chore: regens API reference docs (#889)
diff --git a/docs/dyn/dlp_v2.projects.deidentifyTemplates.html b/docs/dyn/dlp_v2.projects.deidentifyTemplates.html
index 4408665..79abd28 100644
--- a/docs/dyn/dlp_v2.projects.deidentifyTemplates.html
+++ b/docs/dyn/dlp_v2.projects.deidentifyTemplates.html
@@ -75,7 +75,7 @@
<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.deidentifyTemplates.html">deidentifyTemplates</a></h1>
<h2>Instance Methods</h2>
<p class="toc_element">
- <code><a href="#create">create(parent, body, x__xgafv=None)</a></code></p>
+ <code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>
<p class="toc_element">
<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
@@ -84,32 +84,32 @@
<code><a href="#get">get(name, x__xgafv=None)</a></code></p>
<p class="firstline">Gets a DeidentifyTemplate.</p>
<p class="toc_element">
- <code><a href="#list">list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)</a></code></p>
+ <code><a href="#list">list(parent, orderBy=None, pageSize=None, locationId=None, pageToken=None, x__xgafv=None)</a></code></p>
<p class="firstline">Lists DeidentifyTemplates.</p>
<p class="toc_element">
<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
<p class="firstline">Retrieves the next page of results.</p>
<p class="toc_element">
- <code><a href="#patch">patch(name, body, x__xgafv=None)</a></code></p>
+ <code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>
<p class="firstline">Updates the DeidentifyTemplate.</p>
<h3>Method Details</h3>
<div class="method">
- <code class="details" id="create">create(parent, body, x__xgafv=None)</code>
+ <code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>
<pre>Creates a DeidentifyTemplate for re-using frequently used configuration
for de-identifying content, images, and storage.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
- parent: string, The parent resource name, for example projects/my-project-id or
+ parent: string, Required. The parent resource name, for example projects/my-project-id or
organizations/my-org-id. (required)
- body: object, The request body. (required)
+ body: object, The request body.
The object takes the form of:
{ # Request message for CreateDeidentifyTemplate.
- "deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # The DeidentifyTemplate to create.
+ "deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
- "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
@@ -118,43 +118,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -162,21 +131,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -184,7 +153,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -208,7 +177,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -218,6 +187,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -230,21 +204,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -254,18 +263,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -275,7 +284,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -285,31 +294,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -319,7 +327,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -329,88 +337,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -418,160 +390,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -584,26 +415,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -611,13 +442,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -671,20 +502,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -694,7 +699,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -704,17 +709,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -726,7 +731,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -737,15 +742,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -765,20 +770,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -788,7 +793,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -798,17 +803,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -821,48 +826,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -870,21 +1534,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -892,7 +1556,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -916,7 +1580,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -926,6 +1590,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -938,21 +1607,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -962,18 +1666,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -983,7 +1687,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -993,31 +1697,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -1027,7 +1730,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -1037,88 +1740,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -1126,160 +1793,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -1292,26 +1818,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -1319,13 +1845,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -1379,20 +1905,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -1402,7 +2102,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -1412,17 +2112,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -1434,708 +2134,42 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
},
- "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
- "name": "A String", # The template name. Output only.
+ "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
+ "name": "A String", # Output only. The template name.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
},
+ "locationId": "A String", # The geographic location to store the deidentification template. Reserved
+ # for future extensions.
"templateId": "A String", # The template id can contain uppercase and lowercase letters,
# numbers, and hyphens; that is, it must match the regular
# expression: `[a-zA-Z\\d-_]+`. The maximum length is 100
@@ -2150,9 +2184,9 @@
Returns:
An object of the form:
- { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ { # DeidentifyTemplates contains instructions on how to de-identify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
- "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
@@ -2161,43 +2195,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -2205,21 +2208,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -2227,7 +2230,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -2251,7 +2254,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -2261,6 +2264,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -2273,21 +2281,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -2297,18 +2340,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -2318,7 +2361,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -2328,31 +2371,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -2362,7 +2404,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -2372,88 +2414,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -2461,160 +2467,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -2627,26 +2492,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -2654,13 +2519,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -2714,20 +2579,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -2737,7 +2776,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -2747,17 +2786,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -2769,7 +2808,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -2780,15 +2819,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -2808,20 +2847,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -2831,7 +2870,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -2841,17 +2880,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -2864,48 +2903,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -2913,21 +3611,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -2935,7 +3633,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -2959,7 +3657,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -2969,6 +3667,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -2981,21 +3684,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -3005,18 +3743,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3026,7 +3764,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3036,31 +3774,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3070,7 +3807,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3080,88 +3817,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -3169,160 +3870,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -3335,26 +3895,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -3362,13 +3922,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -3422,20 +3982,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -3445,7 +4179,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -3455,17 +4189,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -3477,703 +4211,35 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
},
- "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
- "name": "A String", # The template name. Output only.
+ "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
+ "name": "A String", # Output only. The template name.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
@@ -4188,7 +4254,7 @@
more.
Args:
- name: string, Resource name of the organization and deidentify template to be deleted,
+ name: string, Required. Resource name of the organization and deidentify template to be deleted,
for example `organizations/433245324/deidentifyTemplates/432452342` or
projects/project-id/deidentifyTemplates/432452342. (required)
x__xgafv: string, V1 error format.
@@ -4218,7 +4284,7 @@
more.
Args:
- name: string, Resource name of the organization and deidentify template to be read, for
+ name: string, Required. Resource name of the organization and deidentify template to be read, for
example `organizations/433245324/deidentifyTemplates/432452342` or
projects/project-id/deidentifyTemplates/432452342. (required)
x__xgafv: string, V1 error format.
@@ -4229,9 +4295,9 @@
Returns:
An object of the form:
- { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ { # DeidentifyTemplates contains instructions on how to de-identify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
- "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
@@ -4240,43 +4306,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -4284,21 +4319,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -4306,7 +4341,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -4330,7 +4365,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -4340,6 +4375,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -4352,21 +4392,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -4376,18 +4451,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4397,7 +4472,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4407,31 +4482,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4441,7 +4515,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4451,88 +4525,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -4540,160 +4578,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -4706,26 +4603,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -4733,13 +4630,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -4793,20 +4690,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4816,7 +4887,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4826,17 +4897,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -4848,7 +4919,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -4859,15 +4930,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -4887,20 +4958,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -4910,7 +4981,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -4920,17 +4991,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -4943,48 +5014,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -4992,21 +5722,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -5014,7 +5744,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -5038,7 +5768,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -5048,6 +5778,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -5060,21 +5795,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -5084,18 +5854,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5105,7 +5875,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5115,31 +5885,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5149,7 +5918,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5159,88 +5928,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -5248,160 +5981,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -5414,26 +6006,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -5441,13 +6033,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -5501,20 +6093,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -5524,7 +6290,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -5534,17 +6300,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -5556,703 +6322,35 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
},
- "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
- "name": "A String", # The template name. Output only.
+ "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
+ "name": "A String", # Output only. The template name.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
@@ -6261,15 +6359,15 @@
</div>
<div class="method">
- <code class="details" id="list">list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)</code>
+ <code class="details" id="list">list(parent, orderBy=None, pageSize=None, locationId=None, pageToken=None, x__xgafv=None)</code>
<pre>Lists DeidentifyTemplates.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
- parent: string, The parent resource name, for example projects/my-project-id or
+ parent: string, Required. The parent resource name, for example projects/my-project-id or
organizations/my-org-id. (required)
- orderBy: string, Optional comma separated list of fields to order by,
+ orderBy: string, Comma separated list of fields to order by,
followed by `asc` or `desc` postfix. This list is case-insensitive,
default sorting order is ascending, redundant space characters are
insignificant.
@@ -6282,14 +6380,16 @@
- `update_time`: corresponds to time the template was last updated.
- `name`: corresponds to template's name.
- `display_name`: corresponds to template's display name.
- pageToken: string, Optional page token to continue retrieval. Comes from previous call
+ pageSize: integer, Size of the page, can be limited by server. If zero server returns
+a page of max size 100.
+ locationId: string, The geographic location where deidentifications templates will be retrieved
+from. Use `-` for all locations. Reserved for future extensions.
+ pageToken: string, Page token to continue retrieval. Comes from previous call
to `ListDeidentifyTemplates`.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
- pageSize: integer, Optional size of the page, can be limited by server. If zero server returns
-a page of max size 100.
Returns:
An object of the form:
@@ -6299,9 +6399,9 @@
# in following ListDeidentifyTemplates request.
"deidentifyTemplates": [ # List of deidentify templates, up to page_size in
# ListDeidentifyTemplatesRequest.
- { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ { # DeidentifyTemplates contains instructions on how to de-identify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
- "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
@@ -6310,43 +6410,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -6354,21 +6423,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -6376,7 +6445,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -6400,7 +6469,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -6410,6 +6479,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -6422,21 +6496,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -6446,18 +6555,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6467,7 +6576,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6477,31 +6586,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6511,7 +6619,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6521,88 +6629,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -6610,160 +6682,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -6776,26 +6707,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -6803,13 +6734,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -6863,20 +6794,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6886,7 +6991,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6896,17 +7001,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -6918,7 +7023,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -6929,15 +7034,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -6957,20 +7062,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -6980,7 +7085,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -6990,17 +7095,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -7013,48 +7118,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -7062,21 +7826,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -7084,7 +7848,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -7108,7 +7872,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -7118,6 +7882,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -7130,21 +7899,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -7154,18 +7958,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -7175,7 +7979,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -7185,31 +7989,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -7219,7 +8022,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -7229,88 +8032,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -7318,160 +8085,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -7484,26 +8110,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -7511,13 +8137,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -7571,20 +8197,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -7594,7 +8394,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -7604,17 +8404,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -7626,703 +8426,35 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
},
- "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
- "name": "A String", # The template name. Output only.
+ "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
+ "name": "A String", # Output only. The template name.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
@@ -8347,22 +8479,22 @@
</div>
<div class="method">
- <code class="details" id="patch">patch(name, body, x__xgafv=None)</code>
+ <code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>
<pre>Updates the DeidentifyTemplate.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
- name: string, Resource name of organization and deidentify template to be updated, for
+ name: string, Required. Resource name of organization and deidentify template to be updated, for
example `organizations/433245324/deidentifyTemplates/432452342` or
projects/project-id/deidentifyTemplates/432452342. (required)
- body: object, The request body. (required)
+ body: object, The request body.
The object takes the form of:
{ # Request message for UpdateDeidentifyTemplate.
- "deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # New DeidentifyTemplate value.
+ "deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
- "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
@@ -8371,43 +8503,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -8415,21 +8516,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -8437,7 +8538,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -8461,7 +8562,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -8471,6 +8572,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -8483,21 +8589,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -8507,18 +8648,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -8528,7 +8669,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -8538,31 +8679,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -8572,7 +8712,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -8582,88 +8722,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -8671,160 +8775,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -8837,26 +8800,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -8864,13 +8827,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -8924,20 +8887,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -8947,7 +9084,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -8957,17 +9094,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -8979,7 +9116,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -8990,15 +9127,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -9018,20 +9155,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9041,7 +9178,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9051,17 +9188,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -9074,48 +9211,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -9123,21 +9919,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -9145,7 +9941,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -9169,7 +9965,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -9179,6 +9975,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -9191,21 +9992,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -9215,18 +10051,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9236,7 +10072,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9246,31 +10082,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9280,7 +10115,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9290,88 +10125,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -9379,160 +10178,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -9545,26 +10203,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -9572,13 +10230,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -9632,20 +10290,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -9655,7 +10487,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -9665,17 +10497,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -9687,703 +10519,35 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
},
- "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
- "name": "A String", # The template name. Output only.
+ "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
+ "name": "A String", # Output only. The template name.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
@@ -10400,9 +10564,9 @@
Returns:
An object of the form:
- { # The DeidentifyTemplates contains instructions on how to deidentify content.
+ { # DeidentifyTemplates contains instructions on how to de-identify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
- "updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
+ "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
@@ -10411,43 +10575,12 @@
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -10455,21 +10588,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -10477,7 +10610,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -10501,7 +10634,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -10511,6 +10644,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -10523,21 +10661,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -10547,18 +10720,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -10568,7 +10741,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -10578,31 +10751,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -10612,7 +10784,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -10622,88 +10794,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -10711,160 +10847,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -10877,26 +10872,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -10904,13 +10899,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -10964,20 +10959,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -10987,7 +11156,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -10997,17 +11166,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -11019,7 +11188,7 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
@@ -11030,15 +11199,15 @@
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
- # match any suppression rule are omitted from the output [optional].
+ # match any suppression rule are omitted from the output.
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
@@ -11058,20 +11227,20 @@
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
"name": "A String", # Name describing the field.
},
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -11081,7 +11250,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -11091,17 +11260,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
],
@@ -11114,48 +11283,707 @@
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
+ "fields": [ # Required. Input field(s) to apply the transformation to.
+ { # General identifier of a data field in a storage service.
+ "name": "A String", # Name describing the field.
+ },
+ ],
+ "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
+ # input. Outputs a base64 encoded representation of the encrypted output.
+ # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
+ # referential integrity such that the same identifier in two different
+ # contexts will be given a distinct surrogate. The context is appended to
+ # plaintext value being encrypted. On decryption the provided context is
+ # validated against the value used during encryption. If a context was
+ # provided during encryption, same context must be provided during decryption
+ # as well.
+ #
+ # If the context is not set, plaintext would be used as is for encryption.
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 2. the field is not present when transforming a given value,
+ #
+ # plaintext would be used as is for encryption.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom info type followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: {info type name}({surrogate character count}):{surrogate}
+ #
+ # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom info type 'Surrogate'. This facilitates reversal of the
+ # surrogate when it occurs in free text.
+ #
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
+ # In order for inspection to work properly, the name of this info type must
+ # not occur naturally anywhere in your data; otherwise, inspection may either
+ #
+ # - reverse a surrogate that does not correspond to an actual identifier
+ # - be unable to parse the surrogate and result in an error
+ #
+ # Therefore, choose your custom info type name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE.
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
+ # Bucketing transformation can provide all of this functionality,
+ # but requires more configuration. This message is provided as a convenience to
+ # the user for simple bucketing strategies.
+ #
+ # The transformed value will be a hyphenated string of
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
+ # all values that are within this bucket will be replaced with "10-20".
+ #
+ # This can be used on data of type: double, long.
+ #
+ # If the bound Value type differs from the type of data
+ # being transformed, we will first attempt converting the type of the data to
+ # be transformed to match the type of the bound before comparing.
+ #
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
+ # grouped together into a single bucket; for example if `lower_bound` = 10,
+ # then all values less than 10 are replaced with the value “-10”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
+ # grouped together into a single bucket; for example if `upper_bound` = 89,
+ # then all values greater than 89 are replaced with the value “89+”.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
+ # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
+ # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
+ },
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
+ # portion of the value.
+ "partToExtract": "A String", # The part of the time to keep.
+ },
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
+ # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
+ # to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
+ # range (inclusive ends). Negative means shift to earlier in time. Must not
+ # be more than 365250 days (1000 years) each direction.
+ #
+ # For example, 3 means shift date to at most 3 days into the future.
+ "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
+ # given context.
+ "name": "A String", # Name describing the field.
+ },
+ },
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
+ # (FPE) with the FFX mode of operation; however when used in the
+ # `ReidentifyContent` API method, it serves the opposite function by reversing
+ # the surrogate back into the original identifier. The identifier must be
+ # encoded as ASCII. For a given crypto key and context, the same identifier
+ # will be replaced with the same surrogate. Identifiers must be at least two
+ # characters long. In the case that the identifier is the empty string, it will
+ # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
+ # more.
+ #
+ # Note: We recommend using CryptoDeterministicConfig for all use cases which
+ # do not require preserving the input alphabet space and size, plus warrant
+ # referential integrity.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
+ "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
+ # that the FFX mode natively supports. This happens before/after
+ # encryption/decryption.
+ # Each character listed must appear only once.
+ # Number of characters must be in the range [2, 95].
+ # This must be encoded as ASCII.
+ # The order of characters does not matter.
+ "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
+ # identifier in two different contexts won't be given the same surrogate. If
+ # the context is not set, a default tweak will be used.
+ #
+ # If the context is set but:
+ #
+ # 1. there is no record present when transforming a given value or
+ # 1. the field is not present when transforming a given value,
+ #
+ # a default tweak will be used.
+ #
+ # Note that case (1) is expected when an `InfoTypeTransformation` is
+ # applied to both structured and non-structured `ContentItem`s.
+ # Currently, the referenced field may be of value type integer or string.
+ #
+ # The tweak is constructed as a sequence of bytes in big endian byte order
+ # such that:
+ #
+ # - a 64 bit integer is encoded followed by a single byte of value 1
+ # - a string is encoded in UTF-8 format followed by a single byte of value 2
+ "name": "A String", # Name describing the field.
+ },
+ "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
+ # This annotation will be applied to the surrogate by prefixing it with
+ # the name of the custom infoType followed by the number of
+ # characters comprising the surrogate. The following scheme defines the
+ # format: info_type_name(surrogate_character_count):surrogate
+ #
+ # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
+ # the surrogate is 'abc', the full replacement value
+ # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
+ #
+ # This annotation identifies the surrogate when inspecting content using the
+ # custom infoType
+ # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
+ # This facilitates reversal of the surrogate when it occurs in free text.
+ #
+ # In order for inspection to work properly, the name of this infoType must
+ # not occur naturally anywhere in your data; otherwise, inspection may
+ # find a surrogate that does not correspond to an actual identifier.
+ # Therefore, choose your custom infoType name carefully after considering
+ # what your data looks like. One way to select a name that has a high chance
+ # of yielding reliable detection is to include one or more unicode characters
+ # that are highly improbable to exist in your data.
+ # For example, assuming your data is entered from a regular ASCII keyboard,
+ # the symbol with the hex code point 29DD might be used like so:
+ # ⧝MY_TOKEN_TYPE
+ "name": "A String", # Name of the information type. Either a name of your choosing when
+ # creating a CustomInfoType, or one of the names listed
+ # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
+ # a built-in type. InfoType names should conform to the pattern
+ # `[a-zA-Z0-9_]{1,64}`.
+ },
+ },
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
+ "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ },
+ "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
+ # given `RecordCondition`. The conditions are allowed to reference fields
+ # that are not used in the actual transformation.
+ #
+ # Example Use Cases:
+ #
+ # - Apply a different bucket transformation to an age column if the zip code
+ # column for the same record is within a specific range.
+ # - Redact a field if the date of birth field is greater than 85.
+ # a field.
+ "expressions": { # An expression, consisting or an operator and conditions. # An expression.
+ "conditions": { # A collection of conditions. # Conditions to apply to the expression.
+ "conditions": [ # A collection of conditions.
+ { # The field type of `value` and `field` do not need to match to be
+ # considered equal, but not all comparisons are possible.
+ # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
+ # but all other comparisons are invalid with incompatible types.
+ # A `value` of type:
+ #
+ # - `string` can be compared against all other types
+ # - `boolean` can only be compared against other booleans
+ # - `integer` can be compared against doubles or a string if the string value
+ # can be parsed as an integer.
+ # - `double` can be compared against integers or a string if the string can
+ # be parsed as a double.
+ # - `Timestamp` can be compared against strings in RFC 3339 date string
+ # format.
+ # - `TimeOfDay` can be compared against timestamps and strings in the format
+ # of 'HH:mm:ss'.
+ #
+ # If we fail to compare do to type mismatch, a warning will be given and
+ # the condition will evaluate to false.
+ "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
+ "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
+ "name": "A String", # Name describing the field.
+ },
+ "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
+ # only supported value is `AND`.
+ },
+ },
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
- "transformations": [ # Transformation for each infoType. Cannot specify more than one
- # for a given infoType. [required]
+ "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
+ # for a given infoType.
{ # A transformation to apply to text that is identified as a specific
# info_type.
- "primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
+ "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
+ "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
@@ -11163,21 +11991,21 @@
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -11185,7 +12013,7 @@
# (repeating the api call will result in a different key being generated).
},
},
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
+ "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
@@ -11209,7 +12037,7 @@
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
+ # format: {info type name}({surrogate character count}):{surrogate}
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
@@ -11219,6 +12047,11 @@
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
+ # Note: For record transformations where the entire cell in a table is being
+ # transformed, surrogates are not mandatory. Surrogates are used to denote
+ # the location of the token and are necessary for re-identification in free
+ # form text.
+ #
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
@@ -11231,21 +12064,56 @@
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
+ # ⧝MY_TOKEN_TYPE.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
+ "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
+ # fixed character. Masking can start from the beginning or end of the string.
+ # This can be used on data of any type (numbers, longs, and so on) and when
+ # de-identifying structured data we'll attempt to preserve the original data's
+ # type. (This allows you to take a long like 123 and modify it to a string like
+ # **3.
+ "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
+ # characters. For example, if the input string is `555-555-5555` and you
+ # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
+ # returns `***-**5-5555`.
+ { # Characters to skip when doing deidentification of a value. These will be left
+ # alone and skipped.
+ "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
+ # punctuation.
+ "charactersToSkip": "A String", # Characters to not transform when masking.
+ },
+ ],
+ "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
+ # masked. Skipped characters do not count towards this tally.
+ "maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an
+ # alphabetic string such as a name, or `0` for a numeric string such as ZIP
+ # code or credit card number. This string must have a length of 1. If not
+ # supplied, this value defaults to `*` for strings, and `0` for digits.
+ "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
+ # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
+ # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
+ # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
+ # is `true`, then the string `12345` is masked as `12***`.
+ },
+ "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
+ # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
+ # output would be 'My phone number is '.
+ },
+ "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
+ },
+ "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
+ # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
@@ -11255,18 +12123,18 @@
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
+ "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
+ # then all values less than 10 are replaced with the value “-10”.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -11276,7 +12144,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -11286,31 +12154,30 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
+ "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
- # [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -11320,7 +12187,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -11330,88 +12197,52 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
+ "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
+ # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
},
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
+ "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
# portion of the value.
- "partToExtract": "A String",
+ "partToExtract": "A String", # The part of the time to keep.
},
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
+ "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
+ # results in the same shift for the same context and crypto_key. If
+ # set, must also set context. Can only be applied to table items.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -11419,160 +12250,19 @@
# (repeating the api call will result in a different key being generated).
},
},
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
+ "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
+ "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
- # [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
+ # If set, must also set cryptoKey. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
+ "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
@@ -11585,26 +12275,26 @@
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
},
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
# leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
+ "key": "A String", # Required. A 128/192/256 bit key.
},
- "transient": { # Use this to have a random data crypto key generated.
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
# It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
+ "name": "A String", # Required. Name of the key.
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
@@ -11612,13 +12302,13 @@
# (repeating the api call will result in a different key being generated).
},
},
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
+ "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
+ "commonAlphabet": "A String", # Common alphabets.
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
+ # Number of characters must be in the range [2, 95].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
@@ -11672,20 +12362,194 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
},
- "replaceConfig": { # Replace each input value with a given `Value`.
+ "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
+ # replacement values are dynamically provided by the user for custom behavior,
+ # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
+ # This can be used on
+ # data of type: number, long, string, timestamp.
+ # If the bound `Value` type differs from the type of data being transformed, we
+ # will first attempt converting the type of the data to be transformed to match
+ # the type of the bound before comparing.
+ # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
+ "buckets": [ # Set of buckets. Ranges must be non-overlapping.
+ { # Bucket is represented as a range, along with replacement values.
+ "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
+ # the default behavior will be to hyphenate the min-max range.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
+ # used.
+ # Note that for the purposes of inspection or transformation, the number
+ # of bytes considered to comprise a 'Value' is based on its representation
+ # as a UTF-8 encoded string. For example, if 'integer_value' is set to
+ # 123456789, the number of bytes would be counted as 9, even though an
+ # int64 only holds up to 8 bytes of data.
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
+ # or are specified elsewhere. An API may choose to allow leap seconds. Related
+ # types are google.type.Date and `google.protobuf.Timestamp`.
+ "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
+ # to allow the value "24:00:00" for scenarios like business closing time.
+ "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
+ "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
+ # allow the value 60 if it allows leap-seconds.
+ "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
+ },
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
+ # and time zone are either specified elsewhere or are not significant. The date
+ # is relative to the Proleptic Gregorian Calendar. This can represent:
+ #
+ # * A full date, with non-zero year, month and day values
+ # * A month and day value, with a zero year, e.g. an anniversary
+ # * A year on its own, with zero month and day values
+ # * A year and month value, with a zero day, e.g. a credit card expiration date
+ #
+ # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
+ "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
+ # if specifying a year by itself or a year and month where the day is not
+ # significant.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
+ },
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
+ },
+ },
+ ],
+ },
+ "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
+ # Uses SHA-256.
+ # The key size must be either 32 or 64 bytes.
+ # Outputs a base64 encoded representation of the hashed output
+ # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
+ # Currently, only string and integer values can be hashed.
+ # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
+ "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
+ # a key encryption key (KEK) stored by KMS).
+ # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
+ # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
+ # unwrap the data crypto key.
+ "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
+ # The wrapped key must be a 128/192/256 bit key.
+ # Authorization requires the following IAM permissions when sending a request
+ # to perform a crypto transformation using a kms-wrapped crypto key:
+ # dlp.kms.encrypt
+ "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
+ "wrappedKey": "A String", # Required. The wrapped data crypto key.
+ },
+ "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
+ # leaking the key. Choose another type of key if possible.
+ "key": "A String", # Required. A 128/192/256 bit key.
+ },
+ "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
+ # It will be discarded after the request finishes.
+ "name": "A String", # Required. Name of the key.
+ # This is an arbitrary string used to differentiate different keys.
+ # A unique key is generated per name: two separate `TransientCryptoKey`
+ # protos share the same generated key if their names are the same.
+ # When the data crypto key is generated, this name is not used in any way
+ # (repeating the api call will result in a different key being generated).
+ },
+ },
+ },
+ "replaceConfig": { # Replace each input value with a given `Value`. # Replace
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
+ "floatValue": 3.14, # float
+ "timestampValue": "A String", # timestamp
+ "dayOfWeekValue": "A String", # day of week
+ "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
@@ -11695,7 +12559,7 @@
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
+ "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
@@ -11705,17 +12569,17 @@
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
+ "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
+ # month and day.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
+ "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
+ # a year.
},
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
+ "stringValue": "A String", # string
+ "booleanValue": True or False, # boolean
+ "integerValue": "A String", # integer
},
},
},
@@ -11727,703 +12591,35 @@
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
+ # `[a-zA-Z0-9_]{1,64}`.
},
],
},
],
},
- "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
- "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
- # fixed character. Masking can start from the beginning or end of the string.
- # This can be used on data of any type (numbers, longs, and so on) and when
- # de-identifying structured data we'll attempt to preserve the original data's
- # type. (This allows you to take a long like 123 and modify it to a string like
- # **3.
- "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
- # For example, if your string is 555-555-5555 and you ask us to skip `-` and
- # mask 5 chars with * we would produce ***-*55-5555.
- { # Characters to skip when doing deidentification of a value. These will be left
- # alone and skipped.
- "commonCharactersToIgnore": "A String",
- "charactersToSkip": "A String",
- },
- ],
- "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
- # masked. Skipped characters do not count towards this tally.
- "maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
- # alphabetic string such as name, or "0" for a numeric string such as ZIP
- # code or credit card number. String must have length 1. If not supplied, we
- # will default to "*" for strings, 0 for digits.
- "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
- # '0', number_to_mask is 14, and `reverse_order` is false, then
- # 1234-5678-9012-3456 -> 00000000000000-3456
- # If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
- # is true, then 12345 -> 12***
- },
- "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
- # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
- # output would be 'My phone number is '.
- },
- "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
- # input. Outputs a base64 encoded representation of the encrypted output.
- # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
- # referential integrity such that the same identifier in two different
- # contexts will be given a distinct surrogate. The context is appended to
- # plaintext value being encrypted. On decryption the provided context is
- # validated against the value used during encryption. If a context was
- # provided during encryption, same context must be provided during decryption
- # as well.
- #
- # If the context is not set, plaintext would be used as is for encryption.
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 2. the field is not present when transforming a given value,
- #
- # plaintext would be used as is for encryption.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom info type followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: <info type name>(<surrogate character count>):<surrogate>
- #
- # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom info type 'Surrogate'. This facilitates reversal of the
- # surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this info type must
- # not occur naturally anywhere in your data; otherwise, inspection may either
- #
- # - reverse a surrogate that does not correspond to an actual identifier
- # - be unable to parse the surrogate and result in an error
- #
- # Therefore, choose your custom info type name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
- # Bucketing transformation can provide all of this functionality,
- # but requires more configuration. This message is provided as a convenience to
- # the user for simple bucketing strategies.
- #
- # The transformed value will be a hyphenated string of
- # <lower_bound>-<upper_bound>, i.e if lower_bound = 10 and upper_bound = 20
- # all values that are within this bucket will be replaced with "10-20".
- #
- # This can be used on data of type: double, long.
- #
- # If the bound Value type differs from the type of data
- # being transformed, we will first attempt converting the type of the data to
- # be transformed to match the type of the bound before comparing.
- #
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
- # grouped together into a single bucket; for example if `lower_bound` = 10,
- # then all values less than 10 are replaced with the value “-10”. [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
- # grouped together into a single bucket; for example if `upper_bound` = 89,
- # then all values greater than 89 are replaced with the value “89+”.
- # [Required].
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
- # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
- # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
- # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
- },
- "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
- },
- "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
- # portion of the value.
- "partToExtract": "A String",
- },
- "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
- # Uses SHA-256.
- # The key size must be either 32 or 64 bytes.
- # Outputs a base64 encoded representation of the hashed output
- # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
- # Currently, only string and integer values can be hashed.
- # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- },
- "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
- # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
- # to learn more.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
- # results in the same shift for the same context and crypto_key.
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
- # [Required]
- "upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
- # range (inclusive ends). Negative means shift to earlier in time. Must not
- # be more than 365250 days (1000 years) each direction.
- #
- # For example, 3 means shift date to at most 3 days into the future.
- # [Required]
- "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
- # If set, must also set method. If set, shift will be consistent for the
- # given context.
- "name": "A String", # Name describing the field.
- },
- },
- "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
- # replacement values are dynamically provided by the user for custom behavior,
- # such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
- # This can be used on
- # data of type: number, long, string, timestamp.
- # If the bound `Value` type differs from the type of data being transformed, we
- # will first attempt converting the type of the data to be transformed to match
- # the type of the bound before comparing.
- # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
- "buckets": [ # Set of buckets. Ranges must be non-overlapping.
- { # Bucket is represented as a range, along with replacement values.
- "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
- # the default behavior will be to hyphenate the min-max range.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
- # used.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
- # (FPE) with the FFX mode of operation; however when used in the
- # `ReidentifyContent` API method, it serves the opposite function by reversing
- # the surrogate back into the original identifier. The identifier must be
- # encoded as ASCII. For a given crypto key and context, the same identifier
- # will be replaced with the same surrogate. Identifiers must be at least two
- # characters long. In the case that the identifier is the empty string, it will
- # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
- # more.
- #
- # Note: We recommend using CryptoDeterministicConfig for all use cases which
- # do not require preserving the input alphabet space and size, plus warrant
- # referential integrity.
- "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
- # a key encryption key (KEK) stored by KMS).
- # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
- # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
- # unwrap the data crypto key.
- "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
- # The wrapped key must be a 128/192/256 bit key.
- # Authorization requires the following IAM permissions when sending a request
- # to perform a crypto transformation using a kms-wrapped crypto key:
- # dlp.kms.encrypt
- "cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
- "wrappedKey": "A String", # The wrapped data crypto key. [required]
- },
- "unwrapped": { # Using raw keys is prone to security risks due to accidentally
- # leaking the key. Choose another type of key if possible.
- "key": "A String", # A 128/192/256 bit key. [required]
- },
- "transient": { # Use this to have a random data crypto key generated.
- # It will be discarded after the request finishes.
- "name": "A String", # Name of the key. [required]
- # This is an arbitrary string used to differentiate different keys.
- # A unique key is generated per name: two separate `TransientCryptoKey`
- # protos share the same generated key if their names are the same.
- # When the data crypto key is generated, this name is not used in any way
- # (repeating the api call will result in a different key being generated).
- },
- },
- "radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
- "commonAlphabet": "A String",
- "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
- # that the FFX mode natively supports. This happens before/after
- # encryption/decryption.
- # Each character listed must appear only once.
- # Number of characters must be in the range [2, 62].
- # This must be encoded as ASCII.
- # The order of characters does not matter.
- "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
- # identifier in two different contexts won't be given the same surrogate. If
- # the context is not set, a default tweak will be used.
- #
- # If the context is set but:
- #
- # 1. there is no record present when transforming a given value or
- # 1. the field is not present when transforming a given value,
- #
- # a default tweak will be used.
- #
- # Note that case (1) is expected when an `InfoTypeTransformation` is
- # applied to both structured and non-structured `ContentItem`s.
- # Currently, the referenced field may be of value type integer or string.
- #
- # The tweak is constructed as a sequence of bytes in big endian byte order
- # such that:
- #
- # - a 64 bit integer is encoded followed by a single byte of value 1
- # - a string is encoded in UTF-8 format followed by a single byte of value 2
- "name": "A String", # Name describing the field.
- },
- "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
- # This annotation will be applied to the surrogate by prefixing it with
- # the name of the custom infoType followed by the number of
- # characters comprising the surrogate. The following scheme defines the
- # format: info_type_name(surrogate_character_count):surrogate
- #
- # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
- # the surrogate is 'abc', the full replacement value
- # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
- #
- # This annotation identifies the surrogate when inspecting content using the
- # custom infoType
- # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
- # This facilitates reversal of the surrogate when it occurs in free text.
- #
- # In order for inspection to work properly, the name of this infoType must
- # not occur naturally anywhere in your data; otherwise, inspection may
- # find a surrogate that does not correspond to an actual identifier.
- # Therefore, choose your custom infoType name carefully after considering
- # what your data looks like. One way to select a name that has a high chance
- # of yielding reliable detection is to include one or more unicode characters
- # that are highly improbable to exist in your data.
- # For example, assuming your data is entered from a regular ASCII keyboard,
- # the symbol with the hex code point 29DD might be used like so:
- # ⧝MY_TOKEN_TYPE
- "name": "A String", # Name of the information type. Either a name of your choosing when
- # creating a CustomInfoType, or one of the names listed
- # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
- # a built-in type. InfoType names should conform to the pattern
- # [a-zA-Z0-9_]{1,64}.
- },
- },
- "replaceConfig": { # Replace each input value with a given `Value`.
- "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- },
- "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
- # given `RecordCondition`. The conditions are allowed to reference fields
- # that are not used in the actual transformation. [optional]
- #
- # Example Use Cases:
- #
- # - Apply a different bucket transformation to an age column if the zip code
- # column for the same record is within a specific range.
- # - Redact a field if the date of birth field is greater than 85.
- # a field.
- "expressions": { # An expression, consisting or an operator and conditions. # An expression.
- "conditions": { # A collection of conditions.
- "conditions": [
- { # The field type of `value` and `field` do not need to match to be
- # considered equal, but not all comparisons are possible.
- # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
- # but all other comparisons are invalid with incompatible types.
- # A `value` of type:
- #
- # - `string` can be compared against all other types
- # - `boolean` can only be compared against other booleans
- # - `integer` can be compared against doubles or a string if the string value
- # can be parsed as an integer.
- # - `double` can be compared against integers or a string if the string can
- # be parsed as a double.
- # - `Timestamp` can be compared against strings in RFC 3339 date string
- # format.
- # - `TimeOfDay` can be compared against timestamps and strings in the format
- # of 'HH:mm:ss'.
- #
- # If we fail to compare do to type mismatch, a warning will be given and
- # the condition will evaluate to false.
- "operator": "A String", # Operator used to compare the field or infoType to the value. [required]
- "field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
- "name": "A String", # Name describing the field.
- },
- "value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
- # Note that for the purposes of inspection or transformation, the number
- # of bytes considered to comprise a 'Value' is based on its representation
- # as a UTF-8 encoded string. For example, if 'integer_value' is set to
- # 123456789, the number of bytes would be counted as 9, even though an
- # int64 only holds up to 8 bytes of data.
- "floatValue": 3.14,
- "timestampValue": "A String",
- "dayOfWeekValue": "A String",
- "timeValue": { # Represents a time of day. The date and time zone are either not significant
- # or are specified elsewhere. An API may choose to allow leap seconds. Related
- # types are google.type.Date and `google.protobuf.Timestamp`.
- "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
- # to allow the value "24:00:00" for scenarios like business closing time.
- "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
- "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
- # allow the value 60 if it allows leap-seconds.
- "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
- },
- "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
- # and time zone are either specified elsewhere or are not significant. The date
- # is relative to the Proleptic Gregorian Calendar. This can represent:
- #
- # * A full date, with non-zero year, month and day values
- # * A month and day value, with a zero year, e.g. an anniversary
- # * A year on its own, with zero month and day values
- # * A year and month value, with a zero day, e.g. a credit card expiration date
- #
- # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
- "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
- # a year.
- "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
- # if specifying a year by itself or a year and month where the day is not
- # significant.
- "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
- # month and day.
- },
- "stringValue": "A String",
- "booleanValue": True or False,
- "integerValue": "A String",
- },
- },
- ],
- },
- "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
- # only supported value is `AND`.
- },
- },
- "fields": [ # Input field(s) to apply the transformation to. [required]
- { # General identifier of a data field in a storage service.
- "name": "A String", # Name describing the field.
- },
- ],
},
],
},
+ "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
+ # mode is `TransformationErrorHandling.ThrowError`.
+ # transformation error occurs when the requested transformation is incompatible
+ # with the data. For example, trying to de-identify an IP address using a
+ # `DateShift` transformation would result in a transformation error, since date
+ # info cannot be extracted from an IP address.
+ # Information about any incompatible transformations, and how they were
+ # handled, is returned in the response as part of the
+ # `TransformationOverviews`.
+ "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
+ },
+ "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
+ # cause an error. For example, if a `DateShift` transformation were applied
+ # an an IP address, this mode would leave the IP address unchanged in the
+ # response.
+ },
+ },
},
- "createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
- "name": "A String", # The template name. Output only.
+ "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
+ "name": "A String", # Output only. The template name.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR