docs: update docs/dyn (#1096)
This PR was generated using Autosynth. :rainbow:
Synth log will be available here:
https://source.cloud.google.com/results/invocations/6f0f288a-a1e8-4b2d-a85f-00b1c6150185/targets
- [ ] To automatically regenerate this PR, check this box.
Source-Link: https://github.com/googleapis/synthtool/commit/39b7149da4026765385403632db3c6f63db96b2c
Source-Link: https://github.com/googleapis/synthtool/commit/9a7d9fbb7045c34c9d3d22c1ff766eeae51f04c9
Source-Link: https://github.com/googleapis/synthtool/commit/dc9903a8c30c3662b6098f0e4a97f221d67268b2
Source-Link: https://github.com/googleapis/synthtool/commit/7fcc405a579d5d53a726ff3da1b7c8c08f0f2d58
Source-Link: https://github.com/googleapis/synthtool/commit/d5fc0bcf9ea9789c5b0e3154a9e3b29e5cea6116
Source-Link: https://github.com/googleapis/synthtool/commit/e89175cf074dccc4babb4eca66ae913696e47a71
Source-Link: https://github.com/googleapis/synthtool/commit/7d652819519dfa24da9e14548232e4aaba71a11c
Source-Link: https://github.com/googleapis/synthtool/commit/7db8a6c5ffb12a6e4c2f799c18f00f7f3d60e279
Source-Link: https://github.com/googleapis/synthtool/commit/1f1148d3c7a7a52f0c98077f976bd9b3c948ee2b
Source-Link: https://github.com/googleapis/synthtool/commit/2c8aecedd55b0480fb4e123b6e07fa5b12953862
Source-Link: https://github.com/googleapis/synthtool/commit/3d3e94c4e02370f307a9a200b0c743c3d8d19f29
Source-Link: https://github.com/googleapis/synthtool/commit/c7824ea48ff6d4d42dfae0849aec8a85acd90bd9
Source-Link: https://github.com/googleapis/synthtool/commit/ba9918cd22874245b55734f57470c719b577e591
Source-Link: https://github.com/googleapis/synthtool/commit/b19b401571e77192f8dd38eab5fb2300a0de9324
Source-Link: https://github.com/googleapis/synthtool/commit/6542bd723403513626f61642fc02ddca528409aa
diff --git a/docs/dyn/dlp_v2.projects.content.html b/docs/dyn/dlp_v2.projects.content.html
index 3050e1b..5ba7827 100644
--- a/docs/dyn/dlp_v2.projects.content.html
+++ b/docs/dyn/dlp_v2.projects.content.html
@@ -102,13 +102,10 @@
The object takes the form of:
{ # Request to de-identify a list of items.
- "locationId": "A String", # Deprecated. This field has no effect.
"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. Items specified here will override the template referenced by the inspect_template_name argument.
- "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.
- "A String",
- ],
- "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.
"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
+ "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.
+ "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.
"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
{ # Max findings configuration per infoType, per content item or long running DlpJob.
"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.
@@ -117,37 +114,19 @@
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
- "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.
- "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.
},
- "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- ],
- "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.
"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.
{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.
"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.
"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.
- "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
- },
- "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
- "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
- "A String",
- ],
- },
- },
+ "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
],
"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
},
- "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.
{ # Type of information detected by the API.
@@ -155,12 +134,18 @@
},
],
},
+ "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.
+ "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
+ "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
+ "A String",
+ ],
+ },
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
+ },
},
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.
- "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
- "windowBefore": 42, # Number of characters before the finding to consider.
- "windowAfter": 42, # Number of characters after the finding to consider.
- },
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
@@ -171,6 +156,10 @@
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.
},
+ "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ },
},
},
],
@@ -181,28 +170,25 @@
],
},
],
+ "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.
+ "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.
"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
- "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.
- "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.
- "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
- },
+ "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.
"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
],
"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
},
+ "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.
+ },
"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.
{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.
- "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
- "windowBefore": 42, # Number of characters before the finding to consider.
- "windowAfter": 42, # Number of characters after the finding to consider.
- },
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
@@ -213,43 +199,96 @@
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.
},
+ "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ },
},
},
],
+ "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.
+ "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.
+ "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
+ },
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
- },
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
"A String",
],
},
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
},
- "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.
- },
- "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.
- "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.
},
],
- "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
+ "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.
+ "A String",
+ ],
+ "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.
+ "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ ],
+ "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.
},
+ "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
+ "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ ],
+ },
+ ],
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ },
+ "deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
+ "locationId": "A String", # Deprecated. This field has no effect.
"deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item. Items specified here will override the template referenced by the deidentify_template_name argument.
"transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
- "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
- },
"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
},
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
+ },
},
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
{ # A transformation to apply to text that is identified as a specific info_type.
"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -257,12 +296,124 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
@@ -272,15 +423,12 @@
"charactersToSkip": "A String", # Characters to not transform when masking.
},
],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -288,182 +436,75 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
},
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
},
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
+ "commonAlphabet": "A String", # Common alphabets.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
},
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
@@ -474,22 +515,53 @@
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
+ { # Configuration to suppress records whose suppression conditions evaluate to true.
+ "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ },
+ ],
+ },
+ },
+ },
+ },
+ ],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
- "fields": [ # Required. Input field(s) to apply the transformation to.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
{ # A transformation to apply to text that is identified as a specific info_type.
"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -497,12 +569,124 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
@@ -512,15 +696,12 @@
"charactersToSkip": "A String", # Characters to not transform when masking.
},
],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -528,182 +709,75 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
},
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
},
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
+ "commonAlphabet": "A String", # Common alphabets.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
},
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
@@ -713,12 +787,15 @@
},
],
},
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -726,12 +803,124 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
@@ -741,15 +930,12 @@
"charactersToSkip": "A String", # Characters to not transform when masking.
},
],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -757,182 +943,75 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
},
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
},
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
+ "commonAlphabet": "A String", # Common alphabets.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
},
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
},
"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
@@ -940,67 +1019,29 @@
"conditions": { # A collection of conditions. # Conditions to apply to the expression.
"conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
- "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- },
- ],
- },
- },
- },
- },
- ],
- "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
- { # Configuration to suppress records whose suppression conditions evaluate to true.
- "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
- "conditions": { # A collection of conditions. # Conditions to apply to the expression.
- "conditions": [ # A collection of conditions.
- { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
"operator": "A String", # Required. Operator used to compare the field or infoType to the value.
- "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
- "name": "A String", # Name describing the field.
- },
},
],
},
@@ -1010,47 +1051,6 @@
],
},
},
- "deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in deidentify_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
- "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.
- "value": "A String", # String data to inspect or redact.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
- "headers": [ # Headers of the table.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [ # Rows of the table.
- { # Values of the row.
- "values": [ # Individual cells.
- { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
- },
- "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
}
x__xgafv: string, V1 error format.
@@ -1063,767 +1063,83 @@
{ # Results of de-identifying a ContentItem.
"item": { # Container structure for the content to inspect. # The de-identified item.
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
"value": "A String", # String data to inspect or redact.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ ],
+ },
+ ],
"headers": [ # Headers of the table.
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
- "rows": [ # Rows of the table.
- { # Values of the row.
- "values": [ # Individual cells.
- { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
},
},
"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`.
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
"transformationSummaries": [ # Transformations applied to the dataset.
{ # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.
- "fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.
- { # The transformation to apply to the field.
- "fields": [ # Required. Input field(s) to apply the transformation to.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
- "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
- { # A transformation to apply to text that is identified as a specific info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
+ "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.
+ "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
},
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
- { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
- "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
- "charactersToSkip": "A String", # Characters to not transform when masking.
- },
- ],
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
- "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
- "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
- },
- "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- ],
- },
- ],
- },
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- },
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
- { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
- "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
- "charactersToSkip": "A String", # Characters to not transform when masking.
- },
- ],
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
},
],
},
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
- "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
- "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
- "conditions": { # A collection of conditions. # Conditions to apply to the expression.
- "conditions": [ # A collection of conditions.
- { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
- "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
- "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
- "name": "A String", # Name describing the field.
- },
- },
- ],
- },
- },
},
},
- ],
- "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- },
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
- { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
- "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
- "charactersToSkip": "A String", # Characters to not transform when masking.
- },
- ],
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
- "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
- "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
- },
- "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"results": [ # Collection of all transformations that took place or had an error.
{ # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.
@@ -1835,43 +1151,727 @@
"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.
"name": "A String", # Name describing the field.
},
- "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.
- "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
- "conditions": { # A collection of conditions. # Conditions to apply to the expression.
- "conditions": [ # A collection of conditions.
- { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
- "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
- "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
- "name": "A String", # Name describing the field.
- },
- },
- ],
+ "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "commonAlphabet": "A String", # Common alphabets.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
},
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
+ "fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
+ { # A transformation to apply to text that is identified as a specific info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "commonAlphabet": "A String", # Common alphabets.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ ],
+ },
+ ],
+ },
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "commonAlphabet": "A String", # Common alphabets.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ },
+ ],
+ },
+ },
+ },
+ },
+ ],
},
],
},
@@ -1888,52 +1888,12 @@
The object takes the form of:
{ # Request to search for potentially sensitive info in a ContentItem.
- "item": { # Container structure for the content to inspect. # The item to inspect.
- "value": "A String", # String data to inspect or redact.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
- "headers": [ # Headers of the table.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [ # Rows of the table.
- { # Values of the row.
- "values": [ # Individual cells.
- { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
- },
"locationId": "A String", # Deprecated. This field has no effect.
+ "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector. What specified here will override the template referenced by the inspect_template_name argument.
- "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.
- "A String",
- ],
- "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.
"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
+ "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.
+ "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.
"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
{ # Max findings configuration per infoType, per content item or long running DlpJob.
"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.
@@ -1942,37 +1902,19 @@
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
- "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.
- "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.
},
- "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- ],
- "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.
"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.
{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.
"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.
"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.
- "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
- },
- "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
- "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
- "A String",
- ],
- },
- },
+ "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
],
"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
},
- "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.
{ # Type of information detected by the API.
@@ -1980,12 +1922,18 @@
},
],
},
+ "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.
+ "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
+ "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
+ "A String",
+ ],
+ },
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
+ },
},
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.
- "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
- "windowBefore": 42, # Number of characters before the finding to consider.
- "windowAfter": 42, # Number of characters after the finding to consider.
- },
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
@@ -1996,6 +1944,10 @@
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.
},
+ "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ },
},
},
],
@@ -2006,28 +1958,25 @@
],
},
],
+ "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.
+ "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.
"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
- "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.
- "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.
- "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
- },
+ "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.
"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
],
"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
},
+ "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.
+ },
"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.
{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.
- "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
- "windowBefore": 42, # Number of characters before the finding to consider.
- "windowAfter": 42, # Number of characters after the finding to consider.
- },
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
@@ -2038,28 +1987,79 @@
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.
},
+ "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ },
},
},
],
+ "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.
+ "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.
+ "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
+ },
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
- },
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
"A String",
],
},
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
},
- "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.
- },
- "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.
- "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.
},
],
- "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
+ "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.
+ "A String",
+ ],
+ "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.
+ "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ ],
+ "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.
},
- "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in inspect_config will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
+ "item": { # Container structure for the content to inspect. # The item to inspect.
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ ],
+ },
+ ],
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ },
}
x__xgafv: string, V1 error format.
@@ -2072,30 +2072,44 @@
{ # Results of inspecting an item.
"result": { # All the findings for a single scanned item. # The findings.
- "findingsTruncated": True or False, # If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches.
"findings": [ # List of findings for an item.
{ # Represents a piece of potentially sensitive content.
- "likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.
- "jobCreateTime": "A String", # Time the job started that produced this finding.
- "name": "A String", # Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings.
- "triggerName": "A String", # Job trigger name, if applicable, for this finding.
- "location": { # Specifies the location of the finding. # Where the content was found.
- "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.
- "end": "A String", # Index of the last character of the range (exclusive).
- "start": "A String", # Index of the first character of the range (inclusive).
+ "quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.
+ "dateTime": { # Message for a date time object. e.g. 2018-01-01, 5th August. # The date time indicated by the quote.
+ "dayOfWeek": "A String", # Day of week
+ "time": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # Time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "timeZone": { # Time zone of the date time object. # Time zone
+ "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.
+ },
+ "date": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # One or more of the following must be set. Must be a valid date or time value.
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
},
+ },
+ "location": { # Specifies the location of the finding. # Where the content was found.
"codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding. These are relative to the finding's containing element. Provided when the content is text.
- "end": "A String", # Index of the last character of the range (exclusive).
"start": "A String", # Index of the first character of the range (inclusive).
+ "end": "A String", # Index of the last character of the range (exclusive).
},
"container": { # Represents a container that may contain DLP findings. Examples of a container include a file, table, or database record. # Information about the container where this finding occurred, if available.
- "type": "A String", # Container type, for example BigQuery or Google Cloud Storage.
- "projectId": "A String", # Project where the finding was found. Can be different from the project that owns the finding.
- "version": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).
"updateTime": "A String", # Findings container modification timestamp, if applicable. For Google Cloud Storage contains last file modification timestamp. For BigQuery table contains last_modified_time property. For Datastore - not populated.
- "relativePath": "A String", # The rest of the path after the root. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the relative path is `table_id` - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative path is `folder/filename.txt`
- "fullPath": "A String", # A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'
+ "version": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).
+ "type": "A String", # Container type, for example BigQuery or Google Cloud Storage.
"rootPath": "A String", # The root of the container. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the root is `dataset_id` - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root is `gs://bucket`
+ "projectId": "A String", # Project where the finding was found. Can be different from the project that owns the finding.
+ "fullPath": "A String", # A string representation of the full container name. Examples: - BigQuery: 'Project:DataSetId.TableId' - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'
+ "relativePath": "A String", # The rest of the path after the root. Examples: - For BigQuery table `project_id:dataset_id.table_id`, the relative path is `table_id` - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative path is `folder/filename.txt`
+ },
+ "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding. These are relative to the finding's containing element. Note that when the content is not textual, this references the UTF-8 encoded textual representation of the content. Omitted if content is an image.
+ "start": "A String", # Index of the first character of the range (inclusive).
+ "end": "A String", # Index of the last character of the range (exclusive).
},
"contentLocations": [ # List of nested objects pointing to the precise location of the finding within the file or record.
{ # Precise location of the finding within a document, record, image, or metadata container.
@@ -2106,33 +2120,8 @@
},
"type": "A String", # Type of metadata containing the finding.
},
- "documentLocation": { # Location of a finding within a document. # Location data for document files.
- "fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding is located.
- },
- "containerName": "A String", # Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: * BigQuery tables: `{project_id}:{dataset_id}.{table_id}` * Cloud Storage files: `gs://{bucket}/{path}` * Datastore namespace: {namespace} Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).
- "imageLocation": { # Location of the finding within an image. # Location within an image's pixels.
- "boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.
- { # Bounding box encompassing detected text within an image.
- "width": 42, # Width of the bounding box in pixels.
- "height": 42, # Height of the bounding box in pixels.
- "left": 42, # Left coordinate of the bounding box. (0,0) is upper left.
- "top": 42, # Top coordinate of the bounding box. (0,0) is upper left.
- },
- ],
- },
"recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.
- "fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.
- "name": "A String", # Name describing the field.
- },
"recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.
- "bigQueryKey": { # Row key for identifying a record in BigQuery table.
- "rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify `inspect_job.storage_config.big_query_options.identifying_fields` in `CreateDlpJobRequest`.
- "tableReference": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Complete BigQuery table reference.
- "datasetId": "A String", # Dataset ID of the table.
- "tableId": "A String", # Name of the table.
- "projectId": "A String", # The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.
- },
- },
"idValues": [ # Values of identifying columns in the given row. Order of values matches the order of `identifying_fields` specified in the scanning request.
"A String",
],
@@ -2140,58 +2129,69 @@
"entityKey": { # A unique identifier for a Datastore entity. If a key's partition ID or any of its path kinds or names are reserved/read-only, the key is reserved/read-only. A reserved/read-only key is forbidden in certain documented contexts. # Datastore entity key.
"path": [ # The entity path. An entity path consists of one or more elements composed of a kind and a string or numerical identifier, which identify entities. The first element identifies a _root entity_, the second element identifies a _child_ of the root entity, the third element identifies a child of the second entity, and so forth. The entities identified by all prefixes of the path are called the element's _ancestors_. A path can never be empty, and a path can have at most 100 elements.
{ # A (kind, ID/name) pair used to construct a key path. If either name or ID is set, the element is complete. If neither is set, the element is incomplete.
- "id": "A String", # The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future.
- "name": "A String", # The name of the entity. A name matching regex `__.*__` is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be `""`.
"kind": "A String", # The kind of the entity. A kind matching regex `__.*__` is reserved/read-only. A kind must not contain more than 1500 bytes when UTF-8 encoded. Cannot be `""`.
+ "name": "A String", # The name of the entity. A name matching regex `__.*__` is reserved/read-only. A name must not be more than 1500 bytes when UTF-8 encoded. Cannot be `""`.
+ "id": "A String", # The auto-allocated ID of the entity. Never equal to zero. Values less than zero are discouraged and may not be supported in the future.
},
],
"partitionId": { # Datastore partition ID. A partition ID identifies a grouping of entities. The grouping is always by project and namespace, however the namespace ID may be empty. A partition ID contains several dimensions: project ID and namespace ID. # Entities are partitioned into subsets, currently identified by a project ID and namespace ID. Queries are scoped to a single partition.
- "namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.
"projectId": "A String", # The ID of the project to which the entities belong.
+ "namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.
},
},
},
+ "bigQueryKey": { # Row key for identifying a record in BigQuery table.
+ "tableReference": { # Message defining the location of a BigQuery table. A table is uniquely identified by its project_id, dataset_id, and table_name. Within a query a table is often referenced with a string in the format of: `:.` or `..`. # Complete BigQuery table reference.
+ "datasetId": "A String", # Dataset ID of the table.
+ "tableId": "A String", # Name of the table.
+ "projectId": "A String", # The Google Cloud Platform project ID of the project containing the table. If omitted, project ID is inferred from the API call.
+ },
+ "rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is nondeterministic, cannot be queried, and may be null for inspection jobs. To locate findings within a table, specify `inspect_job.storage_config.big_query_options.identifying_fields` in `CreateDlpJobRequest`.
+ },
+ },
+ "fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.
+ "name": "A String", # Name describing the field.
},
"tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.
"rowIndex": "A String", # The zero-based index of the row where the finding is located. Only populated for resources that have a natural ordering, not BigQuery. In BigQuery, to identify the row a finding came from, populate BigQueryOptions.identifying_fields with your primary key column names and when you store the findings the value of those columns will be stored inside of Finding.
},
},
+ "imageLocation": { # Location of the finding within an image. # Location within an image's pixels.
+ "boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.
+ { # Bounding box encompassing detected text within an image.
+ "height": 42, # Height of the bounding box in pixels.
+ "top": 42, # Top coordinate of the bounding box. (0,0) is upper left.
+ "left": 42, # Left coordinate of the bounding box. (0,0) is upper left.
+ "width": 42, # Width of the bounding box in pixels.
+ },
+ ],
+ },
+ "documentLocation": { # Location of a finding within a document. # Location data for document files.
+ "fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding is located.
+ },
"containerVersion": "A String", # Findings container version, if available ("generation" for Google Cloud Storage).
+ "containerName": "A String", # Name of the container where the finding is located. The top level name is the source file name or table name. Names of some common storage containers are formatted as follows: * BigQuery tables: `{project_id}:{dataset_id}.{table_id}` * Cloud Storage files: `gs://{bucket}/{path}` * Datastore namespace: {namespace} Nested names could be absent if the embedded object has no string identifier (for an example an image contained within a document).
},
],
},
- "quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set to true and a supported infoType was requested. Currently supported infoTypes: DATE, DATE_OF_BIRTH and TIME.
- "dateTime": { # Message for a date time object. e.g. 2018-01-01, 5th August. # The date time indicated by the quote.
- "date": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # One or more of the following must be set. Must be a valid date or time value.
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "time": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # Time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "timeZone": { # Time zone of the date time object. # Time zone
- "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC. E.g. For "UTC-9", this value is -540.
- },
- "dayOfWeek": "A String", # Day of week
- },
- },
"quote": "A String", # The content that was found. Even if the content is not textual, it may be converted to a textual representation here. Provided if `include_quote` is true and the finding is less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes in length, the quote may be omitted.
+ "findingId": "A String", # The unique finding id.
+ "name": "A String", # Resource name in format projects/{project}/locations/{location}/findings/{finding} Populated only when viewing persisted findings.
"infoType": { # Type of information detected by the API. # The type of content that might have been found. Provided if `excluded_types` is false.
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
- "jobName": "A String", # The job that stored the finding.
- "findingId": "A String", # The unique finding id.
- "resourceName": "A String", # The job that stored the finding.
- "createTime": "A String", # Timestamp when finding was detected.
+ "jobCreateTime": "A String", # Time the job started that produced this finding.
"labels": { # The labels associated with this `Finding`. Label keys must be between 1 and 63 characters long and must conform to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`. Label values must be between 0 and 63 characters long and must conform to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`. No more than 10 labels can be associated with a given finding. Examples: * `"environment" : "production"` * `"pipeline" : "etl"`
"a_key": "A String",
},
+ "resourceName": "A String", # The job that stored the finding.
+ "triggerName": "A String", # Job trigger name, if applicable, for this finding.
+ "createTime": "A String", # Timestamp when finding was detected.
+ "likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.
+ "jobName": "A String", # The job that stored the finding.
},
],
+ "findingsTruncated": True or False, # If true, then this item might have more findings than were returned, and the findings returned are an arbitrary subset of all findings. The findings list might be truncated because the input items were too large, or because the server reached the maximum amount of resources allowed for a single API call. For best results, divide the input into smaller batches.
},
}</pre>
</div>
@@ -2206,24 +2206,20 @@
The object takes the form of:
{ # Request to re-identify an item.
- "reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`. Any configuration directly specified in `reidentify_config` or `inspect_config` will override those set in the template. The `DeidentifyTemplate` used must include only reversible transformations. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
- "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
"reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item. This field shares the same proto message type that is used for de-identification, however its usage here is for the reversal of the previous de-identification. Re-identification is performed by examining the transformations used to de-identify the items and executing the reverse. This requires that only reversible transformations be provided here. The reversible transformations are: - `CryptoDeterministicConfig` - `CryptoReplaceFfxFpeConfig`
"transformationErrorHandling": { # How to handle transformation errors during de-identification. A transformation error occurs when the requested transformation is incompatible with the data. For example, trying to de-identify an IP address using a `DateShift` transformation would result in a transformation error, since date info cannot be extracted from an IP address. Information about any incompatible transformations, and how they were handled, is returned in the response as part of the `TransformationOverviews`. # Mode for handling transformation errors. If left unspecified, the default mode is `TransformationErrorHandling.ThrowError`.
- "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
- },
"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
},
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would cause an error. For example, if a `DateShift` transformation were applied an an IP address, this mode would leave the IP address unchanged in the response. # Ignore errors
+ },
},
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the dataset as free-form text and apply the same free text transformation everywhere.
"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
{ # A transformation to apply to text that is identified as a specific info_type.
"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -2231,12 +2227,124 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
@@ -2246,15 +2354,12 @@
"charactersToSkip": "A String", # Characters to not transform when masking.
},
],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -2262,182 +2367,75 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
},
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
},
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
+ "commonAlphabet": "A String", # Common alphabets.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
},
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
@@ -2448,22 +2446,53 @@
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a table. # Treat the dataset as structured. Transformations can be applied to specific locations within structured datasets, such as transforming a column within a table.
+ "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
+ { # Configuration to suppress records whose suppression conditions evaluate to true.
+ "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ },
+ ],
+ },
+ },
+ },
+ },
+ ],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
- "fields": [ # Required. Input field(s) to apply the transformation to.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
{ # A transformation to apply to text that is identified as a specific info_type.
"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -2471,12 +2500,124 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
@@ -2486,15 +2627,12 @@
"charactersToSkip": "A String", # Characters to not transform when masking.
},
],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -2502,182 +2640,75 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
},
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
},
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
+ "commonAlphabet": "A String", # Common alphabets.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
},
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
@@ -2687,12 +2718,15 @@
},
],
},
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -2700,12 +2734,124 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
@@ -2715,15 +2861,12 @@
"charactersToSkip": "A String", # Characters to not transform when masking.
},
],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
"wrappedKey": "A String", # Required. The wrapped data crypto key.
@@ -2731,182 +2874,75 @@
"unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
"key": "A String", # Required. A 128/192/256 bit key.
},
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
"transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
"name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
},
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
},
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
+ "commonAlphabet": "A String", # Common alphabets.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
"upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
},
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
},
"condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
@@ -2914,67 +2950,29 @@
"conditions": { # A collection of conditions. # Conditions to apply to the expression.
"conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
- "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- },
- ],
- },
- },
- },
- },
- ],
- "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that match any suppression rule are omitted from the output.
- { # Configuration to suppress records whose suppression conditions evaluate to true.
- "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
- "conditions": { # A collection of conditions. # Conditions to apply to the expression.
- "conditions": [ # A collection of conditions.
- { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
"value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
"operator": "A String", # Required. Operator used to compare the field or infoType to the value.
- "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
- "name": "A String", # Name describing the field.
- },
},
],
},
@@ -2984,12 +2982,51 @@
],
},
},
+ "reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`. Any configuration directly specified in `reidentify_config` or `inspect_config` will override those set in the template. The `DeidentifyTemplate` used must include only reversible transformations. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
+ "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in `inspect_config` will override those set in the template. Singular fields that are set in this request will replace their corresponding fields in the template. Repeated fields are appended. Singular sub-messages and groups are recursively merged.
+ "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ ],
+ },
+ ],
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ },
"inspectConfig": { # Configuration description of the scanning process. When used with redactContent only info_types and min_likelihood are currently used. # Configuration for the inspector.
- "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.
- "A String",
- ],
- "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.
"limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
+ "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.
+ "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.
"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
{ # Max findings configuration per infoType, per content item or long running DlpJob.
"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per info_type should be provided. If InfoTypeLimit does not have an info_type, the DLP API applies the limit against all info_types that are found but not specified in another InfoTypeLimit.
@@ -2998,37 +3035,19 @@
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
- "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned. When set within `InspectJobConfig`, the maximum returned is 2000 regardless if this is set higher. When set within `InspectContentRequest`, this field is ignored.
- "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job. When set within `InspectContentRequest`, the maximum returned is 2000 regardless if this is set higher.
},
- "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- ],
- "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.
"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig. Exclusion rules, contained in the set are executed in the end, other rules are executed in the order they are specified for each info type.
{ # Rule set for modifying a set of infoTypes to alter behavior under certain circumstances, depending on the specific details of the rules within the set.
"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
{ # A single inspection rule to be applied to infoTypes, specified in `InspectionRuleSet`.
"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in `InspectionRuleSet` are removed from results. # Exclusion rule.
- "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
- },
- "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
- "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
- "A String",
- ],
- },
- },
+ "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
],
"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
},
- "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or contained within with a finding of an infoType from this list. For example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and `exclusion_rule` containing `exclude_info_types.info_types` with "EMAIL_ADDRESS" the phone number findings are dropped if they overlap with EMAIL_ADDRESS finding. That leads to "555-222-2222@example.org" to generate only a single finding, namely email address.
{ # Type of information detected by the API.
@@ -3036,12 +3055,18 @@
},
],
},
+ "dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # Dictionary which defines the rule.
+ "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
+ "words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
+ "A String",
+ ],
+ },
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
+ },
},
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.
- "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
- "windowBefore": 42, # Number of characters before the finding to consider.
- "windowAfter": 42, # Number of characters after the finding to consider.
- },
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
@@ -3052,6 +3077,10 @@
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.
},
+ "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ },
},
},
],
@@ -3062,28 +3091,25 @@
],
},
],
+ "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
"customInfoTypes": [ # CustomInfoTypes provided by the user. See https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
{ # Custom information type provided by the user. Used to find domain-specific sensitive information configurable to the data in question.
+ "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.
"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in infoType, when the name matches one of existing infoTypes and that infoType is specified in `InspectContent.info_types` field. Specifying the latter adds findings to the one detected by the system. If built-in info type is not specified in `InspectContent.info_types` list then the name is treated as a custom info type.
"name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
- "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.
- "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.
- "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
- },
+ "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.
"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
],
"pattern": "A String", # Pattern defining the regular expression. Its syntax (https://github.com/google/re2/wiki/Syntax) can be found under the google/re2 repository on GitHub.
},
+ "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.
+ },
"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType. Rules are applied in order that they are specified. Not supported for the `surrogate_type` CustomInfoType.
{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a `CustomInfoType` to alter behavior under certain circumstances, depending on the specific details of the rule. Not supported for the `surrogate_type` custom infoType.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain proximity of hotwords. # Hotword-based detection rule.
- "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
- "windowBefore": 42, # Number of characters before the finding to consider.
- "windowAfter": 42, # Number of characters after the finding to consider.
- },
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"groupIndexes": [ # The index of the submatch to extract as findings. When not specified, the entire match is returned. No more than 3 may be included.
42,
@@ -3094,65 +3120,39 @@
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of levels. For example, if a finding would be `POSSIBLE` without the detection rule and `relative_likelihood` is 1, then it is upgraded to `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`. Likelihood may never drop below `VERY_UNLIKELY` or exceed `VERY_LIKELY`, so applying an adjustment of 1 followed by an adjustment of -1 when base likelihood is `VERY_LIKELY` will result in a final likelihood of `LIKELY`.
},
+ "proximity": { # Message for specifying a window around a finding to apply a detection rule. # Proximity of the finding within which the entire hotword must reside. The total length of the window cannot exceed 1000 characters. Note that the finding itself will be included in the window, so that hotwords may be used to match substrings of the finding itself. For example, the certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be adjusted upwards if the area code is known to be the local area code of a company office using the hotword regex "\(xxx\)", where "xxx" is the area code in question.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ },
},
},
],
+ "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in `InspectDataSource`. Not currently supported in `InspectContent`.
+ "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for inspection was created. Output-only field, populated by the system.
+ "name": "A String", # Resource name of the requested `StoredInfoType`, for example `organizations/433245324/storedInfoTypes/432452342` or `projects/project-id/storedInfoTypes/432452342`.
+ },
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can be used to match sensitive information specific to the data, such as a list of employee IDs or job titles. Dictionary words are case-insensitive and all characters other than letters and digits in the unicode [Basic Multilingual Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane) will be replaced with whitespace when scanning for matches, so the dictionary phrase "Sam Johnson" will match all three phrases "sam johnson", "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters surrounding any match must be of a different type than the adjacent characters within the word, so letters must be next to non-letters and digits next to non-digits. For example, the dictionary word "jen" will match the first three letters of the text "jen123" but will return no matches for "jennifer". Dictionary words containing a large number of characters that are not letters or digits may result in unexpected findings because such characters are treated as whitespace. The [limits](https://cloud.google.com/dlp/limits) page contains details about the size limits of dictionaries. For dictionaries that do not fit within these constraints, consider using `LargeCustomDictionaryConfig` in the `StoredInfoType` API. # A list of phrases to detect as a CustomInfoType.
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
- },
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain at least one phrase and every phrase must contain at least 2 characters that are letters or digits. [required]
"A String",
],
},
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage. Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
},
- "surrogateType": { # Message for detecting output from deidentification transformations such as [`CryptoReplaceFfxFpeConfig`](https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig). These types of transformations are those that perform pseudonymization, thereby producing a "surrogate" as output. This should be used in conjunction with a field on the transformation such as `surrogate_info_type`. This CustomInfoType does not support the use of `detection_rules`. # Message for detecting output from deidentification transformations that support reversing.
- },
- "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding to be returned. It still can be used for rules matching.
- "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be altered by a detection rule if the finding meets the criteria specified by the rule. Defaults to `VERY_LIKELY` if not specified.
},
],
- "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
- },
- "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.
- "value": "A String", # String data to inspect or redact.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
- "headers": [ # Headers of the table.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [ # Rows of the table.
- { # Values of the row.
- "values": [ # Individual cells.
- { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
+ "contentOptions": [ # List of options defining data content to scan. If empty, text, images, and other content will be included.
+ "A String",
+ ],
+ "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is included in the response; see Finding.quote.
+ "infoTypes": [ # Restricts what info_types to look for. The values must correspond to InfoType values returned by ListInfoTypes or listed at https://cloud.google.com/dlp/docs/infotypes-reference. When no InfoTypes or CustomInfoTypes are specified in a request, the system may automatically choose what detectors to run. By default this may be all types, but may change over time as detectors are updated. If you need precise control and predictability as to what detectors are run you should specify specific InfoTypes listed in the reference, otherwise a default list will be used, which may change over time.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ ],
+ "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is POSSIBLE. See https://cloud.google.com/dlp/docs/likelihood to learn more.
},
"locationId": "A String", # Deprecated. This field has no effect.
}
@@ -3166,729 +3166,84 @@
An object of the form:
{ # Results of re-identifying a item.
+ "item": { # Container structure for the content to inspect. # The re-identified item.
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ ],
+ },
+ ],
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ },
+ },
"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
"transformationSummaries": [ # Transformations applied to the dataset.
{ # Summary of a single transformation. Only one of 'transformation', 'field_transformation', or 'record_suppress' will be set.
- "fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.
- { # The transformation to apply to the field.
- "fields": [ # Required. Input field(s) to apply the transformation to.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
- "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
- { # A transformation to apply to text that is identified as a specific info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
+ "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.
+ "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
},
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
- { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
- "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
- "charactersToSkip": "A String", # Characters to not transform when masking.
- },
- ],
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
- "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
- "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
- },
- "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- ],
- },
- ],
- },
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- },
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
- { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
- "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
- "charactersToSkip": "A String", # Characters to not transform when masking.
- },
- ],
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
"dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
"day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
"month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
"year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
"timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
"timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
},
"dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
"booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
},
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
},
],
},
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
- "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
- "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
- "conditions": { # A collection of conditions. # Conditions to apply to the expression.
- "conditions": [ # A collection of conditions.
- { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
- "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
- "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
- "name": "A String", # Name describing the field.
- },
- },
- ],
- },
- },
},
},
- ],
- "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- },
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
- { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
- "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
- "charactersToSkip": "A String", # Characters to not transform when masking.
- },
- ],
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
- "name": "A String", # Name describing the field.
- },
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
- "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
- "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
- "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
- },
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
- "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
- "wrappedKey": "A String", # Required. The wrapped data crypto key.
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
- "key": "A String", # Required. A 128/192/256 bit key.
- },
- },
- "commonAlphabet": "A String", # Common alphabets.
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
- },
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
- "partToExtract": "A String", # The part of the time to keep.
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
- "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
- "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`. # Replace
- "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
- },
- },
- "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
- "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
},
"results": [ # Collection of all transformations that took place or had an error.
{ # A collection that informs the user the number of times a particular `TransformationResultCode` and error details occurred.
@@ -3900,84 +3255,729 @@
"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.
"name": "A String", # Name describing the field.
},
- "recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to true. # The specific suppression option these stats apply to.
- "condition": { # A condition for determining whether a transformation should be applied to a field. # A condition that when it evaluates to true will result in the record being evaluated to be suppressed from the transformed content.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
- "conditions": { # A collection of conditions. # Conditions to apply to the expression.
- "conditions": [ # A collection of conditions.
- { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
- "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
- },
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- },
- "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
- "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
- "name": "A String", # Name describing the field.
- },
- },
- ],
+ "infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "commonAlphabet": "A String", # Common alphabets.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
},
},
},
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
- },
- ],
- },
- "item": { # Container structure for the content to inspect. # The re-identified item.
- "value": "A String", # String data to inspect or redact.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more. # Structured content for inspection. See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to learn more.
- "headers": [ # Headers of the table.
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [ # Rows of the table.
- { # Values of the row.
- "values": [ # Individual cells.
- { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data.
- "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
- "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
- "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
- "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "fieldTransformations": [ # The field transformation that was applied. If multiple field transformations are requested for a single field, this list will contain all of them; otherwise, only one is supplied.
+ { # The transformation to apply to the field.
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and apply various `PrimitiveTransformation`s to each finding, where the transformation is applied to only values that were identified as a specific info_type. # Treat the contents of the field as free text, and selectively transform content that matches an `InfoType`.
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one for a given infoType.
+ { # A transformation to apply to text that is identified as a specific info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "commonAlphabet": "A String", # Common alphabets.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause this transformation to apply to all findings that correspond to infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ ],
+ },
+ ],
+ },
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
},
- "dayOfWeekValue": "A String", # day of week
- "integerValue": "A String", # integer
- "booleanValue": True or False, # boolean
- "stringValue": "A String", # string
- "floatValue": 3.14, # float
- "timestampValue": "A String", # timestamp
- "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting to learn more. # Date Shift
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Causes the shift to be computed based on this key and the context. This results in the same shift for the same context and crypto_key. If set, must also set context. Can only be applied to table items.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id. If set, must also set cryptoKey. If set, shift will be consistent for the given context.
+ "name": "A String", # Name describing the field.
+ },
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this range (inclusive ends). Negative means shift to earlier in time. Must not be more than 365250 days (1000 years) each direction. For example, 3 means shift date to at most 3 days into the future.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a portion of the value. # Time extraction
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the output would be 'My phone number is '. # Redact
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and replacement values are dynamically provided by the user for custom behavior, such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH This can be used on data of type: number, long, string, timestamp. If the bound `Value` type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Bucketing
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Upper bound of the range, exclusive; type must match min.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "replacementValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Replacement value for this bucket.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "min": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Lower bound of the range, inclusive. Type should be the same as max if used.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ ],
+ },
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given input. Outputs a base64 encoded representation of the encrypted output. Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297. # Deterministic Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the encryption function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom info type followed by the number of characters comprising the surrogate. The following scheme defines the format: {info type name}({surrogate character count}):{surrogate} For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom info type 'Surrogate'. This facilitates reversal of the surrogate when it occurs in free text. Note: For record transformations where the entire cell in a table is being transformed, surrogates are not mandatory. Surrogates are used to denote the location of the token and are necessary for re-identification in free form text. In order for inspection to work properly, the name of this info type must not occur naturally anywhere in your data; otherwise, inspection may either - reverse a surrogate that does not correspond to an actual identifier - be unable to parse the surrogate and result in an error Therefore, choose your custom info type name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining referential integrity such that the same identifier in two different contexts will be given a distinct surrogate. The context is appended to plaintext value being encrypted. On decryption the provided context is validated against the value used during encryption. If a context was provided during encryption, same context must be provided during decryption as well. If the context is not set, plaintext would be used as is for encryption. If the context is set but: 1. there is no record present when transforming a given value or 2. the field is not present when transforming a given value, plaintext would be used as is for encryption. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to replace it with.
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a fixed character. Masking can start from the beginning or end of the string. This can be used on data of any type (numbers, longs, and so on) and when de-identifying structured data we'll attempt to preserve the original data's type. (This allows you to take a long like 123 and modify it to a string like **3. # Mask
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing characters. For example, if the input string is `555-555-5555` and you instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values—for example, `*` for an alphabetic string such as a name, or `0` for a numeric string such as ZIP code or credit card number. This string must have a length of 1. If not supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the input string `1234-5678-9012-3456` is masked as `00000000000000-3456`. If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order` is `true`, then the string `12345` is masked as `12***`.
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be masked. Skipped characters do not count towards this tally.
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. Uses SHA-256. The key size must be either 32 or 64 bytes. Outputs a base64 encoded representation of the hashed output (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=). Currently, only string and integer values can be hashed. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. # Crypto
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # The key used by the hash function.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption (FPE) with the FFX mode of operation; however when used in the `ReidentifyContent` API method, it serves the opposite function by reversing the surrogate back into the original identifier. The identifier must be encoded as ASCII. For a given crypto key and context, the same identifier will be replaced with the same surrogate. Identifiers must be at least two characters long. In the case that the identifier is the empty string, it will be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn more. Note: We recommend using CryptoDeterministicConfig for all use cases which do not require preserving the input alphabet space and size, plus warrant referential integrity. # Ffx-Fpe
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with. This annotation will be applied to the surrogate by prefixing it with the name of the custom infoType followed by the number of characters comprising the surrogate. The following scheme defines the format: info_type_name(surrogate_character_count):surrogate For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and the surrogate is 'abc', the full replacement value will be: 'MY_TOKEN_INFO_TYPE(3):abc' This annotation identifies the surrogate when inspecting content using the custom infoType [`SurrogateType`](https://cloud.google.com/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype). This facilitates reversal of the surrogate when it occurs in free text. In order for inspection to work properly, the name of this infoType must not occur naturally anywhere in your data; otherwise, inspection may find a surrogate that does not correspond to an actual identifier. Therefore, choose your custom infoType name carefully after considering what your data looks like. One way to select a name that has a high chance of yielding reliable detection is to include one or more unicode characters that are highly improbable to exist in your data. For example, assuming your data is entered from a regular ASCII keyboard, the symbol with the hex code point 29DD might be used like so: ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when creating a CustomInfoType, or one of the names listed at https://cloud.google.com/dlp/docs/infotypes-reference when specifying a built-in type. When sending Cloud DLP results to Data Catalog, infoType names should conform to the pattern `[A-Za-z0-9$-_]{1,64}`.
+ },
+ "commonAlphabet": "A String", # Common alphabets.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same identifier in two different contexts won't be given the same surrogate. If the context is not set, a default tweak will be used. If the context is set but: 1. there is no record present when transforming a given value or 1. the field is not present when transforming a given value, a default tweak will be used. Note that case (1) is expected when an `InfoTypeTransformation` is applied to both structured and non-structured `ContentItem`s. Currently, the referenced field may be of value type integer or string. The tweak is constructed as a sequence of bytes in big endian byte order such that: - a 64 bit integer is encoded followed by a single byte of value 1 - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to a key encryption key (KEK) stored by KMS). When using KMS to wrap/unwrap DEKs, be sure to set an appropriate IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot unwrap the data crypto key. # Required. The key used by the encryption algorithm.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. The wrapped key must be a 128/192/256 bit key. Authorization requires the following IAM permissions when sending a request to perform a crypto transformation using a kms-wrapped crypto key: dlp.kms.encrypt # Kms wrapped key
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally leaking the key. Choose another type of key if possible. # Unwrapped crypto key
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. It will be discarded after the request finishes. # Transient crypto key
+ "name": "A String", # Required. Name of the key. This is an arbitrary string used to differentiate different keys. A unique key is generated per name: two separate `TransientCryptoKey` protos share the same generated key if their names are the same. When the data crypto key is generated, this name is not used in any way (repeating the api call will result in a different key being generated).
+ },
+ },
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters that the FFX mode natively supports. This happens before/after encryption/decryption. Each character listed must appear only once. Number of characters must be in the range [2, 95]. This must be encoded as ASCII. The order of characters does not matter. The full list of allowed characters is: 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz ~`!@#$%^&*()_-+={[}]|\:;"'<,>.?/
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The Bucketing transformation can provide all of this functionality, but requires more configuration. This message is provided as a convenience to the user for simple bucketing strategies. The transformed value will be a hyphenated string of {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20 all values that are within this bucket will be replaced with "10-20". This can be used on data of type: double, long. If the bound Value type differs from the type of data being transformed, we will first attempt converting the type of the data to be transformed to match the type of the bound before comparing. See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more. # Fixed size bucketing
+ "lowerBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Lower bound value of buckets. All values less than `lower_bound` are grouped together into a single bucket; for example if `lower_bound` = 10, then all values less than 10 are replaced with the value "-10".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60, 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ "upperBound": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Required. Upper bound value of buckets. All values greater than upper_bound are grouped together into a single bucket; for example if `upper_bound` = 89, then all values greater than 89 are replaced with the value "89+".
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
},
},
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
+ "condition": { # A condition for determining whether a transformation should be applied to a field. # Only apply the transformation if the condition evaluates to true for the given `RecordCondition`. The conditions are allowed to reference fields that are not used in the actual transformation. Example Use Cases: - Apply a different bucket transformation to an age column if the zip code column for the same record is within a specific range. - Redact a field if the date of birth field is greater than 85.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently only supported value is `AND`.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be considered equal, but not all comparisons are possible. EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types, but all other comparisons are invalid with incompatible types. A `value` of type: - `string` can be compared against all other types - `boolean` can only be compared against other booleans - `integer` can be compared against doubles or a string if the string value can be parsed as an integer. - `double` can be compared against integers or a string if the string can be parsed as a double. - `Timestamp` can be compared against strings in RFC 3339 date string format. - `TimeOfDay` can be compared against timestamps and strings in the format of 'HH:mm:ss'. If we fail to compare do to type mismatch, a warning will be given and the condition will evaluate to false.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. Note that for the purposes of inspection or transformation, the number of bytes considered to comprise a 'Value' is based on its representation as a UTF-8 encoded string. For example, if 'integer_value' is set to 123456789, the number of bytes would be counted as 9, even though an int64 only holds up to 8 bytes of data. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ "floatValue": 3.14, # float
+ "integerValue": "A String", # integer
+ "dateValue": { # Represents a whole or partial calendar date, such as a birthday. The time of day and time zone are either specified elsewhere or are insignificant. The date is relative to the Gregorian Calendar. This can represent one of the following: * A full date, with non-zero year, month, and day values * A month and day value, with a zero year, such as an anniversary * A year on its own, with zero month and day values * A year and month value, with a zero day, such as a credit card expiration date Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`. # date
+ "day": 42, # Day of a month. Must be from 1 to 31 and valid for the year and month, or 0 to specify a year by itself or a year and month where the day isn't significant.
+ "month": 42, # Month of a year. Must be from 1 to 12, or 0 to specify a year without a month and day.
+ "year": 42, # Year of the date. Must be from 1 to 9999, or 0 to specify a date without a year.
+ },
+ "timestampValue": "A String", # timestamp
+ "stringValue": "A String", # string
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant or are specified elsewhere. An API may choose to allow leap seconds. Related types are google.type.Date and `google.protobuf.Timestamp`. # time of day
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose to allow the value "24:00:00" for scenarios like business closing time.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may allow the value 60 if it allows leap-seconds.
+ },
+ "dayOfWeekValue": "A String", # day of week
+ "booleanValue": True or False, # boolean
+ },
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ },
+ ],
+ },
+ },
+ },
+ },
+ ],
+ },
+ ],
},
}</pre>
</div>