diff --git a/doc/source/getting-started/policy_mapping.rst b/doc/source/getting-started/policy_mapping.rst index e766f63a4a..da1d2095a7 100644 --- a/doc/source/getting-started/policy_mapping.rst +++ b/doc/source/getting-started/policy_mapping.rst @@ -38,6 +38,15 @@ identity:create_project POST /v3/projects identity:update_project PATCH /v3/projects/{project_id} identity:delete_project DELETE /v3/projects/{project_id} +identity:get_project_tag GET /v3/projects/{project_id}/tags/{tag_name} + HEAD /v3/projects/{project_id}/tags/{tag_name} +identity:list_project_tags GET /v3/projects/{project_id}/tags + HEAD /v3/projects/{project_id}/tags +identity:create_project_tag PUT /v3/projects/{project_id}/tags/{tag_name} +identity:update_project_tags PUT /v3/projects/{project_id}/tags +identity:delete_project_tag DELETE /v3/projects/{project_id}/tags/{tag_name} +identity:delete_project_tags DELETE /v3/projects/{project_id}/tags + identity:get_user GET /v3/users/{user_id} identity:list_users GET /v3/users identity:create_user POST /v3/users diff --git a/etc/policy.v3cloudsample.json b/etc/policy.v3cloudsample.json index 5dbcb7dbbe..1d9dda829d 100644 --- a/etc/policy.v3cloudsample.json +++ b/etc/policy.v3cloudsample.json 
@@ -42,6 +42,12 @@ "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id", "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id", + "identity:create_project_tag": "rule:admin_required", + "identity:delete_project_tag": "rule:admin_required", + "identity:get_project_tag": "rule:admin_required", + "identity:list_project_tags": "rule:admin_required", + "identity:delete_project_tags": "rule:admin_required", + "identity:update_project_tags": "rule:admin_required", "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s", "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s", diff --git a/keystone/common/policies/project.py b/keystone/common/policies/project.py index 433c31d38b..9b82bfd45b 100644 --- a/keystone/common/policies/project.py +++ b/keystone/common/policies/project.py 
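Review bot: The six tag rules added in this hunk use bare `rule:admin_required`, while the `identity:update_project` and `identity:delete_project` rules directly above them are limited to `rule:cloud_admin or rule:admin_and_matching_target_project_domain_id`. If `admin_required` in this sample is a plain role check (its definition is outside the hunk), an admin of one domain could replace or delete tags on projects in another domain, which the sample otherwise prevents for project changes. Consider the same domain-scoped expression for the write rules, e.g. `"identity:update_project_tags": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",`, provided the tag API populates `target.project.domain_id` for these calls (not visible here). The two read rules are also stricter here than the in-code defaults in keystone/common/policies/project.py, which use `base.RULE_ADMIN_OR_TARGET_PROJECT`, so it is worth stating which of the two is intended.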
@@ -50,6 +50,46 @@ project_policies = [ check_str=base.RULE_ADMIN_REQUIRED, description='Delete project.', operations=[{'path': '/v3/projects/{project_id}', + 'method': 'DELETE'}]), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'list_project_tags', + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, + description='List tags for a project.', + operations=[{'path': '/v3/projects/{project_id}/tags', + 'method': 'GET'}, + {'path': '/v3/projects/{project_id}/tags', + 'method': 'HEAD'}]), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'get_project_tag', + check_str=base.RULE_ADMIN_OR_TARGET_PROJECT, + description='Check if project contains a tag.', + operations=[{'path': '/v3/projects/{project_id}/tags/{value}', + 'method': 'GET'}, + {'path': '/v3/projects/{project_id}/tags/{value}', + 'method': 'HEAD'}]), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'update_project_tags', + check_str=base.RULE_ADMIN_REQUIRED, + description='Replace all tags on a project with the new set of tags.', + operations=[{'path': '/v3/projects/{project_id}/tags', + 'method': 'PUT'}]), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'create_project_tag', + check_str=base.RULE_ADMIN_REQUIRED, + description='Add a single tag to a project.', + operations=[{'path': '/v3/projects/{project_id}/tags/{value}', + 'method': 'PUT'}]), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'delete_project_tags', + check_str=base.RULE_ADMIN_REQUIRED, + description='Remove all tags from a project.', + operations=[{'path': '/v3/projects/{project_id}/tags', + 'method': 'DELETE'}]), + policy.DocumentedRuleDefault( + name=base.IDENTITY % 'delete_project_tag', + check_str=base.RULE_ADMIN_REQUIRED, + description='Delete a specified tag from project.', + operations=[{'path': '/v3/projects/{project_id}/tags/{value}', 'method': 'DELETE'}]) ]
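Review bot: The single-tag operations document their path as `/v3/projects/{project_id}/tags/{value}`, but the policy_mapping.rst change in this same commit names the placeholder `{tag_name}`. Use one name in both places so the generated policy documentation and the mapping table agree, e.g. `operations=[{'path': '/v3/projects/{project_id}/tags/{tag_name}',` for `get_project_tag`, `create_project_tag` and `delete_project_tag`. Separately, `list_project_tags` and `get_project_tag` default to `base.RULE_ADMIN_OR_TARGET_PROJECT`, so a short comment above them such as `# Tags are readable by any user with a token scoped to the target project.` would make the wider read access explicit for operators comparing against the sample policy file. The hunk begins inside the existing delete_project entry of `project_policies`, so the earlier entries of the list are outside this view.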