google-cloud-platform google-compute-engine

Instance group denied permission to attach tags to its instances


The tags are attached to the instance template. But, when the instance group tries to create an instance with that template, I'm seeing this error in the errors tab:

Instance 'example' creation failed: Permission compute.instances.createTagBinding denied on resource //compute.googleapis.com/projects/example/zones/us-east4-c/instances/example(or it might not exist). com.google.cloud.resourcemanager.common.error.ExternalStatusException: generic::PERMISSION_DENIED: Permission compute.instances.createTagBinding denied on resource //compute.googleapis.com/projects/example/zones/us-east4-c/instances/example (or it might not exist).

The Compute Engine Service Agent has this permission by default. I've tried giving the service account I'm using and the default Compute Engine service account the Tag User IAM role.


Solution

  • I talked with Google Cloud support, and they found through the Logs Explorer that the Google API Service Agent was the issue, and it was missing that permission. They told me to give the Tag User role to that service agent.
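
The fix described above as a gcloud script; this is an added example, not code from the original post or from Google. It assumes the role is granted at project scope (the post does not say at which level support applied it) and that the service agent uses the standard PROJECT_NUMBER@cloudservices.gserviceaccount.com address; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: check for, then grant, the Tag User role to the
# Google APIs Service Agent. Project-level scope is an assumption.
ROLE="roles/resourcemanager.tagUser"   # the "Tag User" role

# Build the IAM member string for the Google APIs Service Agent,
# which is named after the project *number*, not the project ID.
apis_agent_member() {
  case "$1" in
    ''|*[!0-9]*) echo "project number must be numeric: '$1'" >&2; return 1 ;;
  esac
  printf 'serviceAccount:%s@cloudservices.gserviceaccount.com\n' "$1"
}

# Print the member if it already holds ROLE on the project, else nothing.
has_tag_user() {  # args: project_id member
  gcloud projects get-iam-policy "$1" \
    --flatten="bindings[].members" \
    --filter="bindings.role=\"${ROLE}\" AND bindings.members=\"$2\"" \
    --format="value(bindings.members)"
}

# Resolve the project number, skip the grant if the binding exists,
# otherwise add it.
grant_tag_user() {  # args: project_id
  local project_id="$1"
  local number member
  number="$(gcloud projects describe "$project_id" \
    --format='value(projectNumber)')" || return 1
  member="$(apis_agent_member "$number")" || return 1
  if [ -n "$(has_tag_user "$project_id" "$member")" ]; then
    echo "already bound: $member"
    return 0
  fi
  gcloud projects add-iam-policy-binding "$project_id" \
    --member="$member" --role="$ROLE"
}

# Run only when a project ID is passed on the command line.
if [ "$#" -gt 0 ]; then grant_tag_user "$1"; fi
```

If the tags are only ever attached from one tag key or value, the same role can be bound on that tag resource instead of the whole project to keep the grant narrower.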