GCP has 3 different types of 'resource tagging':
- Tags - https://cloud.google.com/resource-manager/docs/tags/tags-overview
- Labels - https://cloud.google.com/compute/docs/labeling-resources
- Network Tags - https://cloud.google.com/vpc/docs/add-remove-network-tags
1. Tags provide a way to conditionally allow or deny policies based on whether a resource has a specific tag. Tags can be referenced in IAM policy bindings or Organization Policy constraints to grant conditional access to resources.
2. Labels can be used as queryable annotations for resources, but can't be used to set conditions on policies. Labels are arbitrary key:value pairs that are stored as part of the resource's metadata. You can use labels to organize your Google Cloud resources.
   a. User Labels - edited by users
   b. System Labels - added automatically by GCP
3. Network Tags are simple strings, not keys and values, and don't offer any kind of access control. They are mainly used in Compute Engine VM instances to allow you to make firewall rules and routes applicable to specific VM instances or a set of instances.
   a. You make a firewall rule applicable to specific instances by using target tags and source tags.
   b. You make a route applicable to specific instances by using a tag.
The platform pulls labels using API calls. Network tags are also available in the tags field in API responses from VMs. However, we're currently unable to pull tags, so they are not supported.
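
As an added illustration (not code from the platform or from Google), the sketch below reads labels and network tags from instance records and uses firewall target tags to list which VMs an internet-facing ingress rule reaches. The sample records are constructed in the shape of Compute Engine API responses; it assumes a single VPC network, all rules enabled, and no rules that target by service account.

```python
import json

# Constructed sample data shaped like Compute Engine API responses
# (instances.list and firewalls.list); all names and values are made up.
INSTANCES = json.loads("""[
  {"name": "web-1", "labels": {"env": "prod", "team": "payments"},
   "tags": {"items": ["web", "allow-ssh"]}},
  {"name": "db-1", "labels": {"env": "prod"}, "tags": {"items": ["db"]}},
  {"name": "batch-1", "labels": {}}
]""")

FIREWALLS = json.loads("""[
  {"name": "allow-ssh-anywhere", "direction": "INGRESS",
   "sourceRanges": ["0.0.0.0/0"], "targetTags": ["allow-ssh"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["22"]}]},
  {"name": "web-to-db", "direction": "INGRESS",
   "sourceTags": ["web"], "targetTags": ["db"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["5432"]}]},
  {"name": "allow-internal", "direction": "INGRESS",
   "sourceRanges": ["10.0.0.0/8"],
   "allowed": [{"IPProtocol": "icmp"}]}
]""")

def network_tags(instance):
    """Network tags are plain strings under tags.items; the field may be absent."""
    return set(instance.get("tags", {}).get("items", []))

def rules_for(instance, firewalls):
    """Names of rules targeting this instance by network tag. A rule with no
    targetTags is treated as targeting every instance (assumption: no rule
    here uses targetServiceAccounts)."""
    tags = network_tags(instance)
    return [fw["name"] for fw in firewalls
            if not fw.get("targetTags") or tags & set(fw["targetTags"])]

def internet_exposed(instances, firewalls):
    """Map instance name -> ingress rules that reach it from 0.0.0.0/0."""
    open_rules = {fw["name"] for fw in firewalls
                  if fw.get("direction") == "INGRESS"
                  and "0.0.0.0/0" in fw.get("sourceRanges", [])}
    report = {}
    for inst in instances:
        exposed = [r for r in rules_for(inst, firewalls) if r in open_rules]
        if exposed:
            report[inst["name"]] = exposed
    return report
```

Labels stay available for grouping the result (for example by `env`), but only the network tags decide which firewall rules apply.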