IBM Cloud Docs

Attaching and detaching tags on a resource in the console

From the IBM Cloud® console, click the Navigation Menu icon > Resource list to view your list of resources.
Locate the specific resource in the list.
To attach a tag to the resource, click the Actions icon > Add tags.
Enter the name of the tag, and click Save.
To detach the tag from the resource, click the Edit icon next to the tag in your resource list.

When you detach an access management tag from a resource, any associated access policies are also detached from that resource.

Attaching tags to a resource by using the CLI

Log in to IBM Cloud® CLI and select your account to run the appropriate CLI command.

To attach a tag to a resource, use the ibmcloud resource tag-attach command. The allowed values for tag-type are user for user tags and access for access management tags. The default value is user. The following example shows how to attach a user tag that is called MyTag to a resource named MyResource:

ibmcloud resource tag-attach --tag-names MyTag --resource-name  'MyResource'

An example for attaching an access management tag called project:myproject to a resource named MyResource:

ibmcloud resource tag-attach --tag-names project:myproject --resource-name  'MyResource' --tag-type access

Detaching tags from a resource by using the CLI

To detach a tag from a resource, use the ibmcloud resource tag-detach command. An example to detach a user tag called MyTag from a resource named MyResource:

ibmcloud resource tag-detach --tag-names MyTag —resource-name 'MyResource'

An example to detach an access management tag called project:myproject from a resource named MyResource:

ibmcloud resource tag-detach --tag-names project:myproject —resource-name 'MyResource' --tag-type access

For more information, see the ibmcloud resource command reference.

When you detach an access management tag from a resource, any associated access policies are also detached from that resource.

Attaching tags to a resource by using the API

You can programmatically attach tags by calling the Global Search and Tagging - Tagging API as shown in the following sample requests. The allowed values for the tag_type query parameter are: user for user tags and access for access management tags. The following example shows how to attach an access management tag that is called project:myproject to a service instance.

Find the unique identifier for your resource by calling the following command:

curl -v -X POST -k --header 'Content-Type: application/json'
--header 'Accept: application/json'
--header 'Authorization: bearer  <your IAM token>'
-d '{"query": "name:myresource"}' 'https://api.global-search-tagging.cloud.ibm.com/v3/resources/search'

SearchOptions searchOptions = new SearchOptions.Builder()
 .query("GST-sdk-*")
 .fields(new java.util.ArrayList<String>(java.util.Arrays.asList("crn")))
 .searchCursor(searchCursor)
 .build();

Response<ScanResult> response = service.search(searchOptions).execute();
ScanResult scanResult = response.getResult();

System.out.println(scanResult);

const params = {
query: 'GST-sdk-*',
fields: ['crn'],
searchCursor: searchCursor,
};

globalSearchService.search(params)
.then(res => {
 console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
 console.warn(err)
});

response = global_search_service.search(query='GST-sdk-*',
                   fields=['crn'])
scan_result = response.get_result()

print(json.dumps(scan_result, indent=2))

searchOptions := globalSearchService.NewSearchOptions()
searchOptions.SetLimit(10)
searchOptions.SetQuery("GST-sdk-*")
searchOptions.SetFields([]string{"crn"})

scanResult, response, err := globalSearchService.Search(searchOptions)
if err != nil {
 panic(err)
}
b, _ := json.MarshalIndent(scanResult, "", "  ")
fmt.Println(string(b))

Extract the value of the CRN field from the response.

   {
   "items": [
     {
       "crn": "crn:v1:bluemix:public:cf:au-syd:a/000af2ea12345aabb1234567801fffab::cf-organization:aaaf4100-0011-2233-1111-11aaffee0011"
     }
   ],
   "limit": 1,
   "search_cursor": "e34535305339jg0rntt39nt3nu5tt9yn3u5ntt329nutt92u4ntt92u4t9u5gt2u5gt92u4n5g982458hg2t45hg9u42rg9t2u49gh285ght28h5t2835th85ht318h4tg9138h4tg91u3hgt931hg45918h34tg18h43hgt31hgt3rng0fnefvodnfvpojdpbojarfdbpojeafrbeafbjeqpnrqngrpqgrhbHNlIiwiY2FuVGFnIjoiZmFsc2UiLCJsdfshfksdhfkshfdkshfdkhkhewrkfehrkhkwhfkwrhkfhrgk3h5k3h45k3hk45hgk3hgk3hfk3h4k3hfkrfh3rkgh3krghk3rgh3kghk3hgk3hgk3rhgdWJsaWM6Y2Y6YXUtwriretoeiroteito4i5ot4i5oyti45ito4tio45ito45io5ogno5iogn5oin5oingoi5o5ngogo4ngo4ngro3jrong3gor3g3gno3jrgo3jrngo3ngro3g32ODQiXX0t"
 }

Call the following command:

curl -X POST -H "Authorization: {iam_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{ "resources": [{ "resource_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/59bcbfa6ea2f006b4ed7094c1a08dcdd:1a0ec336-f391-4091-a6fb-5e084a4c56f4::" }], "tag_names": ["project:myproject"] }' \
"https://tags.global-search-tagging.cloud.ibm.com/v3/tags/attach?tag_type=access"

Resource resourceModel = new Resource.Builder().resourceId(resourceCRN).build();
AttachTagOptions attachTagOptions = new AttachTagOptions.Builder()
.addResources(resourceModel)
.addTagNames("project:myproject")
.tagType("access")
.build();

Response<TagResults> response = service.attachTag(attachTagOptions).execute();
TagResults tagResults = response.getResult();
System.out.println(tagResults.toString());

const resourceModel = {
resource_id: resourceCrn,
};

const params = {
resources: [resourceModel],
tagNames: ["project:myproject"],
tagType: 'access',
};

globalTaggingService.attachTag(params)
.then(res => {
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});

resource_model = {'resource_id': resource_crn}

tag_results = global_tagging_service.attach_tag(
resources=[resource_model],
tag_names=['project:myproject'],
tag_type='access').get_result()


print(json.dumps(tag_results, indent=2))

resourceModel := &globaltaggingv1.Resource{
ResourceID: &resourceCRN,
}

attachTagOptions := globalTaggingService.NewAttachTagOptions(
[]globaltaggingv1.Resource{*resourceModel},
)
attachTagOptions.SetTagNames([]string{"project:myproject"})
attachTagOptions.SetTagType("access")

tagResults, response, err := globalTaggingService.AttachTag(attachTagOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(tagResults, "", "  ")
fmt.Println(string(b))

Detaching tags from a resource by using the API

You can programmatically detach tags by calling the Global Search and Tagging - Tagging API as shown in the following sample requests. The allowed values for the tag_type query parameter are: user for user tags and access for access management tags. The following example shows how to detach an access management tag that's called project:myproject from a service instance:

Find the unique identifier for your resource by calling the following command:

curl -v -X POST -k --header 'Content-Type: application/json'
--header 'Accept: application/json'
--header 'Authorization: bearer  <your IAM token>'
-d '{"query": "name:myresource"}' 'https://api.global-search-tagging.cloud.ibm.com/v3/resources/search'

SearchOptions searchOptions = new SearchOptions.Builder()
 .query("GST-sdk-*")
 .fields(new java.util.ArrayList<String>(java.util.Arrays.asList("crn")))
 .searchCursor(searchCursor)
 .build();

Response<ScanResult> response = service.search(searchOptions).execute();
ScanResult scanResult = response.getResult();

System.out.println(scanResult);

const params = {
query: 'GST-sdk-*',
fields: ['crn'],
searchCursor: searchCursor,
};

globalSearchService.search(params)
.then(res => {
 console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
 console.warn(err)
});

response = global_search_service.search(query='GST-sdk-*',
                   fields=['crn'])
scan_result = response.get_result()

print(json.dumps(scan_result, indent=2))

searchOptions := globalSearchService.NewSearchOptions()
searchOptions.SetLimit(10)
searchOptions.SetQuery("GST-sdk-*")
searchOptions.SetFields([]string{"crn"})

scanResult, response, err := globalSearchService.Search(searchOptions)
if err != nil {
 panic(err)
}
b, _ := json.MarshalIndent(scanResult, "", "  ")
fmt.Println(string(b))

Extract the value of the CRN field from the response.

   {
   "items": [
     {
       "crn": "crn:v1:bluemix:public:cf:au-syd:a/000af2ea12345aabb1234567801fffab::cf-organization:aaaf4100-0011-2233-1111-11aaffee0011"
     }
   ],
   "limit": 1,
   "search_cursor": "e34535305339jg0rntt39nt3nu5tt9yn3u5ntt329nutt92u4ntt92u4t9u5gt2u5gt92u4n5g982458hg2t45hg9u42rg9t2u49gh285ght28h5t2835th85ht318h4tg9138h4tg91u3hgt931hg45918h34tg18h43hgt31hgt3rng0fnefvodnfvpojdpbojarfdbpojeafrbeafbjeqpnrqngrpqgrhbHNlIiwiY2FuVGFnIjoiZmFsc2UiLCJsdfshfksdhfkshfdkshfdkhkhewrkfehrkhkwhfkwrhkfhrgk3h5k3h45k3hk45hgk3hgk3hfk3h4k3hfkrfh3rkgh3krghk3rgh3kghk3hgk3hgk3rhgdWJsaWM6Y2Y6YXUtwriretoeiroteito4i5ot4i5oyti45ito4tio45ito45io5ogno5iogn5oin5oingoi5o5ngogo4ngo4ngro3jrong3gor3g3gno3jrgo3jrngo3ngro3g32ODQiXX0t"
 }

Call the following command:

curl -X POST -H "Authorization: {iam_token}" \
-H "Accept: application/json" \
-H "Content-Type: application/json" \
-d '{ "resources": [{ "resource_id": "crn:v1:bluemix:public:cloud-object-storage:global:a/59bcbfa6ea2f006b4ed7094c1a08dcdd:1a0ec336-f391-4091-a6fb-5e084a4c56f4::" }], "tag_names": ["project:myproject"] }' \
"https://tags.global-search-tagging.cloud.ibm.com/v3/tags/detach?tag_type=access"

Resource resourceModel = new Resource.Builder().resourceId(resourceCRN).build();
DetachTagOptions detachTagOptions = new DetachTagOptions.Builder()
.addResources(resourceModel)
.addTagNames("project:myproject")
.tagType("access")
.build();

Response<TagResults> response = service.detachTag(detachTagOptions).execute();
TagResults tagResults = response.getResult();
System.out.println(tagResults.toString());

const resourceModel = {
resource_id: resourceCrn,
};

const params = {
resources: [resourceModel],
tagNames: ["project:myproject"],
tagType: 'access',
};

globalTaggingService.detachTag(params)
.then(res => {
console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
console.warn(err)
});

resource_model = {'resource_id': resource_crn}

tag_results = global_tagging_service.detach_tag(
resources=[resource_model],
tag_names=['project:myproject'],
tag_type='access').get_result()

print(json.dumps(tag_results, indent=2))

resourceModel := &globaltaggingv1.Resource{
ResourceID: &resourceCRN,
}

detachTagOptions := globalTaggingService.NewDetachTagOptions(
[]globaltaggingv1.Resource{*resourceModel},
)
detachTagOptions.SetTagNames([]string{"project:myproject"})
detachTagOptions.SetTagType("access")

tagResults, response, err := globalTaggingService.DetachTag(detachTagOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(tagResults, "", "  ")
fmt.Println(string(b))

When you detach an access management tag from a resource, any associated access policies are also detached from that resource.

Attaching tags to a resource by using Terraform

Before you can attach tags to a resource by using Terraform, make sure that you have completed the following:

Install the Terraform CLI and configure the IBM Cloud Provider plug-in for Terraform. For more information, see the tutorial for Getting started with Terraform on IBM Cloud®. The plug-in abstracts the IBM Cloud APIs that are used to complete this task.
Create a Terraform configuration file that is named main.tf. In this file, you define resources by using HashiCorp Configuration Language. For more information, see the Terraform documentation.

Use the following steps to attach tags to a resource by using Terraform:

The following example attaches the imb_tag tag to the ibm resource for the resource ID ibm_satellite_location.location.crn.

resource "ibm_resource" "ibm" {
resource_id = ibm_satellite_location.location.crn
tags        = [ "ibm_tag" ]
}

After you finish building your configuration file, initialize the Terraform CLI. For more information, see Initializing Working Directories.
```
terraform init
```
Provision the resources from the main.tf file. For more information, see Provisioning Infrastructure with Terraform.
1. Run terraform plan to generate a Terraform execution plan to preview the proposed actions.
```
terraform plan
```
2. Run terraform apply to create the resources that are defined in the plan.
```
terraform apply
```

Attaching tags to a service ID in the console

To add a tag to a service ID, complete the following steps:

Choose to attach an access management tag or a user tag.
- If you want to attach an access management tag, you must first create the tag. For more information, see Creating tags.
- If you want to attach a user tag, you don't need to create the user tag to attach it to resources or service IDs. Attaching the tag also creates it.
Go to Manage > Access (IAM) > Service IDs.
Select the service ID that you want to tag.
Click Add tag .
Enter the name of the tag, and press Enter.
Click Save.

When you tag a service ID, all policies that have resources that are scoped to your access management tag include access to this service ID.

Attaching tags to a service ID by using the CLI

The allowed values for the tag_type query parameter are: user for user tags and access for access management tags. The following example shows how to attach an access management tag that is called project:myproject to a service ID.

To add a tag to a service ID, complete the following steps:

Choose to attach an access management tag or a user tag.
- If you want to attach an access management tag, you must first create the tag. For more information, see Creating tags.
- If you want to attach a user tag, you don't need to create the user tag to attach it to resources or service IDs. Attaching the tag also creates it.
To attach the tag to your service ID, use the tag-attach command. For more information, see the CLI command reference.
```
ibmcloud resource tag-attach --tag-names project:myproject --resource-name 'ServiceIdName' --tag-type access
```

When you tag a service ID, all policies that have resources that are scoped to your access management tag include access to this service ID.

Attaching tags to a service ID by using the API

To add a tag to a service ID, complete the following steps:

Choose to attach an access management tag or a user tag.
- If you want to attach an access management tag, you must first create the tag. For more information, see Creating tags.
- If you want to attach a user tag, you don't need to create the user tag to attach it to resources or service IDs. Attaching the tag also creates it.

Find the unique identifier for your service ID by calling the IAM Identity Services with the following command:

curl -X GET 'https://iam.cloud.ibm.com/v1/serviceids?account_id=ACCOUNT_ID&name=My-serviceID' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

ListServiceIdsOptions listServiceIdsOptions = new ListServiceIdsOptions.Builder()
   .accountId(accountId)
   .name(serviceIdName)
   .build();

Response<ServiceIdList> response = service.listServiceIds(listServiceIdsOptions).execute();
ServiceIdList serviceIdList = response.getResult();

System.out.println(serviceIdList);

const params = {
accountId: accountId,
name: serviceIdName,
};

try {
const res = await iamIdentityService.listServiceIds(params)
console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
console.warn(err);
}

service_id_list = iam_identity_service.list_service_ids(
account_id=account_id,
name=serviceid_name
).get_result()

print(json.dumps(service_id_list, indent=2))

listServiceIdsOptions := iamIdentityService.NewListServiceIdsOptions()
listServiceIdsOptions.SetAccountID(accountID)
listServiceIdsOptions.SetName(serviceIDName)

serviceIDList, response, err := iamIdentityService.ListServiceIds(listServiceIdsOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(serviceIDList, "", "  ")
fmt.Println(string(b))

Extract the value of the crn field from the response.

   {
"offset": 0,
"limit": 1,
"first": {
   "href": "https://iam.cloud.ibm.com/v1/serviceids?account_id=accountId"
},
"next": {
   "href": "https://iam.cloud.ibm.com/v1/serviceids?pagetoken=pageToken"
},
"serviceids": {
   "id": "ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
   "iam_id": "iam-ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
   "entity_tag": "3-c46d2fd21b701adf7eb67cfd1a498fde",
   "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::serviceid:ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
   "locked": false,
   "created_at": "2020-10-16T10:36+0000",
   "modified_at": "2020-10-16T10:36+0000",
   "account_id": "100abcde100a41abc100aza678abc0zz",
   "name": "serviceId-test",
   "description": "serviceId-test",
   "unique_instance_crns": []
}
}

To attach the tag to your service ID, call the Global Search and Tagging - Tagging API with the following command.

Replace {SERVICEID_CRN} with the value that you extracted in the previous step.

Replace (serviceidCRN) with the value that you extracted in the previous step.

Replace serviceidCrn with the value that you extracted in the previous step.

Replace serviceid_crn with the value that you extracted in the previous step.

Replace &serviceidCRN with the value that you extracted in the previous step.

curl -X POST --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "Content-Type: application/json" -d '{ "resources": [{ "resource_id": "{SERVICEID_CRN}" }], "tag_names": ["tag_test_1", "tag_test_2"] }' "{base_url}/v3/tags/attach?tag_type=user"

Resource resourceModel = new Resource.Builder().resourceId(serviceidCRN).build();
AttachTagOptions attachTagOptions = new AttachTagOptions.Builder()
   .addResources(resourceModel)
   .addTagNames("tag_test_1")
   .addTagNames("tag_test_2")
   .build();

Response<TagResults> response = service.attachTag(attachTagOptions).execute();
TagResults tagResults = response.getResult();
System.out.println(tagResults.toString());

const resourceModel = {
resource_id: serviceidCrn,
};

const params = {
resources: [resourceModel],
tagNames: ["tag_test_1", "tag_test_2"],
tagType: 'user',
};

globalTaggingService.attachTag(params)
.then(res => {
   console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
   console.warn(err)
});

resource_model = {'resource_id': serviceid_crn}

tag_results = global_tagging_service.attach_tag(
resources=[resource_model],
tag_names=['tag_test_1', 'tag_test_2'],
tag_type='user').get_result()

print(json.dumps(tag_results, indent=2))

resourceModel := &globaltaggingv1.Resource{
ResourceID: &serviceidCRN,
}

attachTagOptions := globalTaggingService.NewAttachTagOptions(
[]globaltaggingv1.Resource{*resourceModel},
)
attachTagOptions.SetTagNames([]string{"tag_test_1", "tag_test_2"})
attachTagOptions.SetTagType("user")

tagResults, response, err := globalTaggingService.AttachTag(attachTagOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(tagResults, "", "  ")
fmt.Println(string(b))

When you tag a service ID, all policies that have resources that are scoped to your access management tag include access to this service ID.

Detaching tags on a service ID in the console

To detach a tag from a service ID, complete the following steps:

Go to Manage > Access (IAM) > Service IDs.
Click the Edit icon in the Tags column.
Click the Remove icon on the tag that you want to detach from the service ID..
Click Save.

When you detach an access management tag from a service ID, any policies that are scoped that that tag no longer includes access the service ID.

Detaching tags on a service ID by using the CLI

To detach a tag on your service ID, use the tag-detach command. For more information, see the CLI command reference.

ibmcloud resource tag-detach --tag-names project:myproject --resource-id  'ServiceIdName' --tag-type access

When you detach an access management tag from a service ID, any policies that are scoped that that tag no longer includes access the service ID.

Detaching tags on a service ID by using the API

To detach a tag from a service ID, complete the following steps:

Find the unique identifier for your service ID by calling the IAM Identity Services with the following command:

curl -X GET 'https://iam.cloud.ibm.com/v1/serviceids?account_id=ACCOUNT_ID&name=My-serviceID' -H 'Authorization: Bearer TOKEN' -H 'Content-Type: application/json'

ListServiceIdsOptions listServiceIdsOptions = new ListServiceIdsOptions.Builder()
   .accountId(accountId)
   .name(serviceIdName)
   .build();

Response<ServiceIdList> response = service.listServiceIds(listServiceIdsOptions).execute();
ServiceIdList serviceIdList = response.getResult();

System.out.println(serviceIdList);

const params = {
accountId: accountId,
name: serviceIdName,
};

try {
const res = await iamIdentityService.listServiceIds(params)
console.log(JSON.stringify(res.result, null, 2));
} catch (err) {
console.warn(err);
}

service_id_list = iam_identity_service.list_service_ids(
account_id=account_id,
name=serviceid_name
).get_result()

print(json.dumps(service_id_list, indent=2))

listServiceIdsOptions := iamIdentityService.NewListServiceIdsOptions()
listServiceIdsOptions.SetAccountID(accountID)
listServiceIdsOptions.SetName(serviceIDName)

serviceIDList, response, err := iamIdentityService.ListServiceIds(listServiceIdsOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(serviceIDList, "", "  ")
fmt.Println(string(b))

Extract the value of the crn field from the response.

   {
"offset": 0,
"limit": 1,
"first": {
   "href": "https://iam.cloud.ibm.com/v1/serviceids?account_id=accountId"
},
"next": {
   "href": "https://iam.cloud.ibm.com/v1/serviceids?pagetoken=pageToken"
},
"serviceids": {
   "id": "ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
   "iam_id": "iam-ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
   "entity_tag": "3-c46d2fd21b701adf7eb67cfd1a498fde",
   "crn": "crn:v1:bluemix:public:iam-identity::a/100abcde100a41abc100aza678abc0zz::serviceid:ServiceId-ee1103f8-e03b-4d02-a977-e540ebdffb16",
   "locked": false,
   "created_at": "2020-10-16T10:36+0000",
   "modified_at": "2020-10-16T10:36+0000",
   "account_id": "100abcde100a41abc100aza678abc0zz",
   "name": "serviceId-test",
   "description": "serviceId-test",
   "unique_instance_crns": []
}
}

To detach the tag on your service ID, call the Global Search and Tagging - Tagging API with the following command.

Replace {SERVICEID_CRN} with the value that you extracted in the previous step.

Replace (serviceidCRN) with the value that you extracted in the previous step.

Replace serviceidCrn with the value that you extracted in the previous step.

Replace serviceid_crn with the value that you extracted in the previous step.

Replace &serviceidCRN with the value that you extracted in the previous step.

curl -X POST --header "Authorization: Bearer {iam_token}" --header "Accept: application/json" --header "Content-Type: application/json" -d '{ "resources": [{ "resource_id": "{SERVICEID_CRN}" }], "tag_names": ["tag_test_1", "tag_test_2"] }' "{base_url}/v3/tags/detach?tag_type=user"

Resource resourceModel = new Resource.Builder().resourceId(serviceidCRN).build();
DetachTagOptions detachTagOptions = new DetachTagOptions.Builder()
   .addResources(resourceModel)
   .addTagNames("tag_test_1")
   .addTagNames("tag_test_2")
   .tagType("user")
   .build();

Response<TagResults> response = service.detachTag(detachTagOptions).execute();
TagResults tagResults = response.getResult();
System.out.println(tagResults.toString());

const resourceModel = {
resource_id: serviceidCrn,
};

const params = {
resources: [resourceModel],
tagNames: ["tag_test_1", "tag_test_2"],
tagType: 'user',
};

globalTaggingService.detachTag(params)
.then(res => {
   console.log(JSON.stringify(res.result, null, 2));
})
.catch(err => {
   console.warn(err)
});

resource_model = {'resource_id': serviceid_crn}

tag_results = global_tagging_service.detach_tag(
resources=[resource_model],
tag_names=['tag_test_1', 'tag_test_2'],
tag_type='user').get_result()

print(json.dumps(tag_results, indent=2))

resourceModel := &globaltaggingv1.Resource{
ResourceID: &serviceidCRN,
}

detachTagOptions := globalTaggingService.NewDetachTagOptions(
[]globaltaggingv1.Resource{*resourceModel},
)
detachTagOptions.SetTagNames([]string{"tag_test_1", "tag_test_2"})
detachTagOptions.SetTagType("user")

tagResults, response, err := globalTaggingService.DetachTag(detachTagOptions)
if err != nil {
panic(err)
}
b, _ := json.MarshalIndent(tagResults, "", "  ")
fmt.Println(string(b))

When you detach an access management tag from a service ID, any policies that are scoped that that tag no longer includes access the service ID.