Regen all docs. (#700)
* Stop recursing if discovery == {}
* Generate docs with 'make docs'.
diff --git a/docs/dyn/dlp_v2.projects.deidentifyTemplates.html b/docs/dyn/dlp_v2.projects.deidentifyTemplates.html
new file mode 100644
index 0000000..4408665
--- /dev/null
+++ b/docs/dyn/dlp_v2.projects.deidentifyTemplates.html
@@ -0,0 +1,12434 @@
+<html><body>
+<style>
+
+body, h1, h2, h3, div, span, p, pre, a {
+ margin: 0;
+ padding: 0;
+ border: 0;
+ font-weight: inherit;
+ font-style: inherit;
+ font-size: 100%;
+ font-family: inherit;
+ vertical-align: baseline;
+}
+
+body {
+ font-size: 13px;
+ padding: 1em;
+}
+
+h1 {
+ font-size: 26px;
+ margin-bottom: 1em;
+}
+
+h2 {
+ font-size: 24px;
+ margin-bottom: 1em;
+}
+
+h3 {
+ font-size: 20px;
+ margin-bottom: 1em;
+ margin-top: 1em;
+}
+
+pre, code {
+ line-height: 1.5;
+ font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
+}
+
+pre {
+ margin-top: 0.5em;
+}
+
+h1, h2, h3, p {
+ font-family: Arial, sans serif;
+}
+
+h1, h2, h3 {
+ border-bottom: solid #CCC 1px;
+}
+
+.toc_element {
+ margin-top: 0.5em;
+}
+
+.firstline {
+ margin-left: 2 em;
+}
+
+.method {
+ margin-top: 1em;
+ border: solid 1px #CCC;
+ padding: 1em;
+ background: #EEE;
+}
+
+.details {
+ font-weight: bold;
+ font-size: 14px;
+}
+
+</style>
+
+<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.deidentifyTemplates.html">deidentifyTemplates</a></h1>
+<h2>Instance Methods</h2>
+<p class="toc_element">
+ <code><a href="#create">create(parent, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>
+<p class="toc_element">
+ <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
+<p class="firstline">Deletes a DeidentifyTemplate.</p>
+<p class="toc_element">
+ <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
+<p class="firstline">Gets a DeidentifyTemplate.</p>
+<p class="toc_element">
+ <code><a href="#list">list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
+<p class="firstline">Lists DeidentifyTemplates.</p>
+<p class="toc_element">
+ <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
+<p class="firstline">Retrieves the next page of results.</p>
+<p class="toc_element">
+ <code><a href="#patch">patch(name, body, x__xgafv=None)</a></code></p>
+<p class="firstline">Updates the DeidentifyTemplate.</p>
+<h3>Method Details</h3>
+<div class="method">
+ <code class="details" id="create">create(parent, body, x__xgafv=None)</code>
+ <pre>Creates a DeidentifyTemplate for re-using frequently used configuration
+for de-identifying content, images, and storage.
+See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
+more.
+
+Args:
+ parent: string, The parent resource name, for example projects/my-project-id or
+organizations/my-org-id. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # Request message for CreateDeidentifyTemplate.
+ "deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # The DeidentifyTemplate to create.
+ # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
+ "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "displayName": "A String", # Display name (max 256 chars).
+ "description": "A String", # Short description (max 256 chars).
+ "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
+ # transformation everywhere.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
+ # specific locations within structured datasets, such as transforming
+ # a column within a table.
+ # table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
+ # match any suppression rule are omitted from the output [optional].
+ { # Configuration to suppress records whose suppression conditions evaluate to
+ # true.
+ "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
+ # evaluated to be suppressed from the transformed content.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ },
+ ],
+ "fieldTransformations": [ # Transform the record by applying various field transformations.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation. [optional]
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ "fields": [ # Input field(s) to apply the transformation to. [required]
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
+ "name": "A String", # The template name. Output only.
+ #
+ # The template will have one of the following formats:
+ # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
+ # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
+ },
+ "templateId": "A String", # The template id can contain uppercase and lowercase letters,
+ # numbers, and hyphens; that is, it must match the regular
+ # expression: `[a-zA-Z\\d-_]+`. The maximum length is 100
+ # characters. Can be empty to allow the system to generate one.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
+ "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "displayName": "A String", # Display name (max 256 chars).
+ "description": "A String", # Short description (max 256 chars).
+ "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
+ # transformation everywhere.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
+ # specific locations within structured datasets, such as transforming
+ # a column within a table.
+ # table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
+ # match any suppression rule are omitted from the output [optional].
+ { # Configuration to suppress records whose suppression conditions evaluate to
+ # true.
+ "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
+ # evaluated to be suppressed from the transformed content.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ },
+ ],
+ "fieldTransformations": [ # Transform the record by applying various field transformations.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation. [optional]
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ "fields": [ # Input field(s) to apply the transformation to. [required]
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
+ "name": "A String", # The template name. Output only.
+ #
+ # The template will have one of the following formats:
+ # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
+ # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="delete">delete(name, x__xgafv=None)</code>
+ <pre>Deletes a DeidentifyTemplate.
+See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
+more.
+
+Args:
+ name: string, Resource name of the organization and deidentify template to be deleted,
+for example `organizations/433245324/deidentifyTemplates/432452342` or
+projects/project-id/deidentifyTemplates/432452342. (required)
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # A generic empty message that you can re-use to avoid defining duplicated
+ # empty messages in your APIs. A typical example is to use it as the request
+ # or the response type of an API method. For instance:
+ #
+ # service Foo {
+ # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
+ # }
+ #
+ # The JSON representation for `Empty` is empty JSON object `{}`.
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="get">get(name, x__xgafv=None)</code>
+ <pre>Gets a DeidentifyTemplate.
+See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
+more.
+
+Args:
+ name: string, Resource name of the organization and deidentify template to be read, for
+example `organizations/433245324/deidentifyTemplates/432452342` or
+projects/project-id/deidentifyTemplates/432452342. (required)
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
+ "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "displayName": "A String", # Display name (max 256 chars).
+ "description": "A String", # Short description (max 256 chars).
+ "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
+ # transformation everywhere.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
+ # specific locations within structured datasets, such as transforming
+ # a column within a table.
+ # table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
+ # match any suppression rule are omitted from the output [optional].
+ { # Configuration to suppress records whose suppression conditions evaluate to
+ # true.
+ "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
+ # evaluated to be suppressed from the transformed content.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ },
+ ],
+ "fieldTransformations": [ # Transform the record by applying various field transformations.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation. [optional]
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ "fields": [ # Input field(s) to apply the transformation to. [required]
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
+ "name": "A String", # The template name. Output only.
+ #
+ # The template will have one of the following formats:
+ # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
+ # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="list">list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)</code>
+ <pre>Lists DeidentifyTemplates.
+See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
+more.
+
+Args:
+ parent: string, The parent resource name, for example projects/my-project-id or
+organizations/my-org-id. (required)
+ orderBy: string, Optional comma separated list of fields to order by,
+followed by `asc` or `desc` postfix. This list is case-insensitive,
+default sorting order is ascending, redundant space characters are
+insignificant.
+
+Example: `name asc,update_time, create_time desc`
+
+Supported fields are:
+
+- `create_time`: corresponds to time the template was created.
+- `update_time`: corresponds to time the template was last updated.
+- `name`: corresponds to template's name.
+- `display_name`: corresponds to template's display name.
+ pageToken: string, Optional page token to continue retrieval. Comes from previous call
+to `ListDeidentifyTemplates`.
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+ pageSize: integer, Optional size of the page, can be limited by server. If zero server returns
+a page of max size 100.
+
+Returns:
+ An object of the form:
+
+ { # Response message for ListDeidentifyTemplates.
+ "nextPageToken": "A String", # If the next page is available then the next page token to be used
+ # in following ListDeidentifyTemplates request.
+ "deidentifyTemplates": [ # List of deidentify templates, up to page_size in
+ # ListDeidentifyTemplatesRequest.
+ { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
+ "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "displayName": "A String", # Display name (max 256 chars).
+ "description": "A String", # Short description (max 256 chars).
+ "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
+ # transformation everywhere.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
+ # specific locations within structured datasets, such as transforming
+ # a column within a table.
+ # table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
+ # match any suppression rule are omitted from the output [optional].
+ { # Configuration to suppress records whose suppression conditions evaluate to
+ # true.
+ "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
+ # evaluated to be suppressed from the transformed content.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ },
+ ],
+ "fieldTransformations": [ # Transform the record by applying various field transformations.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation. [optional]
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ "fields": [ # Input field(s) to apply the transformation to. [required]
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
+ "name": "A String", # The template name. Output only.
+ #
+ # The template will have one of the following formats:
+ # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
+ # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
+ },
+ ],
+ }</pre>
+</div>
+
+<div class="method">
+ <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
+ <pre>Retrieves the next page of results.
+
+Args:
+ previous_request: The request for the previous page. (required)
+ previous_response: The response from the request for the previous page. (required)
+
+Returns:
+ A request object that you can call 'execute()' on to request the next
+ page. Returns None if there are no more items in the collection.
+ </pre>
+</div>
+
+<div class="method">
+ <code class="details" id="patch">patch(name, body, x__xgafv=None)</code>
+ <pre>Updates the DeidentifyTemplate.
+See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
+more.
+
+Args:
+ name: string, Resource name of organization and deidentify template to be updated, for
+example `organizations/433245324/deidentifyTemplates/432452342` or
+projects/project-id/deidentifyTemplates/432452342. (required)
+ body: object, The request body. (required)
+ The object takes the form of:
+
+{ # Request message for UpdateDeidentifyTemplate.
+ "deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # New DeidentifyTemplate value.
+ # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
+ "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "displayName": "A String", # Display name (max 256 chars).
+ "description": "A String", # Short description (max 256 chars).
+ "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
+ # transformation everywhere.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
+ # specific locations within structured datasets, such as transforming
+ # a column within a table.
+ # table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
+ # match any suppression rule are omitted from the output [optional].
+ { # Configuration to suppress records whose suppression conditions evaluate to
+ # true.
+ "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
+ # evaluated to be suppressed from the transformed content.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ },
+ ],
+ "fieldTransformations": [ # Transform the record by applying various field transformations.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation. [optional]
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ "fields": [ # Input field(s) to apply the transformation to. [required]
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
+ "name": "A String", # The template name. Output only.
+ #
+ # The template will have one of the following formats:
+ # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
+ # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
+ },
+ "updateMask": "A String", # Mask to control which fields get updated.
+ }
+
+ x__xgafv: string, V1 error format.
+ Allowed values
+ 1 - v1 error format
+ 2 - v2 error format
+
+Returns:
+ An object of the form:
+
+ { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
+ "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "displayName": "A String", # Display name (max 256 chars).
+ "description": "A String", # Short description (max 256 chars).
+ "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
+ # transformation everywhere.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
+ # specific locations within structured datasets, such as transforming
+ # a column within a table.
+ # table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
+ # match any suppression rule are omitted from the output [optional].
+ { # Configuration to suppress records whose suppression conditions evaluate to
+ # true.
+ "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
+ # evaluated to be suppressed from the transformed content.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ },
+ ],
+ "fieldTransformations": [ # Transform the record by applying various field transformations.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Transformation for each infoType. Cannot specify more than one
+ # for a given infoType. [required]
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ ],
+ },
+ ],
+ },
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
+ # For example, if your string is 555-555-5555 and you ask us to skip `-` and
+ # mask 5 chars with * we would produce ***-*55-5555.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String",
+ "charactersToSkip": "A String",
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
+ # alphabetic string such as name, or "0" for a numeric string such as ZIP
+ # code or credit card number. String must have length 1. If not supplied, we
+ # will default to "*" for strings, 0 for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # '0', number_to_mask is 14, and `reverse_order` is false, then
+ # 1234-5678-9012-3456 -> 00000000000000-3456
+ # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
+ # is true, then 12345 -> 12***
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: <info type name>(<surrogate character count>):<surrogate>
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”. [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # [Required].
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ # portion of the value.
+ "partToExtract": "A String",
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
+ # [Required]
+ "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ # [Required]
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set method. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
+ "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # A 128/192/256 bit key. [required]
+ },
+ "transient": { # Use this to have a random data crypto key generated.
+ # It will be discarded after the request finishes.
+ "name": "A String", # Name of the key. [required]
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
+ "commonAlphabet": "A String",
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 62].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # [a-zA-Z0-9_]{1,64}.
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`.
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation. [optional]
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions.
+ "conditions": [
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
+ "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14,
+ "timestampValue": "A String",
+ "dayOfWeekValue": "A String",
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ },
+ "stringValue": "A String",
+ "booleanValue": True or False,
+ "integerValue": "A String",
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
+ "fields": [ # Input field(s) to apply the transformation to. [required]
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ ],
+ },
+ },
+ "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
+ "name": "A String", # The template name. Output only.
+ #
+ # The template will have one of the following formats:
+ # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
+ # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
+ }</pre>
+</div>
+
+</body></html>
\ No newline at end of file