Onboarding
use https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/wiki/DevOps
By default, a Billing Account can only be linked to a certain number of projects, based on a variety of factors. A temporary workaround is to create additional billing accounts to get quota per account - or associate an existing billing account from another organization - see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-onboarding.md#onboarding-category-3b1-3rd-party-email-account---3rd-party-aws-route53-domain-validation---reuse-existing-billing-account
- default 5 per billing account - add 10-20 at a time https://support.google.com/code/contact/billing_quota_increase
- default 12-50 per organization - add 20-50 at a time https://support.google.com/code/contact/project_quota_increase
To submit a quota increase follow the next steps:
- try to ask for under 50 at a time - as 50 is the verification point where the automated approval may not kick in - try for 20-30
- Fill out the billing quota increase from the default 5 directly via https://support.google.com/code/contact/billing_quota_increase
- or
- Create (at least) 5 projects, or more, under the folder created in the GCP validation steps section.
- On the left menu, go to Billing and select “My Projects”. Notice that the last project has billing disabled.
- In the Actions column, click the "More Actions" (3 dots) icon corresponding to the project. Select “Change Billing”.
- Select a Billing account and click “Set Account”.
- The following message will appear. Select “Request Quota Increase”.
- Provide the required information and submit the quota increase request.
Instead of submitting a Quota Increase request, you can also create another Billing Account.
- Go to Billing, select “My Billing Accounts” and click “Create Account”.
- Provide the payment information required.
Ask for 20 from the default 5 for project/billing association - create 6 projects and assign billing on the 6th to get the popup. Select "paid services" and you will get approved in 3 min in most cases. For example
Fill out the form - note the paid services and less than 50 request
Usually you get 2 emails - the request and the response - lately we recieve just the response for billing/quota within 3 min. This is on an account that has been on past the 90 day credit period and with previously approved requests
By default your organization receives 50 licences for Cloud Identity Free edition. This will increase to 100 if you purchase services like Google Workspaces. If you require more than 50 or 100 licences and/or are prototype identity federation you can request more licenses by filling out the following form from your admin console.
- I could have used a support case instead (don't think the client has a support contract yet) - next time
- https://console.cloud.google.com/support/createcase/v2?project=biometric-ol
Navigate to admin | billing | subscriptions
-
click on the link in "Learn More"
-
-
https://admin.google.com/ac/billing/subscriptions/i9T-sfdXnZik1HvrbBnqZA
-
https://support.google.com/cloudidentity/answer/7295541?hl=en
-
Learn More | Increase your user cap | Fill out this form
The process will take around 1 hour - you may get asked for verification of your request.
- from https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-onboarding.md#billing
- discussion https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/659
- see https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/292
- see BAA requirement for shared billing - https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/255
- Verify billing quota first
- Type 1: shared billing account where account owner in other org adds the super admin account in this org as a Billing Account Administrator and/or Billing Account User where normal IAM inheritance into Billing is not done due to security separation. In this case the target service account must have a copy of it's Billing Account User role also set on the billing page under the org "NONE SELECTED".
- Type 2: direct billing credit card on this account (all tests above so far are this case) State of billing id associations for type 2 are the following (this one is for the guardrails install https://github.com/canada-ca/accelerators_accelerateurs-gcp/issues/47) - notice that the terraform service account is in the list as well as the user super admin account.
TL;DR; Shared billing accounts do not get shared IAM roles - they need to be set separately
We need a workaround (see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/177 ) for the fact that if the billing account is of type "shared" - owned by a source organization where it comes in under the target organization as "Non Selected, ID=0" then any service account created will not get inherited links from IAM set in Billing - these like Billing Account User - need to be set manually. The workaround is currently manual - set the billing role directy in Billing on the shared account. See IAM Role inheritance into Billing Roles in https://cloud.google.com/billing/docs/how-to/billing-access
Example
michael@cloudshell:~$ gcloud config set project gcp-zone-landing-stg
Updated property [core/project].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export PROJECT_ID=$(gcloud config list --format 'value(core.project)')
michael@cloudshell:~ (gcp-zone-landing-stg)$ export ORG_ID=$(gcloud projects get-ancestors $PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_PREFIX=tfsa-example
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud iam service-accounts create "${SA_PREFIX}" --display-name "Terraform example service account" --project=${PROJECT_ID}
Created service account [tfsa-example].
michael@cloudshell:~ (gcp-zone-landing-stg)$ export SA_EMAIL=`gcloud iam service-accounts list --project="${PROJECT_ID}" --filter=tfsa --format="value(email)"`
michael@cloudshell:~ (gcp-zone-landing-stg)$ echo $SA_EMAIL
tfsa-example@gcp-zone-landing-stg.iam.gserviceaccount.com
check existing roles
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"
Set the billing role
gcloud organizations add-iam-policy-binding ${ORG_ID} --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
check again
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations add-iam-policy-binding ${ORG_ID} --member=serviceAccount:${SA_EMAIL} --role=roles/billing.user
Updated IAM policy for organization [925207728429].
...
michael@cloudshell:~ (gcp-zone-landing-stg)$ gcloud organizations get-iam-policy $ORG_ID --filter="bindings.members:$SA_EMAIL" --flatten="bindings[].members" --format="table(bindings.role)"
ROLE: roles/billing.user
It may take a couple min to show in IAM
Checking billing on the shared account
expected on billing accounts belonging to this org - via IAM inheritance in billing
not expected on billing accounts shared from other orgs
Workaround - set manually
ref https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/issues/177
For most cases we do not modify the original owning organization on a particular billing account. When we want to distributed this BID (billing ID) to other organizations in the form of project/billing associations - we do this via the Cloud Identity roles "Billing Account Administrator" - which can also assign "Billing Account User" roles to service accounts or just "Billing Account User". The identity user or SA in the receiving org can then switch projects to this shared billling account.
However there is a way to move a billing account (not recommended for cloud brokerage shared billing client organizations). When the organization admin role is assigned in the BID owning org to the organization admins / billing account admins in the target or sub-orgs (remember all organizations are flat - but they can appear as sub-orgs via subdomains).
In the "Billing Account Management" view - select "Change Organization" and select one of the sub-orgs like below
Moving the billing account between organizations is usually reserved for full organization migration.
- Note: billing accounts and shared billing accounts cannot be deleted - they can be removed from an org by removing the "Billing Account Administrator" role for other organization super admins (not the current owned billing project for this org)
- see https://github.com/GoogleCloudPlatform/pbmm-on-gcp-onboarding/blob/main/docs/google-cloud-onboarding.md#shared-billing-accounts
- Summary: delete the project to ensure resources are shutdown
- Disabling billing will remove billable
There are 4 scenarios to start 1 - project(s) deletion - https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects 2 - project migration to another organization - https://cloud.google.com/resource-manager/docs/project-migration and https://cloud.google.com/resource-manager/docs/moving-projects-folders 3 - project backup/restore (at the GCP service level using GCE snapshot for example, or if the services were raised using gcloud/terraform/kcc deployment scripts) 4 - disassociate billing on the project
- two organizations (gcp.zone - org with the project to be deleted) and (landing.gcp.zone - org owning the shared billing account)
- Shared billing account from landing.gcp.zone to gcp.zone org via Billing Account Administrator role
- https://console.cloud.google.com/billing?organizationId=962342543445&supportedpurview=project
-
- Project to be deleted in gcp.zone associated with landing.gcp.zone billing
- https://console.cloud.google.com/billing/projects?organizationId=925207728429&supportedpurview=project
-
- Current bill was running a total of $85 for clouddeploy-gz over this month
-
- notice that project clouddeploy-gz is assocated with the billing account 0127C1-...-EA25D6 from another org - the goal is to shutdown completely the project and disassociate billing so no more charges occur
- We navigate to the project in the owning organization and delete the project - starting a 30day cycle where it can be reactivated
- follow https://cloud.google.com/resource-manager/docs/creating-managing-projects#shutting_down_projects
- Quote "If the project has a billing account associated with it, that association is broken, and isn't reinstated if the project delete operation is canceled. After 30 days, the project is fully deleted."
- via https://console.cloud.google.com/cloud-resource-manager?organizationId=925207728429&supportedpurview=project
-
- hit delete on selected project
-
- wait -w e will check out removing/disassociating biling first below
- Back up from removing billing - we readded billing back and will delete the project
-
-
- Project "clouddeploy-gz" is now shut down and scheduled to be deleted after Nov 26, 2022.
-
- nothing off the billing page anymore
- Restoring the project to test billing association state
- 
- in this scenario the project comes back up with the previous shared billing reassociated (note: super admin user only can do this)
- GCE is not fully available yet - as you cannot reuse that billing account
- switch billing to another shared account
- switch back
- VMs can be created in the restored project
- 
- instance up - we will check that it is not in asset inventory (no billing) after re-deleting the project
- asset inventory before
- 
- delete project
- 
- 
- we still show in asset inventory at the project level
- and at the org level (3 + 1 vms)
- the project though is in a 30 day restore state but not in billing - Asset inventory shows current and deleted (30 day window) resources
- the source of truth is the billing page
- no clouddeploy-lz project in billing
I will add gcloud scripting shortly
- Alternatively disable billing on the project without deleting it - in billing (project will be both deleted and visible in IAM this way)
-
- or select billing on the dropdown in resource manager
-
-
-
-
- disable billing "When you disable billing, any billable activity of your services will stop, your billable resources may be deleted, and your application may stop functioning."
-
- Billing is disabled
-
- Project is still there but services are shutdown (almost the same as project deletion)
-
- Only default/uncharged services are still up in IAM - Asset Inventory
-
- You can still shell into your project
-
- But you cannot create billable resources - where we used to run a double GKE cluster - we cannot create GCE VMs or use GKE for example
-
-
- either way - the project is deleted - whether you delete it or remove billing - both remove billing and place the project in "resources pending deletion"
-
- see https://support.google.com/googleapi/answer/6251787?hl=en#zippy=%2Crestore-a-project
- Note that even though I have project creator and deleter roles on my SA - I cannot undelete a previously deleted or billing associated project without adding resourcemanager.projects.undelete or owner
- goto resources pending deletion at the end of resource manager in IAM
- only the projects you deleted in the past 30 days can be restored with the extra permission of resourcemanager.projects.undelete
- other projects we can restore with owner within the 30 day window
- 
- Turn billing back on to any shared billing account and the project is ready again - we will go back up and formally delete the project now
- There may be a residual bill for essentially empty accounts - of 0.46 - investigating how to remove this charge
-
- in my case I have 2 projects that are billing under 0.01 per day with a cumulation of .23 and .21 = .44 - with 13% tax up to .49 - not all services are regional so if the buckets are in NA they will be taxed. Anyway I will determine which resources are having resdidual - likely cloud storage bucket costs.
-
Note: Deleted projects are recoverable up to 30 days from "pending deletion" state - after that they are fully deleted from backup. billing-disabled/unset projects stay in IAM and have active free resources (such as an IAM service account) | Manage Resources - and are visible in /billing/projects indefinitely (IE: I have non-empty billing disabled projects from 2014 in one of my orgs) Therefore I recommend projects be in "Deleted" not "Disable Billing" state - unless you want to reenable them after 30 days.
For example an older billing disabled project
The project below has been in billing disabled state since 2014
I do however have a left over Google App Engine application (from an Eclipse in-IDE deployment) left over from 2019 that is created but not deployed - hence no billing account required yet.
You can see that the service account created for GAE at 9AM on 2 May 2019
This section details procedures around deleting one or more organizations. The use case around org deletion is usually in the context of semi-automated sub-org creation/deletion as teams iterate in and out of project level GCP deployments in a multi-org multi-tenant landing zone structure.
Note:
- billing data is on a 24h refresh cycle
- Deleting an organization resource https://cloud.google.com/resource-manager/docs/creating-managing-organization
- Delete your organization's Google Account https://support.google.com/a/answer/9468554?hl=en
There are two organizations involved in this use case - the org under deletion gcp...network and the org holding the billing id gcp...network.
We will need to delete the super admin reference to the org under deletion that may still may be associated as a billing account administrator on the organization holding the billing account this is step 2 in the "creating-managing-organization" section
- historical billing - org still up - org BAA still associated (normal scenario)
- historical billing - org still up - org BAA unassociated more than 24h ago
- historical billing - org deleted more than 24h ago - org BAA still associated
- historical billing - org deleted more than 24h ago - org BAA unassociated more than 24h ago
Scenario: we will delete the organization gcp...network after at least 24h of billing association with the owning org approach...zone
- OA_ORG_D: Organization Administrator account (and Workspace super admin) - ad-s@gc*.g*.n*
- ORG_D: Organization to delete = gcp.*.network
- BID_1: Organization owning BID 1 = app*.gcp.z*
- BID_2: Organization owning BID 2 = gcp.z*
- The org admin OA_ORG_D for ORG_D is currently associated as a BAA under BID_1 and BID_2
- delete 3 remaining projects including 2 stopped GCE VMs on ORG_D
- Note: billing should be disabled first - if not goto billing | account managment - disable billing on deleted projects
- dev-* with BID_1 app*
- gcloud-* with BID_2 gcp*
- (optionally disassociate OA_ORD_D from BID_1 and BID_2 - if you have BAA access to these other organizations
- verify no projects in billing | my projects
- verify single billing account directly under the org in billing
- verify 3 billing accounts under the org "none selected"
- delete all subscriptions except (cloud identity)
- follow https://support.google.com/a/answer/9468554?hl=en
- navigate to Account | Account settings | Account Management | Delete Account
Delete account
Check account
- attempting to login = "This account was recently deleted and may be recoverable. Click Next to attempt to restore this account."
- check shared billing at BID_1 and notice the BAA association now appends the following to the deleted account "uid=5034....247802"
- We will wait 24h to verify whether billing history stays up and also verify whether the BAA assocation deletion has an effect on billing history (deletes historical records) - by removing the BAA only from BAA_2
- To verify whether the GCP super admin gcloud/cloud-identity account has been deleted - check role associations in https://console.cloud.google.com in any other organization linked to the account and look for a ?uid=.... appended to the email
- Before
- After
- on g*.z* removing billing association on a deleted project
- removing the BAA role on the deleted account
- in 24h check historical billing still shows for this deleted account
delete principal for "Billing Account Administrator" role on the owning organization of one of the billing accounts.
Principal "a...er@gc...rk?uid=503...47802" successfully removed from all policies on resource "billingAccounts/01...05.."
We still have historical billing data - will recheck after 24h
In the shared billing account owning organization you will continue to see historical billing metrics around any projects, folders and the organization itself after deletion.
- see historical organization data under billing | Reports | 90 days
- specifically here gcp...services is historical but gcp...network is a currently billing project
- in the report view you will notice that we still show gcp...services org project traffic-os up to Dec 2 (it is Dec 23rd in this capture) - even though the org
- in the report view note that a 3rd org landing...zone that had billing traffic in Nov under the fortigate project shows billing data even though the organization SA was removed from the billing account administrator role on the owning org approach...zone more than 24h ago.
the landing...zone SA is not in the BAA list below
Multi organization single pane is possible (flat model) pending details....
- reference https://cloud.google.com/resource-manager/docs/tags/tags-creating-and-managing
- Issue https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/issues/729
- last update 20240315 Tags can be created at the GCP Organization level or the project level - but not the folder level.
- Add a couple tags - one at the organization level and one at the project level
- currently no tags setup
michael@cloudshell:~$ gcloud config set project cuda-old
# create tag key
michael@cloudshell:~ (cuda-old)$ TAG_NAME=gpu
michael@cloudshell:~ (cuda-old)$ BOOT_PROJECT_ID=cuda-old
michael@cloudshell:~ (cuda-old)$ ORGANIZATION_ID=$(gcloud projects get-ancestors $BOOT_PROJECT_ID --format='get(id)' | tail -1)
michael@cloudshell:~ (cuda-old)$ SUPER_ADMIN_EMAIL=$(gcloud config list --format json|jq .core.account | sed 's/"//g')
michael@cloudshell:~ (cuda-old)$ gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/resourcemanager.tagAdmin --quiet > /dev/null 1>&1
Updated IAM policy for organization [583675367868].
michael@cloudshell:~ (cuda-old)$ gcloud organizations add-iam-policy-binding $ORGANIZATION_ID --member=user:$SUPER_ADMIN_EMAIL --role=roles/resourcemanager.tagUser --quiet > /dev/null 1>&1
Updated IAM policy for organization [583675367868].
michael@cloudshell:~ (cuda-old)$ TAG_NAME=gpu
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags keys create $TAG_NAME --parent=$RESOURCE_ID
Waiting for TagKey [gpu] to be created...done.
createTime: '2024-03-15T15:21:45.515777Z'
etag: Xk0352M/9L4GEdKXgCZ9FQ==
name: tagKeys/281480420865053
namespacedName: 583675367868/gpu
parent: organizations/583675367868
shortName: gpu
updateTime: '2024-03-15T15:21:45.515777Z'
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags keys describe tagKeys/281480420865053
createTime: '2024-03-15T15:21:45.515777Z'
etag: Xk0352M/9L4GEdKXgCZ9FQ==
name: tagKeys/281480420865053
namespacedName: 583675367868/gpu
parent: organizations/583675367868
shortName: gpu
updateTime: '2024-03-15T15:21:45.515777Z'
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags values create L4x2 --parent=tagKeys/281480420865053
Waiting for TagValue [L4x2] to be created...done.
createTime: '2024-03-15T15:25:49.385598Z'
etag: vcOwj3mv2sVJl3simNyvFA==
name: tagValues/281477109412436
namespacedName: 583675367868/gpu/L4x2
parent: tagKeys/281480420865053
shortName: L4x2
updateTime: '2024-03-15T15:25:49.385598Z'
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags values describe tagValues/281477109412436
createTime: '2024-03-15T15:25:49.385598Z'
etag: vcOwj3mv2sVJl3simNyvFA==
name: tagValues/281477109412436
namespacedName: 583675367868/gpu/L4x2
parent: tagKeys/281480420865053
shortName: L4x2
updateTime: '2024-03-15T15:25:49.385598Z'
- attaching directly to VM in this case
michael@cloudshell:~ (cuda-old)$ export TAG_RESOURCE_ID=//cloudresourcemanager.googleapis.com/projects/196717963363
michael@cloudshell:~ (cuda-old)$ export TAGVALUE_NAME=tagValues/281477109412436
list out tags on the org
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/$RESOURCE_ID
Listed 0 items.
list out tags on the project
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/cuda-old
Listed 0 items.
and inherited via --effective
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/cuda-old --effective
Listed 0 items.
list out existing tags on the instance
https://cloud.google.com/compute/docs/tag-resources#adding_tags_to_a_resource
michael@cloudshell:~ (cuda-old)$ PROJECT_NUMBER=196717963363
michael@cloudshell:~ (cuda-old)$ ZONE=us-central1-a
michael@cloudshell:~ (cuda-old)$ VM_ID=3097255122501145313
michael@cloudshell:~ (cuda-old)$ REGION=us-central1
michael@cloudshell:~ (cuda-old)$ export TAGVALUE_NAME=tagValues/281477109412436
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings create --tag-value=$TAGVALUE_NAME --parent=//compute.googleapis.com/projects/$PROJECT_NUMBER/zones/$ZONE/instances/$VM_ID --location us-central1-a
done: true
response:
'@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
name: tagBindings/%2F%2Fcompute.googleapis.com%2Fprojects%2F196717963363%2Fzones%2Fus-central1-a%2Finstances%2F3097255122501145313/tagValues/281477109412436
parent: //compute.googleapis.com/projects/196717963363/zones/us-central1-a/instances/3097255122501145313
tagValue: tagValues/281477109412436
tagValueNamespacedName: 583675367868/gpu/L4x2
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//compute.googleapis.com/projects/$PROJECT_NUMBER/zones/$ZONE/instances/$VM_ID --location us-central1-a
---
name: tagBindings/%2F%2Fcompute.googleapis.com%2Fprojects%2F196717963363%2Fzones%2Fus-central1-a%2Finstances%2F3097255122501145313/tagValues/281477109412436
parent: //compute.googleapis.com/projects/196717963363/zones/us-central1-a/instances/3097255122501145313
tagValue: tagValues/281477109412436
# from Martin via the json spec for the API
https://cloud.google.com/compute/docs/reference/rest/v1/instances/get
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format='table(name,labels,params.resourceManagerTags,tags.list())'
NAME: instance-20240227-002215
LABELS: {'container-vm': 'cos-stable-109-17800-147-15', 'running': 'magellan'}
RESOURCE_MANAGER_TAGS:
TAGS: fingerprint=42WmSpB8rSM=
NAME: nvidia-rtx-virtual-workstation-window-4-vm
LABELS: {'goog-dm': 'nvidia-rtx-virtual-workstation-window-4'}
RESOURCE_MANAGER_TAGS:
TAGS: fingerprint=ozGpPKykoWo=,items=['nvidia-rtx-virtual-workstation-window-4-deployment']
no resource manager tags
false positive
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --filter='tags.items:(gpu)'
WARNING: --filter : operator evaluation is changing for consistency across Google APIs. tags.items:gpu currently matches but will not match in the near future. Run `gcloud topic filters` for details.
NAME: nvidia-rtx-virtual-workstation-w-8-4gpu-vm
ZONE: us-east4-a
MACHINE_TYPE: g2-standard-48
PREEMPTIBLE:
INTERNAL_IP: 10.150.0.3
EXTERNAL_IP:
STATUS: TERMINATED
https://cloud.google.com/sdk/gcloud/reference/topic/filters
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --filter="tags.items=tagKeys/281480420865053"
Listed 0 items.
- this one already has a value
add a 2nd tag binding to the project and then list using --effective to get both the project and instance tag bindings
export TAGVALUE2_NAME=tagValues/281476455852818
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings create --tag-value=$TAGVALUE2_NAME --parent=//cloudresourcemanager.googleapis.com/projects/$PROJECT_NUMBER
done: true
response:
'@type': type.googleapis.com/google.cloud.resourcemanager.v3.TagBinding
name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F196717963363/tagValues/281476455852818
parent: //cloudresourcemanager.googleapis.com/projects/196717963363
tagValue: tagValues/281476455852818
tagValueNamespacedName: 583675367868/environment/development
michael@cloudshell:~ (cuda-old)$ gcloud resource-manager tags bindings list --parent=//cloudresourcemanager.googleapis.com/projects/$PROJECT_NUMBER
---
name: tagBindings/%2F%2Fcloudresourcemanager.googleapis.com%2Fprojects%2F196717963363/tagValues/281476455852818
parent: //cloudresourcemanager.googleapis.com/projects/196717963363
tagValue: tagValues/281476455852818
Now query both tags
start at the bottom with full raw JSON
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format json | grep L4x2
michael@cloudshell:~ (cuda-old)$
nothing
michael@cloudshell:~ (cuda-old)$ gcloud compute instances list --format json --filter="name~'instance-20240227.*'"
[
{
"canIpForward": false,
"confidentialInstanceConfig": {
"enableConfidentialCompute": false
},
"cpuPlatform": "Intel Broadwell",
"creationTimestamp": "2024-02-26T16:25:51.662-08:00",
"metadata": {
"fingerprint": "C6Xzi4E0dRo=",
"items": [
{
"key": "framework",
"value": "NumPy/SciPy/scikit-learn"
},
{
"key": "shutdown-script",
"value": "/opt/deeplearning/bin/shutdown_script.sh"
},
{
"key": "title",
"value": "BASE.CUDA11.3.GPU"
},
{
"key": "version",
"value": "112"
},
{
"key": "ssh-keys",
"shieldedInstanceConfig": {
"enableIntegrityMonitoring": true,
"enableSecureBoot": false,
"enableVtpm": true
},
"shieldedInstanceIntegrityPolicy": {
"updateAutoLearnPolicy": true
},
"startRestricted": false,
"status": "TERMINATED",
"tags": {
"fingerprint": "IBk9zLcW_is=",
"items": [
"deeplearning-vm",
"http-server",
"https-server"
]
},
"zone": "https://www.googleapis.com/compute/v1/projects/cuda-old/zones/europe-west4-a"
}
]
Yes, already added key/value pair
plus inherited tags from the org
