chore: regens API reference docs (#889)
diff --git a/docs/dyn/dlp_v2.projects.content.html b/docs/dyn/dlp_v2.projects.content.html
index d93cf1b..588cb89 100644
--- a/docs/dyn/dlp_v2.projects.content.html
+++ b/docs/dyn/dlp_v2.projects.content.html
@@ -75,17 +75,17 @@
<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.content.html">content</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
- <code><a href="#deidentify">deidentify(parent, body, x__xgafv=None)</a></code></p>
+ <code><a href="#deidentify">deidentify(parent, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">De-identifies potentially sensitive info from a ContentItem.</p>
<p class="toc_element">
- <code><a href="#inspect">inspect(parent, body, x__xgafv=None)</a></code></p>
+ <code><a href="#inspect">inspect(parent, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Finds potentially sensitive info in content.</p>
<p class="toc_element">
- <code><a href="#reidentify">reidentify(parent, body, x__xgafv=None)</a></code></p>
+ <code><a href="#reidentify">reidentify(parent, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Re-identifies content that has been de-identified.</p>
<h3>Method Details</h3>
<div class="method">
- <code class="details" id="deidentify">deidentify(parent, body, x__xgafv=None)</code>
+ <code class="details" id="deidentify">deidentify(parent, body=None, x__xgafv=None)</code>
<pre>De-identifies potentially sensitive info from a ContentItem.
This method has limits on input size and output size.
See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to
@@ -97,20 +97,402 @@
Args:
parent: string, The parent resource name, for example projects/my-project-id. (required)
- body: object, The request body. (required)
+ body: object, The request body.
The object takes the form of:
{ # Request to de-identify a list of items.
- "deidentifyTemplateName": "A String", # Optional template to use. Any configuration directly specified in
+ "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
+ # Items specified here will override the template referenced by the
+ # inspect_template_name argument.
+ # When used with redactContent only info_types and min_likelihood are currently
+ # used.
+ "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
+ "limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
+ "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
+ # When set within `InspectContentRequest`, the maximum returned is 2000
+ # regardless if this is set higher.
+ "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
+ { # Max findings configuration per infoType, per content item or long
+ # running DlpJob.
+ "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
+ # info_type should be provided. If InfoTypeLimit does not have an
+ # info_type, the DLP API applies the limit against all info_types that
+ # are found but not specified in another InfoTypeLimit.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ "maxFindings": 42, # Max findings limit for the given infoType.
+ },
+ ],
+ "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
+ # When set within `InspectJobConfig`,
+ # the maximum returned is 2000 regardless if this is set higher.
+ # When set within `InspectContentRequest`, this field is ignored.
+ },
+ "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
+ # POSSIBLE.
+ # See https://cloud.google.com/dlp/docs/likelihood to learn more.
+ "customInfoTypes": [ # CustomInfoTypes provided by the user. See
+ # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
+ { # Custom information type provided by the user. Used to find domain-specific
+ # sensitive information configurable to the data in question.
+ "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
+ "pattern": "A String", # Pattern defining the regular expression. Its syntax
+ # (https://github.com/google/re2/wiki/Syntax) can be found under the
+ # google/re2 repository on GitHub.
+ "groupIndexes": [ # The index of the submatch to extract as findings. When not
+ # specified, the entire match is returned. No more than 3 may be included.
+ 42,
+ ],
+ },
+ "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
+ # support reversing.
+ # such as
+ # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
+ # These types of transformations are
+ # those that perform pseudonymization, thereby producing a "surrogate" as
+ # output. This should be used in conjunction with a field on the
+ # transformation such as `surrogate_info_type`. This CustomInfoType does
+ # not support the use of `detection_rules`.
+ },
+ "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
+ # infoType, when the name matches one of existing infoTypes and that infoType
+ # is specified in `InspectContent.info_types` field. Specifying the latter
+ # adds findings to the one detected by the system. If built-in info type is
+ # not specified in `InspectContent.info_types` list then the name is treated
+ # as a custom info type.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
+ # be used to match sensitive information specific to the data, such as a list
+ # of employee IDs or job titles.
+ #
+ # Dictionary words are case-insensitive and all characters other than letters
+ # and digits in the unicode [Basic Multilingual
+ # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
+ # will be replaced with whitespace when scanning for matches, so the
+ # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
+ # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
+ # surrounding any match must be of a different type than the adjacent
+ # characters within the word, so letters must be next to non-letters and
+ # digits next to non-digits. For example, the dictionary word "jen" will
+ # match the first three letters of the text "jen123" but will return no
+ # matches for "jennifer".
+ #
+ # Dictionary words containing a large number of characters that are not
+ # letters or digits may result in unexpected findings because such characters
+ # are treated as whitespace. The
+ # [limits](https://cloud.google.com/dlp/limits) page contains details about
+ # the size limits of dictionaries. For dictionaries that do not fit within
+ # these constraints, consider using `LargeCustomDictionaryConfig` in the
+ # `StoredInfoType` API.
+ "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
+ "words": [ # Words or phrases defining the dictionary. The dictionary must contain
+ # at least one phrase and every phrase must contain at least 2 characters
+ # that are letters or digits. [required]
+ "A String",
+ ],
+ },
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
+ # is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
+ # Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
+ },
+ "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
+ # `InspectDataSource`. Not currently supported in `InspectContent`.
+ "name": "A String", # Resource name of the requested `StoredInfoType`, for example
+ # `organizations/433245324/storedInfoTypes/432452342` or
+ # `projects/project-id/storedInfoTypes/432452342`.
+ "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
+ # inspection was created. Output-only field, populated by the system.
+ },
+ "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
+ # Rules are applied in order that they are specified. Not supported for the
+ # `surrogate_type` CustomInfoType.
+ { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
+ # `CustomInfoType` to alter behavior under certain circumstances, depending
+ # on the specific details of the rule. Not supported for the `surrogate_type`
+ # custom infoType.
+ "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
+ # proximity of hotwords.
+ "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
+ # The total length of the window cannot exceed 1000 characters. Note that
+ # the finding itself will be included in the window, so that hotwords may
+ # be used to match substrings of the finding itself. For example, the
+ # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
+ # adjusted upwards if the area code is known to be the local area code of
+ # a company office using the hotword regex "\(xxx\)", where "xxx"
+ # is the area code in question.
+ # rule.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ },
+ "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
+ "pattern": "A String", # Pattern defining the regular expression. Its syntax
+ # (https://github.com/google/re2/wiki/Syntax) can be found under the
+ # google/re2 repository on GitHub.
+ "groupIndexes": [ # The index of the submatch to extract as findings. When not
+ # specified, the entire match is returned. No more than 3 may be included.
+ 42,
+ ],
+ },
+ "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
+ # part of a detection rule.
+ "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
+ # levels. For example, if a finding would be `POSSIBLE` without the
+ # detection rule and `relative_likelihood` is 1, then it is upgraded to
+ # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
+ # Likelihood may never drop below `VERY_UNLIKELY` or exceed
+ # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
+ # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
+ # a final likelihood of `LIKELY`.
+ "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
+ },
+ },
+ },
+ ],
+ "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
+ # to be returned. It still can be used for rules matching.
+ "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
+ # altered by a detection rule if the finding meets the criteria specified by
+ # the rule. Defaults to `VERY_LIKELY` if not specified.
+ },
+ ],
+ "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
+ # included in the response; see Finding.quote.
+ "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
+ # Exclusion rules, contained in the set are executed in the end, other
+ # rules are executed in the order they are specified for each info type.
+ { # Rule set for modifying a set of infoTypes to alter behavior under certain
+ # circumstances, depending on the specific details of the rules within the set.
+ "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
+ { # A single inspection rule to be applied to infoTypes, specified in
+ # `InspectionRuleSet`.
+ "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
+ # proximity of hotwords.
+ "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
+ # The total length of the window cannot exceed 1000 characters. Note that
+ # the finding itself will be included in the window, so that hotwords may
+ # be used to match substrings of the finding itself. For example, the
+ # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
+ # adjusted upwards if the area code is known to be the local area code of
+ # a company office using the hotword regex "\(xxx\)", where "xxx"
+ # is the area code in question.
+ # rule.
+ "windowBefore": 42, # Number of characters before the finding to consider.
+ "windowAfter": 42, # Number of characters after the finding to consider.
+ },
+ "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
+ "pattern": "A String", # Pattern defining the regular expression. Its syntax
+ # (https://github.com/google/re2/wiki/Syntax) can be found under the
+ # google/re2 repository on GitHub.
+ "groupIndexes": [ # The index of the submatch to extract as findings. When not
+ # specified, the entire match is returned. No more than 3 may be included.
+ 42,
+ ],
+ },
+ "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
+ # part of a detection rule.
+ "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
+ # levels. For example, if a finding would be `POSSIBLE` without the
+ # detection rule and `relative_likelihood` is 1, then it is upgraded to
+ # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
+ # Likelihood may never drop below `VERY_UNLIKELY` or exceed
+ # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
+ # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
+ # a final likelihood of `LIKELY`.
+ "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
+ },
+ },
+ "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
+ # `InspectionRuleSet` are removed from results.
+ "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
+ "pattern": "A String", # Pattern defining the regular expression. Its syntax
+ # (https://github.com/google/re2/wiki/Syntax) can be found under the
+ # google/re2 repository on GitHub.
+ "groupIndexes": [ # The index of the submatch to extract as findings. When not
+ # specified, the entire match is returned. No more than 3 may be included.
+ 42,
+ ],
+ },
+ "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
+ "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
+ # contained within with a finding of an infoType from this list. For
+ # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
+ # `exclusion_rule` containing `exclude_info_types.info_types` with
+ # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
+ # with EMAIL_ADDRESS finding.
+ # That leads to "555-222-2222@example.org" to generate only a single
+ # finding, namely email address.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ ],
+ },
+ "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
+ # be used to match sensitive information specific to the data, such as a list
+ # of employee IDs or job titles.
+ #
+ # Dictionary words are case-insensitive and all characters other than letters
+ # and digits in the unicode [Basic Multilingual
+ # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
+ # will be replaced with whitespace when scanning for matches, so the
+ # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
+ # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
+ # surrounding any match must be of a different type than the adjacent
+ # characters within the word, so letters must be next to non-letters and
+ # digits next to non-digits. For example, the dictionary word "jen" will
+ # match the first three letters of the text "jen123" but will return no
+ # matches for "jennifer".
+ #
+ # Dictionary words containing a large number of characters that are not
+ # letters or digits may result in unexpected findings because such characters
+ # are treated as whitespace. The
+ # [limits](https://cloud.google.com/dlp/limits) page contains details about
+ # the size limits of dictionaries. For dictionaries that do not fit within
+ # these constraints, consider using `LargeCustomDictionaryConfig` in the
+ # `StoredInfoType` API.
+ "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
+ "words": [ # Words or phrases defining the dictionary. The dictionary must contain
+ # at least one phrase and every phrase must contain at least 2 characters
+ # that are letters or digits. [required]
+ "A String",
+ ],
+ },
+ "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
+ # is accepted.
+ "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
+ # Example: gs://[BUCKET_NAME]/dictionary.txt
+ },
+ },
+ "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
+ },
+ },
+ ],
+ "infoTypes": [ # List of infoTypes this rule set is applied to.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ ],
+ },
+ ],
+ "contentOptions": [ # List of options defining data content to scan.
+ # If empty, text, images, and other content will be included.
+ "A String",
+ ],
+ "infoTypes": [ # Restricts what info_types to look for. The values must correspond to
+ # InfoType values returned by ListInfoTypes or listed at
+ # https://cloud.google.com/dlp/docs/infotypes-reference.
+ #
+ # When no InfoTypes or CustomInfoTypes are specified in a request, the
+ # system may automatically choose what detectors to run. By default this may
+ # be all types, but may change over time as detectors are updated.
+ #
+ # If you need precise control and predictability as to what detectors are
+ # run you should specify specific InfoTypes listed in the reference,
+ # otherwise a default list will be used, which may change over time.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ ],
+ },
+ "deidentifyTemplateName": "A String", # Template to use. Any configuration directly specified in
# deidentify_config will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
- "inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in
+ "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in
# inspect_config will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
+ "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
+ # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
+ # learn more.
+ # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
+ # learn more.
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ ],
+ },
+ ],
+ },
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
+ },
+ "locationId": "A String", # The geographic location to process de-identification. Reserved for future
+ # extensions.
"deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item.
# Items specified here will override the template referenced by the
# deidentify_template_name argument.
@@ -119,43 +501,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -163,21 +514,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -185,7 +536,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -209,7 +560,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -219,6 +570,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -231,21 +587,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -255,18 +646,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -276,7 +667,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -286,31 +677,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -320,7 +710,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -330,88 +720,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -419,160 +773,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -585,26 +798,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -612,13 +825,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -672,20 +885,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -695,7 +1082,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -705,17 +1092,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -727,7 +1114,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -738,15 +1125,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -766,20 +1153,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -789,7 +1176,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -799,17 +1186,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -822,48 +1209,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -871,21 +1917,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -893,7 +1939,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -917,7 +1963,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -927,6 +1973,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -939,21 +1990,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -963,18 +2049,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -984,7 +2070,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -994,31 +2080,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -1028,7 +2113,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -1038,88 +2123,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -1127,160 +2176,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -1293,26 +2201,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -1320,13 +2228,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -1380,20 +2288,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -1403,7 +2485,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -1413,17 +2495,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -1435,1081 +2517,32 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
- },
- "inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
- # Items specified here will override the template referenced by the
- # inspect_template_name argument.
- # When used with redactContent only info_types and min_likelihood are currently
- # used.
- "excludeInfoTypes": True or False, # When true, excludes type information of the findings.
- "limits": {
- "maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
- # When set within `InspectContentRequest`, the maximum returned is 2000
- # regardless if this is set higher.
- "maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
- { # Max findings configuration per infoType, per content item or long
- # running DlpJob.
- "infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
- # info_type should be provided. If InfoTypeLimit does not have an
- # info_type, the DLP API applies the limit against all info_types that
- # are found but not specified in another InfoTypeLimit.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- "maxFindings": 42, # Max findings limit for the given infoType.
- },
- ],
- "maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
- # When set within `InspectDataSourceRequest`,
- # the maximum returned is 2000 regardless if this is set higher.
- # When set within `InspectContentRequest`, this field is ignored.
- },
- "minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
- # POSSIBLE.
- # See https://cloud.google.com/dlp/docs/likelihood to learn more.
- "customInfoTypes": [ # CustomInfoTypes provided by the user. See
- # https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
- { # Custom information type provided by the user. Used to find domain-specific
- # sensitive information configurable to the data in question.
- "regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
- "pattern": "A String", # Pattern defining the regular expression. Its syntax
- # (https://github.com/google/re2/wiki/Syntax) can be found under the
- # google/re2 repository on GitHub.
- "groupIndexes": [ # The index of the submatch to extract as findings. When not
- # specified, the entire match is returned. No more than 3 may be included.
- 42,
- ],
- },
- "surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
- # support reversing.
- # such as
- # [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
- # These types of transformations are
- # those that perform pseudonymization, thereby producing a "surrogate" as
- # output. This should be used in conjunction with a field on the
- # transformation such as `surrogate_info_type`. This CustomInfoType does
- # not support the use of `detection_rules`.
- },
- "infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
- # infoType, when the name matches one of existing infoTypes and that infoType
- # is specified in `InspectContent.info_types` field. Specifying the latter
- # adds findings to the one detected by the system. If built-in info type is
- # not specified in `InspectContent.info_types` list then the name is treated
- # as a custom info type.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
- # be used to match sensitive information specific to the data, such as a list
- # of employee IDs or job titles.
- #
- # Dictionary words are case-insensitive and all characters other than letters
- # and digits in the unicode [Basic Multilingual
- # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
- # will be replaced with whitespace when scanning for matches, so the
- # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
- # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
- # surrounding any match must be of a different type than the adjacent
- # characters within the word, so letters must be next to non-letters and
- # digits next to non-digits. For example, the dictionary word "jen" will
- # match the first three letters of the text "jen123" but will return no
- # matches for "jennifer".
- #
- # Dictionary words containing a large number of characters that are not
- # letters or digits may result in unexpected findings because such characters
- # are treated as whitespace. The
- # [limits](https://cloud.google.com/dlp/limits) page contains details about
- # the size limits of dictionaries. For dictionaries that do not fit within
- # these constraints, consider using `LargeCustomDictionaryConfig` in the
- # `StoredInfoType` API.
- "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
- "words": [ # Words or phrases defining the dictionary. The dictionary must contain
- # at least one phrase and every phrase must contain at least 2 characters
- # that are letters or digits. [required]
- "A String",
- ],
- },
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
- # is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
- # Example: gs://[BUCKET_NAME]/dictionary.txt
- },
- },
- "storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
- # `InspectDataSource`. Not currently supported in `InspectContent`.
- "name": "A String", # Resource name of the requested `StoredInfoType`, for example
- # `organizations/433245324/storedInfoTypes/432452342` or
- # `projects/project-id/storedInfoTypes/432452342`.
- "createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
- # inspection was created. Output-only field, populated by the system.
- },
- "detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
- # Rules are applied in order that they are specified. Not supported for the
- # `surrogate_type` CustomInfoType.
- { # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
- # `CustomInfoType` to alter behavior under certain circumstances, depending
- # on the specific details of the rule. Not supported for the `surrogate_type`
- # custom infoType.
- "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
- # proximity of hotwords.
- "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
- # The total length of the window cannot exceed 1000 characters. Note that
- # the finding itself will be included in the window, so that hotwords may
- # be used to match substrings of the finding itself. For example, the
- # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
- # adjusted upwards if the area code is known to be the local area code of
- # a company office using the hotword regex "\(xxx\)", where "xxx"
- # is the area code in question.
- # rule.
- "windowAfter": 42, # Number of characters after the finding to consider.
- "windowBefore": 42, # Number of characters before the finding to consider.
- },
- "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
- "pattern": "A String", # Pattern defining the regular expression. Its syntax
- # (https://github.com/google/re2/wiki/Syntax) can be found under the
- # google/re2 repository on GitHub.
- "groupIndexes": [ # The index of the submatch to extract as findings. When not
- # specified, the entire match is returned. No more than 3 may be included.
- 42,
- ],
- },
- "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
- # part of a detection rule.
- "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
- # levels. For example, if a finding would be `POSSIBLE` without the
- # detection rule and `relative_likelihood` is 1, then it is upgraded to
- # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
- # Likelihood may never drop below `VERY_UNLIKELY` or exceed
- # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
- # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
- # a final likelihood of `LIKELY`.
- "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
- },
- },
- },
- ],
- "exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
- # to be returned. It still can be used for rules matching.
- "likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
- # altered by a detection rule if the finding meets the criteria specified by
- # the rule. Defaults to `VERY_LIKELY` if not specified.
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
},
- ],
- "includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
- # included in the response; see Finding.quote.
- "ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
- # Exclusion rules, contained in the set are executed in the end, other
- # rules are executed in the order they are specified for each info type.
- { # Rule set for modifying a set of infoTypes to alter behavior under certain
- # circumstances, depending on the specific details of the rules within the set.
- "rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
- { # A single inspection rule to be applied to infoTypes, specified in
- # `InspectionRuleSet`.
- "hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
- # proximity of hotwords.
- "proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
- # The total length of the window cannot exceed 1000 characters. Note that
- # the finding itself will be included in the window, so that hotwords may
- # be used to match substrings of the finding itself. For example, the
- # certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
- # adjusted upwards if the area code is known to be the local area code of
- # a company office using the hotword regex "\(xxx\)", where "xxx"
- # is the area code in question.
- # rule.
- "windowAfter": 42, # Number of characters after the finding to consider.
- "windowBefore": 42, # Number of characters before the finding to consider.
- },
- "hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
- "pattern": "A String", # Pattern defining the regular expression. Its syntax
- # (https://github.com/google/re2/wiki/Syntax) can be found under the
- # google/re2 repository on GitHub.
- "groupIndexes": [ # The index of the submatch to extract as findings. When not
- # specified, the entire match is returned. No more than 3 may be included.
- 42,
- ],
- },
- "likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
- # part of a detection rule.
- "relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
- # levels. For example, if a finding would be `POSSIBLE` without the
- # detection rule and `relative_likelihood` is 1, then it is upgraded to
- # `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
- # Likelihood may never drop below `VERY_UNLIKELY` or exceed
- # `VERY_LIKELY`, so applying an adjustment of 1 followed by an
- # adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
- # a final likelihood of `LIKELY`.
- "fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
- },
- },
- "exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
- # `InspectionRuleSet` are removed from results.
- "regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
- "pattern": "A String", # Pattern defining the regular expression. Its syntax
- # (https://github.com/google/re2/wiki/Syntax) can be found under the
- # google/re2 repository on GitHub.
- "groupIndexes": [ # The index of the submatch to extract as findings. When not
- # specified, the entire match is returned. No more than 3 may be included.
- 42,
- ],
- },
- "excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
- "infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
- # contained within with a finding of an infoType from this list. For
- # example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
- # `exclusion_rule` containing `exclude_info_types.info_types` with
- # "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
- # with EMAIL_ADDRESS finding.
- # That leads to "555-222-2222@example.org" to generate only a single
- # finding, namely email address.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- ],
- },
- "dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
- # be used to match sensitive information specific to the data, such as a list
- # of employee IDs or job titles.
- #
- # Dictionary words are case-insensitive and all characters other than letters
- # and digits in the unicode [Basic Multilingual
- # Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
- # will be replaced with whitespace when scanning for matches, so the
- # dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
- # "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
- # surrounding any match must be of a different type than the adjacent
- # characters within the word, so letters must be next to non-letters and
- # digits next to non-digits. For example, the dictionary word "jen" will
- # match the first three letters of the text "jen123" but will return no
- # matches for "jennifer".
- #
- # Dictionary words containing a large number of characters that are not
- # letters or digits may result in unexpected findings because such characters
- # are treated as whitespace. The
- # [limits](https://cloud.google.com/dlp/limits) page contains details about
- # the size limits of dictionaries. For dictionaries that do not fit within
- # these constraints, consider using `LargeCustomDictionaryConfig` in the
- # `StoredInfoType` API.
- "wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
- "words": [ # Words or phrases defining the dictionary. The dictionary must contain
- # at least one phrase and every phrase must contain at least 2 characters
- # that are letters or digits. [required]
- "A String",
- ],
- },
- "cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
- # is accepted.
- "path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
- # Example: gs://[BUCKET_NAME]/dictionary.txt
- },
- },
- "matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
- },
- },
- ],
- "infoTypes": [ # List of infoTypes this rule set is applied to.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- ],
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
},
- ],
- "contentOptions": [ # List of options defining data content to scan.
- # If empty, text, images, and other content will be included.
- "A String",
- ],
- "infoTypes": [ # Restricts what info_types to look for. The values must correspond to
- # InfoType values returned by ListInfoTypes or listed at
- # https://cloud.google.com/dlp/docs/infotypes-reference.
- #
- # When no InfoTypes or CustomInfoTypes are specified in a request, the
- # system may automatically choose what detectors to run. By default this may
- # be all types, but may change over time as detectors are updated.
- #
- # The special InfoType name "ALL_BASIC" can be used to trigger all detectors,
- # but may change over time as new InfoTypes are added. If you need precise
- # control and predictability as to what detectors are run you should specify
- # specific InfoTypes listed in the reference.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- ],
- },
- "item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
- # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
- # learn more.
- # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
- # learn more.
- "headers": [
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [
- {
- "values": [
- { # Set of primitive values supported by the system.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- ],
- },
- ],
},
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
- "value": "A String", # String data to inspect or redact.
},
}
@@ -2532,7 +2565,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.
# true.
@@ -2540,8 +2573,8 @@
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -2561,20 +2594,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -2584,7 +2617,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -2594,17 +2627,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -2614,11 +2647,11 @@
},
},
},
- "results": [
+ "results": [ # Collection of all transformations that took place or had an error.
{ # A collection that informs the user the number of times a particular
# `TransformationResultCode` and error details occurred.
- "count": "A String",
- "code": "A String",
+ "count": "A String", # Number of transformations counted by this result.
+ "code": "A String", # Outcome of the transformation.
"details": "A String", # A place for warnings or errors to show up if a transformation didn't
# work as expected.
},
@@ -2630,658 +2663,13 @@
# If multiple field transformations are requested for a single field,
# this list will contain all of them; otherwise, only one is supplied.
{ # The transformation to apply to the field.
- "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
- # transform content that matches an `InfoType`.
- # apply various `PrimitiveTransformation`s to each finding, where the
- # transformation is applied to only values that were identified as a specific
- # info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
- { # A transformation to apply to text that is identified as a specific
- # info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
- # this transformation to apply to all findings that correspond to
- # infoTypes that were requested in `InspectConfig`.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- ],
- },
- ],
- },
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -3289,21 +2677,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -3311,7 +2699,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -3335,7 +2723,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -3345,6 +2733,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -3357,21 +2750,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -3381,18 +2809,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3402,7 +2830,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3412,31 +2840,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3446,7 +2873,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3456,88 +2883,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -3545,160 +2936,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -3711,26 +2961,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -3738,13 +2988,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -3798,20 +3048,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3821,7 +3245,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3831,23 +3255,23 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
+ # that are not used in the actual transformation.
#
# Example Use Cases:
#
@@ -3856,8 +3280,8 @@
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -3877,20 +3301,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3900,7 +3324,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3910,17 +3334,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -3929,47 +3353,635 @@
# only supported value is `AND`.
},
},
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ ],
+ },
+ ],
+ },
},
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -3977,21 +3989,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -3999,7 +4011,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -4023,7 +4035,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -4033,6 +4045,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -4045,21 +4062,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -4069,18 +4121,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4090,7 +4142,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4100,31 +4152,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4134,7 +4185,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4144,88 +4195,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -4233,160 +4248,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -4399,26 +4273,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -4426,13 +4300,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -4486,20 +4360,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4509,7 +4557,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4519,17 +4567,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -4543,24 +4591,24 @@
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
- "headers": [
+ "headers": [ # Headers of the table.
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
- "rows": [
- {
- "values": [
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4570,7 +4618,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4580,17 +4628,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
],
},
@@ -4606,7 +4654,7 @@
</div>
<div class="method">
- <code class="details" id="inspect">inspect(parent, body, x__xgafv=None)</code>
+ <code class="details" id="inspect">inspect(parent, body=None, x__xgafv=None)</code>
<pre>Finds potentially sensitive info in content.
This method has limits on input size, processing time, and output size.
@@ -4619,34 +4667,38 @@
Args:
parent: string, The parent resource name, for example projects/my-project-id. (required)
- body: object, The request body. (required)
+ body: object, The request body.
The object takes the form of:
{ # Request to search for potentially sensitive info in a ContentItem.
+ "locationId": "A String", # The geographic location to process content inspection. Reserved for future
+ # extensions.
+ # When inspecting images location is restricted to 'global', 'us', 'asia',
+ # and 'europe'.
"item": { # Container structure for the content to inspect. # The item to inspect.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
- "headers": [
+ "headers": [ # Headers of the table.
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
- "rows": [
- {
- "values": [
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4656,7 +4708,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4666,17 +4718,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
],
},
@@ -4693,7 +4745,7 @@
# When used with redactContent only info_types and min_likelihood are currently
# used.
"excludeInfoTypes": True or False, # When true, excludes type information of the findings.
- "limits": {
+ "limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
# When set within `InspectContentRequest`, the maximum returned is 2000
# regardless if this is set higher.
@@ -4708,13 +4760,13 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
- # When set within `InspectDataSourceRequest`,
+ # When set within `InspectJobConfig`,
# the maximum returned is 2000 regardless if this is set higher.
# When set within `InspectContentRequest`, this field is ignored.
},
@@ -4754,7 +4806,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
# be used to match sensitive information specific to the data, such as a list
@@ -4818,8 +4870,8 @@
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
- "windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
+ "windowAfter": 42, # Number of characters after the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
@@ -4873,8 +4925,8 @@
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
- "windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
+ "windowAfter": 42, # Number of characters after the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
@@ -4923,7 +4975,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -4973,7 +5025,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -4990,20 +5042,19 @@
# system may automatically choose what detectors to run. By default this may
# be all types, but may change over time as detectors are updated.
#
- # The special InfoType name "ALL_BASIC" can be used to trigger all detectors,
- # but may change over time as new InfoTypes are added. If you need precise
- # control and predictability as to what detectors are run you should specify
- # specific InfoTypes listed in the reference.
+ # If you need precise control and predictability as to what detectors are
+ # run you should specify specific InfoTypes listed in the reference,
+ # otherwise a default list will be used, which may change over time.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
- "inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in
+ "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in
# inspect_config will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
@@ -5034,25 +5085,40 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
+ "name": "A String", # Resource name in format
+ # projects/{project}/locations/{location}/findings/{finding} Populated only
+ # when viewing persisted findings.
"quote": "A String", # The content that was found. Even if the content is not textual, it
# may be converted to a textual representation here.
# Provided if `include_quote` is true and the finding is
# less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes
# in length, the quote may be omitted.
+ "labels": { # The labels associated with this `Finding`.
+ #
+ # Label keys must be between 1 and 63 characters long and must conform
+ # to the following regular expression: `[a-z]([-a-z0-9]*[a-z0-9])?`.
+ #
+ # Label values must be between 0 and 63 characters long and must conform
+ # to the regular expression `([a-z]([-a-z0-9]*[a-z0-9])?)?`.
+ #
+ # No more than 10 labels can be associated with a given finding.
+ #
+ # Examples:
+ # * `"environment" : "production"`
+ # * `"pipeline" : "etl"`
+ "a_key": "A String",
+ },
+ "jobName": "A String", # The job that stored the finding.
"quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set
# to true and a supported infoType was requested. Currently supported
# infoTypes: DATE, DATE_OF_BIRTH and TIME.
"dateTime": { # Message for a date time object. # The date time indicated by the quote.
# e.g. 2018-01-01, 5th August.
- "dayOfWeek": "A String",
- "timeZone": {
- "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC.
- # E.g. For "UTC-9", this value is -540.
- },
- "date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # One or more of the following must be set. All fields are optional, but
- # when set must be valid date or time values.
+ "dayOfWeek": "A String", # Day of week
+ "date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # One or more of the following must be set.
+ # Must be a valid date or time value.
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5062,15 +5128,19 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "time": { # Represents a time of day. The date and time zone are either not significant
+ "timeZone": { # Time zone of the date time object. # Time zone
+ "offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC.
+ # E.g. For "UTC-9", this value is -540.
+ },
+ "time": { # Represents a time of day. The date and time zone are either not significant # Time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5082,34 +5152,62 @@
},
},
},
+ "jobCreateTime": "A String", # Time the job started that produced this finding.
"location": { # Specifies the location of the finding. # Where the content was found.
- "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding.
- # These are relative to the finding's containing element.
- # Note that when the content is not textual, this references
- # the UTF-8 encoded textual representation of the content.
- # Omitted if content is an image.
- "start": "A String", # Index of the first character of the range (inclusive).
- "end": "A String", # Index of the last character of the range (exclusive).
- },
"codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding.
# These are relative to the finding's containing element.
# Provided when the content is text.
"start": "A String", # Index of the first character of the range (inclusive).
"end": "A String", # Index of the last character of the range (exclusive).
},
+ "container": { # Represents a container that may contain DLP findings. # Information about the container where this finding occurred, if available.
+ # Examples of a container include a file, table, or database record.
+ "updateTime": "A String", # Findings container modification timestamp, if applicable.
+ # For Google Cloud Storage contains last file modification timestamp.
+ # For BigQuery table contains last_modified_time property.
+ # For Datastore - not populated.
+ "relativePath": "A String", # The rest of the path after the root.
+ # Examples:
+ # - For BigQuery table `project_id:dataset_id.table_id`, the relative path is
+ # `table_id`
+ # - Google Cloud Storage file `gs://bucket/folder/filename.txt`, the relative
+ # path is `folder/filename.txt`
+ "rootPath": "A String", # The root of the container.
+ # Examples:
+ # - For BigQuery table `project_id:dataset_id.table_id`, the root is
+ # `dataset_id`
+ # - For Google Cloud Storage file `gs://bucket/folder/filename.txt`, the root
+ # is `gs://bucket`
+ "version": "A String", # Findings container version, if available
+ # ("generation" for Google Cloud Storage).
+ "projectId": "A String", # Project where the finding was found.
+ # Can be different from the project that owns the finding.
+ "fullPath": "A String", # A string representation of the full container name.
+ # Examples:
+ # - BigQuery: 'Project:DataSetId.TableId'
+ # - Google Cloud Storage: 'gs://Bucket/folders/filename.txt'
+ "type": "A String", # Container type, for example BigQuery or Google Cloud Storage.
+ },
"contentLocations": [ # List of nested objects pointing to the precise location of the finding
# within the file or record.
- { # Findings container location data.
+ { # Precise location of the finding within a document, record, image, or metadata
+ # container.
"containerName": "A String", # Name of the container where the finding is located.
# The top level name is the source file name or table name. Names of some
# common storage containers are formatted as follows:
#
- # * BigQuery tables: `<project_id>:<dataset_id>.<table_id>`
- # * Cloud Storage files: `gs://<bucket>/<path>`
- # * Datastore namespace: <namespace>
+ # * BigQuery tables: `{project_id}:{dataset_id}.{table_id}`
+ # * Cloud Storage files: `gs://{bucket}/{path}`
+ # * Datastore namespace: {namespace}
#
# Nested names could be absent if the embedded object has no string
# identifier (for an example an image contained within a document).
+ "metadataLocation": { # Metadata Location # Location within the metadata for inspected content.
+ "type": "A String", # Type of metadata containing the finding.
+ "storageLabel": { # Storage metadata label to indicate which metadata entry contains findings. # Storage metadata.
+ "key": "A String",
+ },
+ },
"containerVersion": "A String", # Findings container version, if available
# ("generation" for Google Cloud Storage).
"containerTimestamp": "A String", # Findings container modification timestamp, if applicable.
@@ -5131,29 +5229,37 @@
],
},
"recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.
+ "tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.
+ "rowIndex": "A String", # The zero-based index of the row where the finding is located. Only
+ # populated for resources that have a natural ordering, not BigQuery. In
+ # BigQuery, to identify the row a finding came from, populate
+ # BigQueryOptions.identifying_fields with your primary key column names and
+ # when you store the findings the value of those columns will be stored
+ # inside of Finding.
+ },
"fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.
"name": "A String", # Name describing the field.
},
- "tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.
- "rowIndex": "A String", # The zero-based index of the row where the finding is located.
- },
"recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.
"bigQueryKey": { # Row key for identifying a record in BigQuery table.
"tableReference": { # Message defining the location of a BigQuery table. A table is uniquely # Complete BigQuery table reference.
# identified by its project_id, dataset_id, and table_name. Within a query
# a table is often referenced with a string in the format of:
- # `<project_id>:<dataset_id>.<table_id>` or
- # `<project_id>.<dataset_id>.<table_id>`.
+ # `<project_id>:<dataset_id>.<table_id>` or
+ # `<project_id>.<dataset_id>.<table_id>`.
"projectId": "A String", # The Google Cloud Platform project ID of the project containing the table.
# If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
"datasetId": "A String", # Dataset ID of the table.
},
- "rowNumber": "A String", # Absolute number of the row from the beginning of the table at the time
- # of scanning.
+ "rowNumber": "A String", # Row number inferred at the time the table was scanned. This value is
+ # nondeterministic, cannot be queried, and may be null for inspection
+ # jobs. To locate findings within a table, specify
+ # `inspect_job.storage_config.big_query_options.identifying_fields` in
+ # `CreateDlpJobRequest`.
},
"idValues": [ # Values of identifying columns in the given row. Order of values matches
- # the order of field identifiers specified in the scanning request.
+ # the order of `identifying_fields` specified in the scanning request.
"A String",
],
"datastoreKey": { # Record key for a finding in Cloud Datastore.
@@ -5204,7 +5310,17 @@
},
},
],
+ "byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding.
+ # These are relative to the finding's containing element.
+ # Note that when the content is not textual, this references
+ # the UTF-8 encoded textual representation of the content.
+ # Omitted if content is an image.
+ "start": "A String", # Index of the first character of the range (inclusive).
+ "end": "A String", # Index of the last character of the range (exclusive).
+ },
},
+ "triggerName": "A String", # Job trigger name, if applicable, for this finding.
+ "resourceName": "A String", # The job that stored the finding.
"likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.
"createTime": "A String", # Timestamp when finding was detected.
},
@@ -5214,15 +5330,15 @@
</div>
<div class="method">
- <code class="details" id="reidentify">reidentify(parent, body, x__xgafv=None)</code>
+ <code class="details" id="reidentify">reidentify(parent, body=None, x__xgafv=None)</code>
<pre>Re-identifies content that has been de-identified.
See
https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example
to learn more.
Args:
- parent: string, The parent resource name. (required)
- body: object, The request body. (required)
+ parent: string, Required. The parent resource name. (required)
+ body: object, The request body.
The object takes the form of:
{ # Request to re-identify an item.
@@ -5234,49 +5350,19 @@
# reverse. This requires that only reversible transformations
# be provided here. The reversible transformations are:
#
+ # - `CryptoDeterministicConfig`
# - `CryptoReplaceFfxFpeConfig`
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -5284,21 +5370,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -5306,7 +5392,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -5330,7 +5416,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -5340,6 +5426,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -5352,21 +5443,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -5376,18 +5502,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5397,7 +5523,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5407,31 +5533,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5441,7 +5566,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5451,88 +5576,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -5540,160 +5629,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -5706,26 +5654,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -5733,13 +5681,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -5793,20 +5741,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5816,7 +5938,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5826,17 +5948,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -5848,7 +5970,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -5859,15 +5981,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -5887,20 +6009,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5910,7 +6032,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5920,17 +6042,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -5943,48 +6065,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -5992,21 +6773,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -6014,7 +6795,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -6038,7 +6819,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -6048,6 +6829,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -6060,21 +6846,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -6084,18 +6905,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6105,7 +6926,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6115,31 +6936,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6149,7 +6969,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6159,88 +6979,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -6248,160 +7032,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -6414,26 +7057,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -6441,13 +7084,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -6501,20 +7144,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6524,7 +7341,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6534,17 +7351,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -6556,712 +7373,116 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
+ },
+ ],
+ },
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
+ },
+ "inspectTemplateName": "A String", # Template to use. Any configuration directly specified in
+ # `inspect_config` will override those set in the template. Singular fields
+ # that are set in this request will replace their corresponding fields in the
+ # template. Repeated fields are appended. Singular sub-messages and groups
+ # are recursively merged.
+ "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
+ # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
+ # learn more.
+ # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
+ # learn more.
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
#
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
#
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
],
},
],
},
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
},
- "reidentifyTemplateName": "A String", # Optional template to use. References an instance of `DeidentifyTemplate`.
+ "reidentifyTemplateName": "A String", # Template to use. References an instance of `DeidentifyTemplate`.
# Any configuration directly specified in `reidentify_config` or
# `inspect_config` will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
+ "locationId": "A String", # The geographic location to process content reidentification. Reserved for
+ # future extensions.
"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
# When used with redactContent only info_types and min_likelihood are currently
# used.
"excludeInfoTypes": True or False, # When true, excludes type information of the findings.
- "limits": {
+ "limits": { # Configuration to control the number of findings returned. # Configuration to control the number of findings returned.
"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
# When set within `InspectContentRequest`, the maximum returned is 2000
# regardless if this is set higher.
@@ -7276,13 +7497,13 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
- # When set within `InspectDataSourceRequest`,
+ # When set within `InspectJobConfig`,
# the maximum returned is 2000 regardless if this is set higher.
# When set within `InspectContentRequest`, this field is ignored.
},
@@ -7322,7 +7543,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
# be used to match sensitive information specific to the data, such as a list
@@ -7386,8 +7607,8 @@
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
- "windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
+ "windowAfter": 42, # Number of characters after the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
@@ -7441,8 +7662,8 @@
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
- "windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
+ "windowAfter": 42, # Number of characters after the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
@@ -7491,7 +7712,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -7541,7 +7762,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -7558,89 +7779,18 @@
# system may automatically choose what detectors to run. By default this may
# be all types, but may change over time as detectors are updated.
#
- # The special InfoType name "ALL_BASIC" can be used to trigger all detectors,
- # but may change over time as new InfoTypes are added. If you need precise
- # control and predictability as to what detectors are run you should specify
- # specific InfoTypes listed in the reference.
+ # If you need precise control and predictability as to what detectors are
+ # run you should specify specific InfoTypes listed in the reference,
+ # otherwise a default list will be used, which may change over time.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
- "inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in
- # `inspect_config` will override those set in the template. Singular fields
- # that are set in this request will replace their corresponding fields in the
- # template. Repeated fields are appended. Singular sub-messages and groups
- # are recursively merged.
- "item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
- # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
- # learn more.
- # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
- # learn more.
- "headers": [
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [
- {
- "values": [
- { # Set of primitive values supported by the system.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
- "value": "A String", # String data to inspect or redact.
- },
}
x__xgafv: string, V1 error format.
@@ -7652,6 +7802,71 @@
An object of the form:
{ # Results of re-identifying a item.
+ "item": { # Container structure for the content to inspect. # The re-identified item.
+ "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
+ # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
+ # learn more.
+ # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
+ # learn more.
+ "headers": [ # Headers of the table.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "rows": [ # Rows of the table.
+ { # Values of the row.
+ "values": [ # Individual cells.
+ { # Set of primitive values supported by the system.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ ],
+ },
+ ],
+ },
+ "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
+ "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
+ "data": "A String", # Content data to inspect or redact.
+ },
+ "value": "A String", # String data to inspect or redact.
+ },
"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.
"transformationSummaries": [ # Transformations applied to the dataset.
{ # Summary of a single transformation.
@@ -7662,7 +7877,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.
# true.
@@ -7670,8 +7885,8 @@
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -7691,20 +7906,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -7714,7 +7929,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -7724,17 +7939,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -7744,11 +7959,11 @@
},
},
},
- "results": [
+ "results": [ # Collection of all transformations that took place or had an error.
{ # A collection that informs the user the number of times a particular
# `TransformationResultCode` and error details occurred.
- "count": "A String",
- "code": "A String",
+ "count": "A String", # Number of transformations counted by this result.
+ "code": "A String", # Outcome of the transformation.
"details": "A String", # A place for warnings or errors to show up if a transformation didn't
# work as expected.
},
@@ -7760,658 +7975,13 @@
# If multiple field transformations are requested for a single field,
# this list will contain all of them; otherwise, only one is supplied.
{ # The transformation to apply to the field.
- "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
- # transform content that matches an `InfoType`.
- # apply various `PrimitiveTransformation`s to each finding, where the
- # transformation is applied to only values that were identified as a specific
- # info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
- { # A transformation to apply to text that is identified as a specific
- # info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
- # this transformation to apply to all findings that correspond to
- # infoTypes that were requested in `InspectConfig`.
- { # Type of information detected by the API.
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- ],
- },
- ],
- },
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -8419,21 +7989,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -8441,7 +8011,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -8465,7 +8035,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -8475,6 +8045,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -8487,21 +8062,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -8511,18 +8121,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -8532,7 +8142,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -8542,31 +8152,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -8576,7 +8185,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -8586,88 +8195,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -8675,160 +8248,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -8841,26 +8273,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -8868,13 +8300,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -8928,20 +8360,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -8951,7 +8557,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -8961,23 +8567,23 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
+ # that are not used in the actual transformation.
#
# Example Use Cases:
#
@@ -8986,8 +8592,8 @@
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -9007,20 +8613,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9030,7 +8636,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9040,17 +8646,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -9059,47 +8665,635 @@
# only supported value is `AND`.
},
},
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
+ "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
+ # transform content that matches an `InfoType`.
+ # apply various `PrimitiveTransformation`s to each finding, where the
+ # transformation is applied to only values that were identified as a specific
+ # info_type.
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
+ { # A transformation to apply to text that is identified as a specific
+ # info_type.
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
+ # this transformation to apply to all findings that correspond to
+ # infoTypes that were requested in `InspectConfig`.
+ { # Type of information detected by the API.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ ],
+ },
+ ],
+ },
},
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -9107,21 +9301,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -9129,7 +9323,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -9153,7 +9347,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -9163,6 +9357,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -9175,21 +9374,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -9199,18 +9433,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9220,7 +9454,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9230,31 +9464,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9264,7 +9497,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9274,88 +9507,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -9363,160 +9560,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -9529,26 +9585,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -9556,13 +9612,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -9616,20 +9672,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9639,7 +9869,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9649,17 +9879,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -9667,71 +9897,6 @@
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
},
- "item": { # Container structure for the content to inspect. # The re-identified item.
- "table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
- # https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
- # learn more.
- # See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
- # learn more.
- "headers": [
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
- "rows": [
- {
- "values": [
- { # Set of primitive values supported by the system.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- ],
- },
- ],
- },
- "byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
- "type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
- "data": "A String", # Content data to inspect or redact.
- },
- "value": "A String", # String data to inspect or redact.
- },
}</pre>
</div>