },
            "provisionedThroughput": string,
            "enableConfidentialCompute": boolean,
            "storagePool": string
          },

   "params": {
        "resourceManagerTags": {
          string: string,
          ...
        }

empty for this instance:

michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --filter="name~'instance-20240227-002215'" --format='table(params.resourceManagerTags)' 
RESOURCE_MANAGER_TAGS: 

of note there are regular instance tags via tags.list() - these are network tags, used by VPC firewall rules and set with gcloud compute instances add-tags (https://cloud.google.com/sdk/gcloud/reference/compute/instances/add-tags) - but these are not the tags we want - we need the bound Resource Manager tags, which the API reports under params.resourceManagerTags

michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format="table(name,status,tags.list())"
NAME: instance-20240227-002215
STATUS: RUNNING
TAGS: fingerprint=42WmSpB8rSM=

NAME: nvidia-rtx-virtual-workstation-window-4-vm
STATUS: TERMINATED
TAGS: fingerprint=ozGpPKykoWo=,items=['nvidia-rtx-virtual-workstation-window-4-deployment']

Resource Manager Tags on Instance via Describe

https://cloud.google.com/sdk/gcloud/reference/compute/instances/describe

michael@cloudshell:~ (cuda-old)$ gcloud compute instances describe instance-20240227-002215 --format='table(params.resourceManagerTags,tags.list())'  --zone=us-central1-a
RESOURCE_MANAGER_TAGS: 
TAGS: fingerprint=42WmSpB8rSM=

Checking https://cloud.google.com/sdk/gcloud/reference/resource-manager/tags/values/describe

org level tag keys:
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags keys list --parent=organizations/$ORGANIZATION_ID
NAME: tagKeys/281477004159305
SHORT_NAME: environment
DESCRIPTION: 

NAME: tagKeys/281480420865053
SHORT_NAME: gpu
DESCRIPTION: 

NAME: tagKeys/97997085260
SHORT_NAME: dev
DESCRIPTION: dev

project level: the environment value is bound directly on the project (first listing below); --effective shows the same binding with its namespaced key and value

There might be a problem with the same gpu tag key carrying a value on the org and on the instance: a resource can hold only one value per tag key, and a value attached directly to the instance overrides the value inherited for that key, so a second instance-local binding of the same key requires a different value - see https://cloud.google.com/resource-manager/docs/tags/tags-overview#inheritance

(screenshot 2024-03-15 17:23: instance tags in the console)

Effective tag bindings - inheritance at the project level
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/cuda-old
---
name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F196717963363/tagValues/281476455852818
parent: //cloudresourcemanager.googleapis.com/projects/196717963363
tagValue: tagValues/281476455852818
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/cuda-old --effective 
---
namespacedTagKey: 583675367868/environment
namespacedTagValue: 583675367868/environment/development
tagKey: tagKeys/281477004159305
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281476455852818


Tags on the instance - including tag inheritance
michael@cloudshell:~ (cuda-old)$ PROJECT_NUMBER=196717963363
michael@cloudshell:~ (cuda-old)$ ZONE=us-central1-a
michael@cloudshell:~ (cuda-old)$ VM_ID=3097255122501145313
michael@cloudshell:~ (cuda-old)$ REGION=us-central1
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//compute.googleapis.com/projects/$PROJECT_NUMBER/zones/$ZONE/instances/$VM_ID --effective --location=$ZONE
---
namespacedTagKey: 583675367868/gpu
namespacedTagValue: 583675367868/gpu/L4x2
tagKey: tagKeys/281480420865053
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281477109412436
---
inherited: true
namespacedTagKey: 583675367868/environment
namespacedTagValue: 583675367868/environment/development
tagKey: tagKeys/281477004159305
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281476455852818
michael@cloudshell:~ (cuda-old)$ 

related: with the --effective flag I now see the same 2 tags on the instance in gcloud that I see in the console (local and inherited)

Query for tags on Instances list

I think we may need to pipe the instance IDs from a list into the gcloud resource-manager tags bindings list command above

pipe the following:
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format='value(id)' 
3097255122501145313
5839359129841279351
8557521086831079305
4671609422449681801
7354295323227830391
2110892445322145001
2522328781629512718
1582019458233620485
8722103262972774360
2076196582829647435
3188326017067447870

Script that lists instances in a zone with their Resource Manager tags (effective bindings, so inherited tags are included)

update: use json

to run:
michael@cloudshell:~ (cuda-old)$ gcloud config set project cuda-old
Updated property [core/project].
michael@cloudshell:~ (cuda-old)$ ./tags.sh


#!/bin/bash
# tags.sh - list every instance in one zone with its effective Resource Manager tag bindings
export PROJECT_NUMBER=196717963363
export ZONE=us-central1-a
# numeric instance IDs in the zone (the bindings parent needs the ID, not the name)
export X1=$(gcloud compute instances list --format='value(id)' --filter="zone~'${ZONE}'")
for i in $X1; do
  echo "Instance ID: $i"
  # --effective includes bindings inherited from the project/folder/org; --location is the zone for zonal resources
  gcloud resource-manager tags bindings list --parent="//compute.googleapis.com/projects/${PROJECT_NUMBER}/zones/${ZONE}/instances/${i}" --effective --location="${ZONE}"
done


michael@cloudshell:~ (cuda-old)$ ./tags.sh 
Instance ID: 3097255122501145313
---
namespacedTagKey: 583675367868/gpu
namespacedTagValue: 583675367868/gpu/L4x2
tagKey: tagKeys/281480420865053
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281477109412436
---
inherited: true
namespacedTagKey: 583675367868/environment
namespacedTagValue: 583675367868/environment/development
tagKey: tagKeys/281477004159305
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281476455852818
Instance ID: 5839359129841279351
---
inherited: true
namespacedTagKey: 583675367868/environment
namespacedTagValue: 583675367868/environment/development
tagKey: tagKeys/281477004159305
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281476455852818
Instance ID: 8557521086831079305
---
inherited: true
namespacedTagKey: 583675367868/environment
namespacedTagValue: 583675367868/environment/development
tagKey: tagKeys/281477004159305
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281476455852818
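
As an added example (not from this wiki page or the toolkit), the script below takes the --effective bindings output shown above for a single instance and in the tags.sh loop, summarizes each binding as direct or inherited, and fails when a required tag key is not bound. The required key is assumed here to be the org's gpu key, 583675367868/gpu; the sample bindings are copied from the output on this page so the script runs offline. For a live instance, pipe the gcloud command named in the comment into audit_bindings instead of the sample.

```shell
#!/usr/bin/env bash
# Added example: audit the effective Resource Manager tag bindings of an instance.
# Live input is the same command used on this page:
#   gcloud resource-manager tags bindings list \
#     --parent=//compute.googleapis.com/projects/$PROJECT_NUMBER/zones/$ZONE/instances/$VM_ID \
#     --effective --location=$ZONE
# Its YAML output (documents separated by ---) is parsed with awk so no gcloud is needed here.

# Collapse each ---separated binding document into one line:
#   <namespacedTagValue> <direct|inherited>
summarize_bindings() {
  awk '
    function flush() {
      if (value != "") printf "%s %s\n", value, (inherited ? "inherited" : "direct")
      value = ""; inherited = 0
    }
    /^---/                 { flush(); next }
    /^inherited: true/     { inherited = 1 }
    /^namespacedTagValue:/ { value = $2 }
    END                    { flush() }
  '
}

# Exit 0 when the summarized bindings (stdin) carry a value for namespaced key $1,
# e.g. 583675367868/gpu; a trailing slash stops 583675367868/gpu matching 583675367868/gpu2.
has_tag_key() {
  awk -v k="$1/" 'index($1, k) == 1 { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the summary for one instance and return 1 if the required key ($1) is missing.
# stdin = raw bindings YAML from gcloud.
audit_bindings() {
  audit_summary=$(summarize_bindings)
  printf '%s\n' "$audit_summary"
  printf '%s\n' "$audit_summary" | has_tag_key "$1"
}

# Constructed sample: the effective bindings printed on this page for instance
# 3097255122501145313 (a gpu value bound on the instance, an environment value inherited).
SAMPLE_BINDINGS='---
namespacedTagKey: 583675367868/gpu
namespacedTagValue: 583675367868/gpu/L4x2
tagKey: tagKeys/281480420865053
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281477109412436
---
inherited: true
namespacedTagKey: 583675367868/environment
namespacedTagValue: 583675367868/environment/development
tagKey: tagKeys/281477004159305
tagKeyParentName: organizations/583675367868
tagValue: tagValues/281476455852818'

# Offline demonstration; exit status 0 because the gpu key is bound directly on the instance.
printf '%s\n' "$SAMPLE_BINDINGS" | audit_bindings 583675367868/gpu
```

To wrap the whole zone, replace the echo in tags.sh with a pipe from the gcloud bindings command into audit_bindings and collect the non-zero exit statuses; a non-zero status is the instance that would not match an IAM condition or firewall policy keyed on that tag.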