GCP Tags and Labels as Teleport Agent Labels
Date: 2025-07-30
When running on a Google Compute Engine instance, Teleport will automatically detect and import GCP tags (key-value pairs that are their own resource) and labels (key-value pairs that are specific to each instance) as Teleport labels for SSH nodes, applications, databases, and Kubernetes clusters. Both tags and labels imported this way will have the gcp/ prefix; additionally, tags will receive the tag/ infix and labels will receive the label/ infix. For example, an instance with label foo=bar and tag baz=quux will have the Teleport labels gcp/label/foo=bar and gcp/tag/baz=quux.
When the Teleport process starts, it fetches all tags and labels from the GCP API and adds them as labels. The process will update the tags every hour, so newly created or deleted tags will be reflected in the labels.
If the GCP label TeleportHostname is present, its value (must be lower case) will override the node's hostname. This does not apply to GCP tags.

tsh ls
Node Name            Address        Labels
-------------------- -------------- -------------------------------------------------------------------------------------------
fakehost.example.com 127.0.0.1:3022 gcp/label/testing=yes,gcp/tag/environment=staging,gcp/TeleportHostname=fakehost.example.com

For services that manage multiple resources (such as the Database Service), each resource will receive the same tags and labels from GCP.
Prerequisites
- A running Teleport cluster version 17.0.0-dev or above. If you want to get started with Teleport, sign up for a free trial or set up a demo environment.
- The tctl and tsh clients.
Installing tctl and tsh clients

Mac
Download the signed macOS .pkg installer for Teleport, which includes the tctl and tsh clients:
curl -O https://cdn.teleport.dev/teleport-17.0.0-dev.pkg
In Finder double-click the pkg file to begin installation.
Danger: Using Homebrew to install Teleport is not supported. The Teleport package in Homebrew is not maintained by Teleport and we can't guarantee its reliability or security.

Windows - PowerShell
curl.exe -O https://cdn.teleport.dev/teleport-v17.0.0-dev-windows-amd64-bin.zip
Unzip the archive and move the `tctl` and `tsh` clients to your %PATH%
NOTE: Do not place the `tctl` and `tsh` clients in the System32 directory, as this can cause issues when using WinSCP.
Use %SystemRoot% (C:\Windows) or %USERPROFILE% (C:\Users\<username>) instead.

Linux
All of the Teleport binaries in Linux installations include the tctl and tsh clients. For more options (including RPM/DEB packages and downloads for i386/ARM/ARM64) see our installation page.
curl -O https://cdn.teleport.dev/teleport-v17.0.0-dev-linux-amd64-bin.tar.gz
tar -xzf teleport-v17.0.0-dev-linux-amd64-bin.tar.gz
cd teleport
sudo ./install
Teleport binaries have been copied to /usr/local/bin

The tctl and tsh clients must be at most one major version behind your Teleport cluster version. Send a GET request to the Proxy Service at /v1/webapi/ping and use a JSON query tool to obtain your cluster version:
curl https://example.teleport.sh/v1/webapi/ping | jq -r '.server_version'
17.0.0-dev

- One Teleport Agent running on a GCP Compute instance. See our guides for how to set up Teleport Agents.
Configure service account on instances with Teleport nodes
Create a service account that will give Teleport the IAM permissions needed
to import tags and labels. Copy the following and paste it into a file called
teleport-labels-role.yaml:
# teleport-labels-role.yaml
title: "teleport-labels"
description: "A role to enable Teleport to import tags and labels"
stage: "ALPHA"
includedPermissions:
- compute.instances.get
- compute.instances.listEffectiveTags
Then run the following command to create the role:
gcloud iam roles create teleport_labels \
    --project=project_id \
    --file=teleport-labels-role.yaml
Run the following command to create the service account:
gcloud iam service-accounts create teleport-labels \
    --description="A service account to enable Teleport to import tags and labels" \
    --display-name="teleport-labels"
Run the following command to add the new role to the new service account:
gcloud projects add-iam-policy-binding project_id \
    --member="serviceAccount:teleport-labels@project_id.iam.gserviceaccount.com" \
    --role="projects/project_id/roles/teleport_labels"
If you want to only import labels or only import tags, you can leave compute.instances.listEffectiveTags or compute.instances.get out of your created service account's permissions, respectively.
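
The labels-only and tags-only variants described above, as an added example that is not part of the original guide or of Teleport: it renders teleport-labels-role.yaml for a chosen import mode and reports any permission in a role file that the mode does not need. The function names and the labels|tags|both mode argument are hypothetical, and the check assumes the only YAML list in the file is includedPermissions.

```bash
#!/usr/bin/env bash
# Added example: least-privilege variants of teleport-labels-role.yaml.
# Function names and the labels|tags|both "mode" argument are hypothetical.

# Permissions the page lists as needed for each import mode.
required_permissions() {
  case "$1" in
    labels) echo "compute.instances.get" ;;
    tags)   echo "compute.instances.listEffectiveTags" ;;
    both)   printf '%s\n' "compute.instances.get" "compute.instances.listEffectiveTags" ;;
    *)      echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# Render the role definition for the chosen mode in the page's YAML layout.
render_role() {
  local perms
  perms="$(required_permissions "$1")" || return 2
  printf '%s\n' 'title: "teleport-labels"' \
    'description: "A role to enable Teleport to import tags and labels"' \
    'stage: "ALPHA"' 'includedPermissions:'
  printf '%s\n' "$perms" | sed 's/^/- /'
}

# Print permissions in a role file that the chosen mode does not need.
# Returns 0 (and prints nothing) when the file grants only what is required.
# Assumes the only YAML list in the file is includedPermissions.
excess_permissions() {
  local file="$1" mode="$2" needed granted extra
  needed="$(required_permissions "$mode")" || return 2
  granted="$(sed -n 's/^[[:space:]]*-[[:space:]]*//p' "$file" | tr -d '"')"
  extra="$(printf '%s\n' "$granted" | grep -vxF -e "$needed" || true)"
  if [ -n "$extra" ]; then
    printf '%s\n' "$extra"
    return 1
  fi
}

# Constructed demo: check the page's full role against a labels-only deployment.
demo_file="$(mktemp)"
render_role both > "$demo_file"
excess_permissions "$demo_file" labels || echo "(not needed for labels-only import)"
rm -f "$demo_file"
```

Redirect `render_role labels` or `render_role tags` into teleport-labels-role.yaml before running the `gcloud iam roles create` command shown earlier.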