GCP has 3 different types of 'resource tagging':
- Tags (https://cloud.google.com/resource-manager/docs/tags/tags-overview) - provide a way to conditionally allow or deny policies based on whether a resource has a specific tag. Tags can be referenced in IAM policy bindings or Organization Policy constraints to grant conditional access to resources.
- Labels (https://cloud.google.com/compute/docs/labeling-resources) - can be used as queryable annotations for resources, but can't be used to set conditions on policies. Labels are arbitrary key:value pairs that are stored as part of the resource's metadata. You can use labels to organize your Google Cloud resources.
  - User Labels - edited by users
  - System Labels - added automatically by GCP
- Network Tags (https://cloud.google.com/vpc/docs/add-remove-network-tags) are simple strings, not keys and values, and don't offer any kind of access control. They are mainly used in Compute Engine VM instances to allow you to make firewall rules and routes applicable to specific VM instances or a set of instances.
  - You make a firewall rule applicable to specific instances by using target tags and source tags.
  - You make a route applicable to specific instances by using a tag.
The platform pulls only Labels, using API calls and data from the BigQuery Billing Export; Network Tags are available in the `tags` field of API responses. It is currently unable to pull Tags (the Resource Manager kind).
When you tag resources in GCP, use Labels rather than Tags. Labels are the correct way of tagging resources and are the equivalent of how you tag in AWS and Azure (GCP simply uses different terminology).
When you view labels within the platform, GCP labels have the prefix "Label":

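The three shapes described above look different on the wire: the Compute API returns Labels as a key:value map and Network Tags as bare strings under `tags.items`, while the Billing Export stores `labels` and `system_labels` as repeated `{key, value}` records. The following is an added example (not the platform's or Google's code) that normalizes both sources into plain maps and keeps Network Tags separate; the sample payloads are constructed, and the `Label:` separator used for display is an assumption.

```python
import json

# Constructed sample: a trimmed Compute Engine instances.get response.
# Labels are a key:value map; Network Tags are bare strings under tags.items.
INSTANCE_API_RESPONSE = json.loads("""{
  "name": "web-1",
  "labels": {"env": "prod", "team": "payments"},
  "tags": {"items": ["http-server", "allow-ssh"], "fingerprint": "abc="}
}""")

# Constructed sample: one row from the BigQuery Billing Export, where labels
# and system_labels are repeated records of {key, value}.
BILLING_EXPORT_ROW = json.loads("""{
  "service": {"description": "Compute Engine"},
  "cost": 1.23,
  "labels": [{"key": "env", "value": "prod"}, {"key": "team", "value": "payments"}],
  "system_labels": [{"key": "compute.googleapis.com/machine_spec", "value": "e2-medium"}]
}""")


def labels_from_api(instance: dict) -> dict:
    """User Labels from the Compute API: already a key:value map."""
    return dict(instance.get("labels", {}))


def labels_from_billing(row: dict) -> tuple:
    """Flatten the Billing Export's repeated {key, value} records into maps,
    keeping user Labels and GCP-added System Labels apart."""
    user = {r["key"]: r["value"] for r in row.get("labels", [])}
    system = {r["key"]: r["value"] for r in row.get("system_labels", [])}
    return user, system


def network_tags_from_api(instance: dict) -> list:
    """Network Tags: bare strings under tags.items. They select firewall rules
    and routes, so they must never be folded into the label set."""
    return list(instance.get("tags", {}).get("items", []))


def platform_label_names(labels: dict) -> dict:
    """Display labels with the platform's 'Label' prefix (separator assumed)."""
    return {f"Label:{k}": v for k, v in labels.items()}
```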