Blame - docs/dyn/dlp_v2.projects.deidentifyTemplates.html - platform/external/python/google-api-python-client

2020-05-01 07:42:23 -0700

[diff] [blame]

78

<code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

79

<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>

80

81

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

82

<p class="firstline">Deletes a DeidentifyTemplate.</p>

83

84

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

85

<p class="firstline">Gets a DeidentifyTemplate.</p>

86

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

87

<code><a href="#list">list(parent, orderBy=None, pageToken=None, locationId=None, pageSize=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

88

<p class="firstline">Lists DeidentifyTemplates.</p>

89

90

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

91

<p class="firstline">Retrieves the next page of results.</p>

92

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

93

<code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

94

<p class="firstline">Updates the DeidentifyTemplate.</p>

95

<h3>Method Details</h3>

96

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

97

<code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

98

<pre>Creates a DeidentifyTemplate for re-using frequently used configuration

99

for de-identifying content, images, and storage.

100

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

101

more.

102

103

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

104

parent: string, Required. The parent resource name, for example projects/my-project-id or

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

105

organizations/my-org-id. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

106

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

107

The object takes the form of:

108

109

{ # Request message for CreateDeidentifyTemplate.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

110

"templateId": "A String", # The template id can contain uppercase and lowercase letters,

111

# numbers, and hyphens; that is, it must match the regular

112

# expression: `[a-zA-Z\\d-_]+`. The maximum length is 100

113

# characters. Can be empty to allow the system to generate one.

114

"deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

115

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

116

"name": "A String", # Output only. The template name.

117

#

118

# The template will have one of the following formats:

119

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

120

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

121

"description": "A String", # Short description (max 256 chars).

122

"displayName": "A String", # Display name (max 256 chars).

123

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

124

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

125

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

126

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

127

# transformation everywhere.

128

# apply various `PrimitiveTransformation`s to each finding, where the

129

# transformation is applied to only values that were identified as a specific

130

# info_type.

131

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

132

# for a given infoType.

133

{ # A transformation to apply to text that is identified as a specific

134

# info_type.

135

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

136

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

137

# portion of the value.

138

"partToExtract": "A String", # The part of the time to keep.

139

},

140

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

141

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

142

# to learn more.

143

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

144

# If set, must also set cryptoKey. If set, shift will be consistent for the

145

# given context.

146

"name": "A String", # Name describing the field.

147

},

148

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

149

# range (inclusive ends). Negative means shift to earlier in time. Must not

150

# be more than 365250 days (1000 years) each direction.

151

#

152

# For example, 3 means shift date to at most 3 days into the future.

153

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

154

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

155

# results in the same shift for the same context and crypto_key. If

156

# set, must also set context. Can only be applied to table items.

157

# a key encryption key (KEK) stored by KMS).

158

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

159

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

160

# unwrap the data crypto key.

161

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

162

# leaking the key. Choose another type of key if possible.

163

"key": "A String", # Required. A 128/192/256 bit key.

164

},

165

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

166

# It will be discarded after the request finishes.

167

"name": "A String", # Required. Name of the key.

168

# This is an arbitrary string used to differentiate different keys.

169

# A unique key is generated per name: two separate `TransientCryptoKey`

170

# protos share the same generated key if their names are the same.

171

# When the data crypto key is generated, this name is not used in any way

172

# (repeating the api call will result in a different key being generated).

173

},

174

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

175

# The wrapped key must be a 128/192/256 bit key.

176

# Authorization requires the following IAM permissions when sending a request

177

# to perform a crypto transformation using a kms-wrapped crypto key:

178

# dlp.kms.encrypt

179

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

180

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

185

},

186

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

187

# Uses SHA-256.

188

# The key size must be either 32 or 64 bytes.

189

# Outputs a base64 encoded representation of the hashed output

190

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

191

# Currently, only string and integer values can be hashed.

192

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

193

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

194

# a key encryption key (KEK) stored by KMS).

195

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

196

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

197

# unwrap the data crypto key.

198

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

199

# leaking the key. Choose another type of key if possible.

200

"key": "A String", # Required. A 128/192/256 bit key.

201

},

202

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

203

# It will be discarded after the request finishes.

204

"name": "A String", # Required. Name of the key.

205

# This is an arbitrary string used to differentiate different keys.

206

# A unique key is generated per name: two separate `TransientCryptoKey`

207

# protos share the same generated key if their names are the same.

208

# When the data crypto key is generated, this name is not used in any way

209

# (repeating the api call will result in a different key being generated).

210

},

211

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

212

# The wrapped key must be a 128/192/256 bit key.

213

# Authorization requires the following IAM permissions when sending a request

214

# to perform a crypto transformation using a kms-wrapped crypto key:

215

# dlp.kms.encrypt

216

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

217

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

222

# (FPE) with the FFX mode of operation; however when used in the

223

# `ReidentifyContent` API method, it serves the opposite function by reversing

224

# the surrogate back into the original identifier. The identifier must be

225

# encoded as ASCII. For a given crypto key and context, the same identifier

226

# will be replaced with the same surrogate. Identifiers must be at least two

227

# characters long. In the case that the identifier is the empty string, it will

228

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

229

# more.

230

#

231

# Note: We recommend using CryptoDeterministicConfig for all use cases which

232

# do not require preserving the input alphabet space and size, plus warrant

233

# referential integrity.

234

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

235

# This annotation will be applied to the surrogate by prefixing it with

236

# the name of the custom infoType followed by the number of

237

# characters comprising the surrogate. The following scheme defines the

238

# format: info_type_name(surrogate_character_count):surrogate

239

#

240

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

241

# the surrogate is 'abc', the full replacement value

242

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

243

#

244

# This annotation identifies the surrogate when inspecting content using the

245

# custom infoType

246

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

247

# This facilitates reversal of the surrogate when it occurs in free text.

248

#

249

# In order for inspection to work properly, the name of this infoType must

250

# not occur naturally anywhere in your data; otherwise, inspection may

251

# find a surrogate that does not correspond to an actual identifier.

252

# Therefore, choose your custom infoType name carefully after considering

253

# what your data looks like. One way to select a name that has a high chance

254

# of yielding reliable detection is to include one or more unicode characters

255

# that are highly improbable to exist in your data.

256

# For example, assuming your data is entered from a regular ASCII keyboard,

257

# the symbol with the hex code point 29DD might be used like so:

258

# ⧝MY_TOKEN_TYPE

259

"name": "A String", # Name of the information type. Either a name of your choosing when

260

# creating a CustomInfoType, or one of the names listed

261

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

262

# a built-in type. InfoType names should conform to the pattern

263

# `[a-zA-Z0-9_]{1,64}`.

264

},

265

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

266

# identifier in two different contexts won't be given the same surrogate. If

267

# the context is not set, a default tweak will be used.

268

#

269

# If the context is set but:

270

#

271

# 1. there is no record present when transforming a given value or

272

# 1. the field is not present when transforming a given value,

273

#

274

# a default tweak will be used.

275

#

276

# Note that case (1) is expected when an `InfoTypeTransformation` is

277

# applied to both structured and non-structured `ContentItem`s.

278

# Currently, the referenced field may be of value type integer or string.

279

#

280

# The tweak is constructed as a sequence of bytes in big endian byte order

281

# such that:

282

#

283

# - a 64 bit integer is encoded followed by a single byte of value 1

284

# - a string is encoded in UTF-8 format followed by a single byte of value 2

285

"name": "A String", # Name describing the field.

286

},

287

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

288

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

289

# a key encryption key (KEK) stored by KMS).

290

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

291

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

292

# unwrap the data crypto key.

293

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

294

# leaking the key. Choose another type of key if possible.

295

"key": "A String", # Required. A 128/192/256 bit key.

296

},

297

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

298

# It will be discarded after the request finishes.

299

"name": "A String", # Required. Name of the key.

300

# This is an arbitrary string used to differentiate different keys.

301

# A unique key is generated per name: two separate `TransientCryptoKey`

302

# protos share the same generated key if their names are the same.

303

# When the data crypto key is generated, this name is not used in any way

304

# (repeating the api call will result in a different key being generated).

305

},

306

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

307

# The wrapped key must be a 128/192/256 bit key.

308

# Authorization requires the following IAM permissions when sending a request

309

# to perform a crypto transformation using a kms-wrapped crypto key:

310

# dlp.kms.encrypt

311

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

312

"wrappedKey": "A String", # Required. The wrapped data crypto key.

313

},

314

},

315

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

316

# that the FFX mode natively supports. This happens before/after

317

# encryption/decryption.

318

# Each character listed must appear only once.

319

# Number of characters must be in the range [2, 95].

320

# This must be encoded as ASCII.

321

# The order of characters does not matter.

322

"commonAlphabet": "A String", # Common alphabets.

323

},

324

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

325

# input. Outputs a base64 encoded representation of the encrypted output.

326

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

327

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

328

# This annotation will be applied to the surrogate by prefixing it with

329

# the name of the custom info type followed by the number of

330

# characters comprising the surrogate. The following scheme defines the

331

# format: {info type name}({surrogate character count}):{surrogate}

332

#

333

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

334

# the surrogate is 'abc', the full replacement value

335

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

336

#

337

# This annotation identifies the surrogate when inspecting content using the

338

# custom info type 'Surrogate'. This facilitates reversal of the

339

# surrogate when it occurs in free text.

340

#

341

# Note: For record transformations where the entire cell in a table is being

342

# transformed, surrogates are not mandatory. Surrogates are used to denote

343

# the location of the token and are necessary for re-identification in free

344

# form text.

345

#

346

# In order for inspection to work properly, the name of this info type must

347

# not occur naturally anywhere in your data; otherwise, inspection may either

348

#

349

# - reverse a surrogate that does not correspond to an actual identifier

350

# - be unable to parse the surrogate and result in an error

351

#

352

# Therefore, choose your custom info type name carefully after considering

353

# what your data looks like. One way to select a name that has a high chance

354

# of yielding reliable detection is to include one or more unicode characters

355

# that are highly improbable to exist in your data.

356

# For example, assuming your data is entered from a regular ASCII keyboard,

357

# the symbol with the hex code point 29DD might be used like so:

358

# ⧝MY_TOKEN_TYPE.

359

"name": "A String", # Name of the information type. Either a name of your choosing when

360

# creating a CustomInfoType, or one of the names listed

361

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

362

# a built-in type. InfoType names should conform to the pattern

363

# `[a-zA-Z0-9_]{1,64}`.

364

},

365

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

366

# referential integrity such that the same identifier in two different

367

# contexts will be given a distinct surrogate. The context is appended to

368

# plaintext value being encrypted. On decryption the provided context is

369

# validated against the value used during encryption. If a context was

370

# provided during encryption, same context must be provided during decryption

371

# as well.

372

#

373

# If the context is not set, plaintext would be used as is for encryption.

374

# If the context is set but:

375

#

376

# 1. there is no record present when transforming a given value or

377

# 2. the field is not present when transforming a given value,

378

#

379

# plaintext would be used as is for encryption.

380

#

381

# Note that case (1) is expected when an `InfoTypeTransformation` is

382

# applied to both structured and non-structured `ContentItem`s.

383

"name": "A String", # Name describing the field.

384

},

385

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

386

# a key encryption key (KEK) stored by KMS).

387

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

388

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

389

# unwrap the data crypto key.

390

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

391

# leaking the key. Choose another type of key if possible.

392

"key": "A String", # Required. A 128/192/256 bit key.

393

},

394

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

395

# It will be discarded after the request finishes.

396

"name": "A String", # Required. Name of the key.

397

# This is an arbitrary string used to differentiate different keys.

398

# A unique key is generated per name: two separate `TransientCryptoKey`

399

# protos share the same generated key if their names are the same.

400

# When the data crypto key is generated, this name is not used in any way

401

# (repeating the api call will result in a different key being generated).

402

},

403

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

404

# The wrapped key must be a 128/192/256 bit key.

405

# Authorization requires the following IAM permissions when sending a request

406

# to perform a crypto transformation using a kms-wrapped crypto key:

407

# dlp.kms.encrypt

408

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

409

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

414

# replacement values are dynamically provided by the user for custom behavior,

415

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

416

# This can be used on

417

# data of type: number, long, string, timestamp.

418

# If the bound `Value` type differs from the type of data being transformed, we

419

# will first attempt converting the type of the data to be transformed to match

420

# the type of the bound before comparing.

421

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

422

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

423

{ # Bucket is represented as a range, along with replacement values.

424

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

425

# the default behavior will be to hyphenate the min-max range.

426

# Note that for the purposes of inspection or transformation, the number

427

# of bytes considered to comprise a 'Value' is based on its representation

428

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

429

# 123456789, the number of bytes would be counted as 9, even though an

430

# int64 only holds up to 8 bytes of data.

431

"timestampValue": "A String", # timestamp

432

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

433

# and time zone are either specified elsewhere or are not significant. The date

434

# is relative to the Proleptic Gregorian Calendar. This can represent:

435

#

436

# * A full date, with non-zero year, month and day values

437

# * A month and day value, with a zero year, e.g. an anniversary

438

# * A year on its own, with zero month and day values

439

# * A year and month value, with a zero day, e.g. a credit card expiration date

440

#

441

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

442

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

443

# a year.

444

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

445

# month and day.

446

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

447

# if specifying a year by itself or a year and month where the day is not

448

# significant.

449

},

450

"stringValue": "A String", # string

451

"integerValue": "A String", # integer

452

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

453

# or are specified elsewhere. An API may choose to allow leap seconds. Related

454

# types are google.type.Date and `google.protobuf.Timestamp`.

455

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

456

# to allow the value "24:00:00" for scenarios like business closing time.

457

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

458

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

459

# allow the value 60 if it allows leap-seconds.

460

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

461

},

462

"booleanValue": True or False, # boolean

463

"floatValue": 3.14, # float

464

"dayOfWeekValue": "A String", # day of week

465

},

466

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

467

# used.

468

# Note that for the purposes of inspection or transformation, the number

469

# of bytes considered to comprise a 'Value' is based on its representation

470

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

471

# 123456789, the number of bytes would be counted as 9, even though an

472

# int64 only holds up to 8 bytes of data.

473

"timestampValue": "A String", # timestamp

474

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

475

# and time zone are either specified elsewhere or are not significant. The date

476

# is relative to the Proleptic Gregorian Calendar. This can represent:

477

#

478

# * A full date, with non-zero year, month and day values

479

# * A month and day value, with a zero year, e.g. an anniversary

480

# * A year on its own, with zero month and day values

481

# * A year and month value, with a zero day, e.g. a credit card expiration date

482

#

483

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

484

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

485

# a year.

486

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

487

# month and day.

488

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

489

# if specifying a year by itself or a year and month where the day is not

490

# significant.

491

},

492

"stringValue": "A String", # string

493

"integerValue": "A String", # integer

494

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

495

# or are specified elsewhere. An API may choose to allow leap seconds. Related

496

# types are google.type.Date and `google.protobuf.Timestamp`.

497

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

498

# to allow the value "24:00:00" for scenarios like business closing time.

499

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

500

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

501

# allow the value 60 if it allows leap-seconds.

502

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

503

},

504

"booleanValue": True or False, # boolean

505

"floatValue": 3.14, # float

506

"dayOfWeekValue": "A String", # day of week

507

},

508

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

509

# Note that for the purposes of inspection or transformation, the number

510

# of bytes considered to comprise a 'Value' is based on its representation

511

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

512

# 123456789, the number of bytes would be counted as 9, even though an

513

# int64 only holds up to 8 bytes of data.

514

"timestampValue": "A String", # timestamp

515

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

516

# and time zone are either specified elsewhere or are not significant. The date

517

# is relative to the Proleptic Gregorian Calendar. This can represent:

518

#

519

# * A full date, with non-zero year, month and day values

520

# * A month and day value, with a zero year, e.g. an anniversary

521

# * A year on its own, with zero month and day values

522

# * A year and month value, with a zero day, e.g. a credit card expiration date

523

#

524

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

525

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

526

# a year.

527

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

528

# month and day.

529

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

530

# if specifying a year by itself or a year and month where the day is not

531

# significant.

532

},

533

"stringValue": "A String", # string

534

"integerValue": "A String", # integer

535

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

536

# or are specified elsewhere. An API may choose to allow leap seconds. Related

537

# types are google.type.Date and `google.protobuf.Timestamp`.

538

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

539

# to allow the value "24:00:00" for scenarios like business closing time.

540

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

541

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

542

# allow the value 60 if it allows leap-seconds.

543

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

544

},

545

"booleanValue": True or False, # boolean

546

"floatValue": 3.14, # float

547

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

553

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

554

# output would be 'My phone number is '.

555

},

556

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

557

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

558

# Note that for the purposes of inspection or transformation, the number

559

# of bytes considered to comprise a 'Value' is based on its representation

560

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

561

# 123456789, the number of bytes would be counted as 9, even though an

562

# int64 only holds up to 8 bytes of data.

563

"timestampValue": "A String", # timestamp

564

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

565

# and time zone are either specified elsewhere or are not significant. The date

566

# is relative to the Proleptic Gregorian Calendar. This can represent:

567

#

568

# * A full date, with non-zero year, month and day values

569

# * A month and day value, with a zero year, e.g. an anniversary

570

# * A year on its own, with zero month and day values

571

# * A year and month value, with a zero day, e.g. a credit card expiration date

572

#

573

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

574

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

575

# a year.

576

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

577

# month and day.

578

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

579

# if specifying a year by itself or a year and month where the day is not

580

# significant.

581

},

582

"stringValue": "A String", # string

583

"integerValue": "A String", # integer

584

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

585

# or are specified elsewhere. An API may choose to allow leap seconds. Related

586

# types are google.type.Date and `google.protobuf.Timestamp`.

587

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

588

# to allow the value "24:00:00" for scenarios like business closing time.

589

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

590

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

591

# allow the value 60 if it allows leap-seconds.

592

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

593

},

594

"booleanValue": True or False, # boolean

595

"floatValue": 3.14, # float

596

"dayOfWeekValue": "A String", # day of week

597

},

598

},

599

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

600

# Bucketing transformation can provide all of this functionality,

601

# but requires more configuration. This message is provided as a convenience to

602

# the user for simple bucketing strategies.

603

#

604

# The transformed value will be a hyphenated string of

605

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

606

# all values that are within this bucket will be replaced with "10-20".

607

#

608

# This can be used on data of type: double, long.

609

#

610

# If the bound Value type differs from the type of data

611

# being transformed, we will first attempt converting the type of the data to

612

# be transformed to match the type of the bound before comparing.

613

#

614

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

615

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

616

# grouped together into a single bucket; for example if `upper_bound` = 89,

617

# then all values greater than 89 are replaced with the value "89+".

618

# Note that for the purposes of inspection or transformation, the number

619

# of bytes considered to comprise a 'Value' is based on its representation

620

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

621

# 123456789, the number of bytes would be counted as 9, even though an

622

# int64 only holds up to 8 bytes of data.

623

"timestampValue": "A String", # timestamp

624

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

625

# and time zone are either specified elsewhere or are not significant. The date

626

# is relative to the Proleptic Gregorian Calendar. This can represent:

627

#

628

# * A full date, with non-zero year, month and day values

629

# * A month and day value, with a zero year, e.g. an anniversary

630

# * A year on its own, with zero month and day values

631

# * A year and month value, with a zero day, e.g. a credit card expiration date

632

#

633

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

634

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

635

# a year.

636

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

637

# month and day.

638

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

639

# if specifying a year by itself or a year and month where the day is not

640

# significant.

641

},

642

"stringValue": "A String", # string

643

"integerValue": "A String", # integer

644

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

645

# or are specified elsewhere. An API may choose to allow leap seconds. Related

646

# types are google.type.Date and `google.protobuf.Timestamp`.

647

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

648

# to allow the value "24:00:00" for scenarios like business closing time.

649

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

650

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

651

# allow the value 60 if it allows leap-seconds.

652

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

653

},

654

"booleanValue": True or False, # boolean

655

"floatValue": 3.14, # float

656

"dayOfWeekValue": "A String", # day of week

657

},

658

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

659

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

660

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

661

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

662

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

663

# grouped together into a single bucket; for example if `lower_bound` = 10,

664

# then all values less than 10 are replaced with the value "-10".

665

# Note that for the purposes of inspection or transformation, the number

666

# of bytes considered to comprise a 'Value' is based on its representation

667

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

668

# 123456789, the number of bytes would be counted as 9, even though an

669

# int64 only holds up to 8 bytes of data.

670

"timestampValue": "A String", # timestamp

671

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

672

# and time zone are either specified elsewhere or are not significant. The date

673

# is relative to the Proleptic Gregorian Calendar. This can represent:

674

#

675

# * A full date, with non-zero year, month and day values

676

# * A month and day value, with a zero year, e.g. an anniversary

677

# * A year on its own, with zero month and day values

678

# * A year and month value, with a zero day, e.g. a credit card expiration date

679

#

680

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

681

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

682

# a year.

683

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

684

# month and day.

685

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

686

# if specifying a year by itself or a year and month where the day is not

687

# significant.

688

},

689

"stringValue": "A String", # string

690

"integerValue": "A String", # integer

691

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

692

# or are specified elsewhere. An API may choose to allow leap seconds. Related

693

# types are google.type.Date and `google.protobuf.Timestamp`.

694

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

695

# to allow the value "24:00:00" for scenarios like business closing time.

696

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

697

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

698

# allow the value 60 if it allows leap-seconds.

699

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

700

},

701

"booleanValue": True or False, # boolean

702

"floatValue": 3.14, # float

703

"dayOfWeekValue": "A String", # day of week

704

},

705

},

706

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

707

# fixed character. Masking can start from the beginning or end of the string.

708

# This can be used on data of any type (numbers, longs, and so on) and when

709

# de-identifying structured data we'll attempt to preserve the original data's

710

# type. (This allows you to take a long like 123 and modify it to a string like

711

# **3.

712

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

713

# characters. For example, if the input string is `555-555-5555` and you

714

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

715

# returns `***-**5-5555`.

716

{ # Characters to skip when doing deidentification of a value. These will be left

717

# alone and skipped.

718

"charactersToSkip": "A String", # Characters to not transform when masking.

719

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

724

# masked. Skipped characters do not count towards this tally.

725

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

726

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

727

# code or credit card number. This string must have a length of 1. If not

728

# supplied, this value defaults to `*` for strings, and `0` for digits.

729

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

730

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

731

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

732

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

733

# is `true`, then the string `12345` is masked as `12***`.

734

},

735

},

736

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

737

# this transformation to apply to all findings that correspond to

738

# infoTypes that were requested in `InspectConfig`.

739

{ # Type of information detected by the API.

740

"name": "A String", # Name of the information type. Either a name of your choosing when

741

# creating a CustomInfoType, or one of the names listed

742

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

743

# a built-in type. InfoType names should conform to the pattern

744

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

750

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

751

# mode is `TransformationErrorHandling.ThrowError`.

752

# transformation error occurs when the requested transformation is incompatible

753

# with the data. For example, trying to de-identify an IP address using a

754

# `DateShift` transformation would result in a transformation error, since date

755

# info cannot be extracted from an IP address.

756

# Information about any incompatible transformations, and how they were

757

# handled, is returned in the response as part of the

758

# `TransformationOverviews`.

759

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

760

},

761

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

762

# cause an error. For example, if a `DateShift` transformation were applied

763

# an an IP address, this mode would leave the IP address unchanged in the

764

# response.

765

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

766

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

767

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

768

# specific locations within structured datasets, such as transforming

769

# a column within a table.

770

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

771

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

772

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

773

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

774

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

775

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

776

},

777

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

778

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

779

# transform content that matches an `InfoType`.

780

# apply various `PrimitiveTransformation`s to each finding, where the

781

# transformation is applied to only values that were identified as a specific

782

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

783

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

784

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

785

{ # A transformation to apply to text that is identified as a specific

786

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

787

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

788

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

789

# portion of the value.

790

"partToExtract": "A String", # The part of the time to keep.

791

},

792

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

793

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

794

# to learn more.

795

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

796

# If set, must also set cryptoKey. If set, shift will be consistent for the

797

# given context.

798

"name": "A String", # Name describing the field.

799

},

800

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

801

# range (inclusive ends). Negative means shift to earlier in time. Must not

802

# be more than 365250 days (1000 years) each direction.

803

#

804

# For example, 3 means shift date to at most 3 days into the future.

805

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

806

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

807

# results in the same shift for the same context and crypto_key. If

808

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

809

# a key encryption key (KEK) stored by KMS).

810

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

811

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

812

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

813

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

814

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

815

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

816

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

817

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

818

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

819

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

820

# This is an arbitrary string used to differentiate different keys.

821

# A unique key is generated per name: two separate `TransientCryptoKey`

822

# protos share the same generated key if their names are the same.

823

# When the data crypto key is generated, this name is not used in any way

824

# (repeating the api call will result in a different key being generated).

825

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

826

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

827

# The wrapped key must be a 128/192/256 bit key.

828

# Authorization requires the following IAM permissions when sending a request

829

# to perform a crypto transformation using a kms-wrapped crypto key:

830

# dlp.kms.encrypt

831

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

832

"wrappedKey": "A String", # Required. The wrapped data crypto key.

833

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

834

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

835

},

836

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

837

},

838

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

839

# Uses SHA-256.

840

# The key size must be either 32 or 64 bytes.

841

# Outputs a base64 encoded representation of the hashed output

842

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

843

# Currently, only string and integer values can be hashed.

844

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

845

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

846

# a key encryption key (KEK) stored by KMS).

847

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

848

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

849

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

850

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

851

# leaking the key. Choose another type of key if possible.

852

"key": "A String", # Required. A 128/192/256 bit key.

853

},

854

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

855

# It will be discarded after the request finishes.

856

"name": "A String", # Required. Name of the key.

857

# This is an arbitrary string used to differentiate different keys.

858

# A unique key is generated per name: two separate `TransientCryptoKey`

859

# protos share the same generated key if their names are the same.

860

# When the data crypto key is generated, this name is not used in any way

861

# (repeating the api call will result in a different key being generated).

862

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

863

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

864

# The wrapped key must be a 128/192/256 bit key.

865

# Authorization requires the following IAM permissions when sending a request

866

# to perform a crypto transformation using a kms-wrapped crypto key:

867

# dlp.kms.encrypt

868

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

869

"wrappedKey": "A String", # Required. The wrapped data crypto key.

870

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

871

},

872

},

873

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

874

# (FPE) with the FFX mode of operation; however when used in the

875

# `ReidentifyContent` API method, it serves the opposite function by reversing

876

# the surrogate back into the original identifier. The identifier must be

877

# encoded as ASCII. For a given crypto key and context, the same identifier

878

# will be replaced with the same surrogate. Identifiers must be at least two

879

# characters long. In the case that the identifier is the empty string, it will

880

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

881

# more.

882

#

883

# Note: We recommend using CryptoDeterministicConfig for all use cases which

884

# do not require preserving the input alphabet space and size, plus warrant

885

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

886

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

887

# This annotation will be applied to the surrogate by prefixing it with

888

# the name of the custom infoType followed by the number of

889

# characters comprising the surrogate. The following scheme defines the

890

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

891

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

892

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

893

# the surrogate is 'abc', the full replacement value

894

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

895

#

896

# This annotation identifies the surrogate when inspecting content using the

897

# custom infoType

898

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

899

# This facilitates reversal of the surrogate when it occurs in free text.

900

#

901

# In order for inspection to work properly, the name of this infoType must

902

# not occur naturally anywhere in your data; otherwise, inspection may

903

# find a surrogate that does not correspond to an actual identifier.

904

# Therefore, choose your custom infoType name carefully after considering

905

# what your data looks like. One way to select a name that has a high chance

906

# of yielding reliable detection is to include one or more unicode characters

907

# that are highly improbable to exist in your data.

908

# For example, assuming your data is entered from a regular ASCII keyboard,

909

# the symbol with the hex code point 29DD might be used like so:

910

# ⧝MY_TOKEN_TYPE

911

"name": "A String", # Name of the information type. Either a name of your choosing when

912

# creating a CustomInfoType, or one of the names listed

913

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

914

# a built-in type. InfoType names should conform to the pattern

915

# `[a-zA-Z0-9_]{1,64}`.

916

},

917

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

918

# identifier in two different contexts won't be given the same surrogate. If

919

# the context is not set, a default tweak will be used.

920

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

921

# If the context is set but:

922

#

923

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

924

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

925

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

926

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

927

#

928

# Note that case (1) is expected when an `InfoTypeTransformation` is

929

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

930

# Currently, the referenced field may be of value type integer or string.

931

#

932

# The tweak is constructed as a sequence of bytes in big endian byte order

933

# such that:

934

#

935

# - a 64 bit integer is encoded followed by a single byte of value 1

936

# - a string is encoded in UTF-8 format followed by a single byte of value 2

937

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

938

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

939

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

940

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

941

# a key encryption key (KEK) stored by KMS).

942

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

943

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

944

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

945

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

946

# leaking the key. Choose another type of key if possible.

947

"key": "A String", # Required. A 128/192/256 bit key.

948

},

949

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

950

# It will be discarded after the request finishes.

951

"name": "A String", # Required. Name of the key.

952

# This is an arbitrary string used to differentiate different keys.

953

# A unique key is generated per name: two separate `TransientCryptoKey`

954

# protos share the same generated key if their names are the same.

955

# When the data crypto key is generated, this name is not used in any way

956

# (repeating the api call will result in a different key being generated).

957

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

958

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

959

# The wrapped key must be a 128/192/256 bit key.

960

# Authorization requires the following IAM permissions when sending a request

961

# to perform a crypto transformation using a kms-wrapped crypto key:

962

# dlp.kms.encrypt

963

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

964

"wrappedKey": "A String", # Required. The wrapped data crypto key.

965

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

966

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

967

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

968

# that the FFX mode natively supports. This happens before/after

969

# encryption/decryption.

970

# Each character listed must appear only once.

971

# Number of characters must be in the range [2, 95].

972

# This must be encoded as ASCII.

973

# The order of characters does not matter.

974

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

975

},

976

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

977

# input. Outputs a base64 encoded representation of the encrypted output.

978

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

979

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

980

# This annotation will be applied to the surrogate by prefixing it with

981

# the name of the custom info type followed by the number of

982

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

983

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

984

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

985

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

986

# the surrogate is 'abc', the full replacement value

987

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

988

#

989

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

990

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

991

# surrogate when it occurs in free text.

992

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

993

# Note: For record transformations where the entire cell in a table is being

994

# transformed, surrogates are not mandatory. Surrogates are used to denote

995

# the location of the token and are necessary for re-identification in free

996

# form text.

997

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

998

# In order for inspection to work properly, the name of this info type must

999

# not occur naturally anywhere in your data; otherwise, inspection may either

1000

#

1001

# - reverse a surrogate that does not correspond to an actual identifier

1002

# - be unable to parse the surrogate and result in an error

1003

#

1004

# Therefore, choose your custom info type name carefully after considering

1005

# what your data looks like. One way to select a name that has a high chance

1006

# of yielding reliable detection is to include one or more unicode characters

1007

# that are highly improbable to exist in your data.

1008

# For example, assuming your data is entered from a regular ASCII keyboard,

1009

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1010

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1011

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1012

# creating a CustomInfoType, or one of the names listed

1013

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1014

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1015

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1016

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1017

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1018

# referential integrity such that the same identifier in two different

1019

# contexts will be given a distinct surrogate. The context is appended to

1020

# plaintext value being encrypted. On decryption the provided context is

1021

# validated against the value used during encryption. If a context was

1022

# provided during encryption, same context must be provided during decryption

1023

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1024

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1025

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1026

# If the context is set but:

1027

#

1028

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1029

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1030

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1031

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1032

#

1033

# Note that case (1) is expected when an `InfoTypeTransformation` is

1034

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1035

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1036

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1037

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1038

# a key encryption key (KEK) stored by KMS).

1039

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1040

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1041

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1042

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1043

# leaking the key. Choose another type of key if possible.

1044

"key": "A String", # Required. A 128/192/256 bit key.

1045

},

1046

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1047

# It will be discarded after the request finishes.

1048

"name": "A String", # Required. Name of the key.

1049

# This is an arbitrary string used to differentiate different keys.

1050

# A unique key is generated per name: two separate `TransientCryptoKey`

1051

# protos share the same generated key if their names are the same.

1052

# When the data crypto key is generated, this name is not used in any way

1053

# (repeating the api call will result in a different key being generated).

1054

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1055

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1056

# The wrapped key must be a 128/192/256 bit key.

1057

# Authorization requires the following IAM permissions when sending a request

1058

# to perform a crypto transformation using a kms-wrapped crypto key:

1059

# dlp.kms.encrypt

1060

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1061

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1062

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1063

},

1064

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1065

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1066

# replacement values are dynamically provided by the user for custom behavior,

1067

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1068

# This can be used on

1069

# data of type: number, long, string, timestamp.

1070

# If the bound `Value` type differs from the type of data being transformed, we

1071

# will first attempt converting the type of the data to be transformed to match

1072

# the type of the bound before comparing.

1073

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1074

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1075

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1076

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1077

# the default behavior will be to hyphenate the min-max range.

1078

# Note that for the purposes of inspection or transformation, the number

1079

# of bytes considered to comprise a 'Value' is based on its representation

1080

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1081

# 123456789, the number of bytes would be counted as 9, even though an

1082

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1083

"timestampValue": "A String", # timestamp

1084

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1085

# and time zone are either specified elsewhere or are not significant. The date

1086

# is relative to the Proleptic Gregorian Calendar. This can represent:

1087

#

1088

# * A full date, with non-zero year, month and day values

1089

# * A month and day value, with a zero year, e.g. an anniversary

1090

# * A year on its own, with zero month and day values

1091

# * A year and month value, with a zero day, e.g. a credit card expiration date

1092

#

1093

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1094

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1095

# a year.

1096

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1097

# month and day.

1098

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1099

# if specifying a year by itself or a year and month where the day is not

1100

# significant.

1101

},

1102

"stringValue": "A String", # string

1103

"integerValue": "A String", # integer

1104

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1105

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1106

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1107

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1108

# to allow the value "24:00:00" for scenarios like business closing time.

1109

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1110

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1111

# allow the value 60 if it allows leap-seconds.

1112

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1113

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1114

"booleanValue": True or False, # boolean

1115

"floatValue": 3.14, # float

1116

"dayOfWeekValue": "A String", # day of week

1117

},

1118

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1119

# used.

1120

# Note that for the purposes of inspection or transformation, the number

1121

# of bytes considered to comprise a 'Value' is based on its representation

1122

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1123

# 123456789, the number of bytes would be counted as 9, even though an

1124

# int64 only holds up to 8 bytes of data.

1125

"timestampValue": "A String", # timestamp

1126

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1127

# and time zone are either specified elsewhere or are not significant. The date

1128

# is relative to the Proleptic Gregorian Calendar. This can represent:

1129

#

1130

# * A full date, with non-zero year, month and day values

1131

# * A month and day value, with a zero year, e.g. an anniversary

1132

# * A year on its own, with zero month and day values

1133

# * A year and month value, with a zero day, e.g. a credit card expiration date

1134

#

1135

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1136

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1137

# a year.

1138

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1139

# month and day.

1140

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1141

# if specifying a year by itself or a year and month where the day is not

1142

# significant.

1143

},

1144

"stringValue": "A String", # string

1145

"integerValue": "A String", # integer

1146

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1147

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1148

# types are google.type.Date and `google.protobuf.Timestamp`.

1149

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1150

# to allow the value "24:00:00" for scenarios like business closing time.

1151

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1152

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1153

# allow the value 60 if it allows leap-seconds.

1154

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1155

},

1156

"booleanValue": True or False, # boolean

1157

"floatValue": 3.14, # float

1158

"dayOfWeekValue": "A String", # day of week

1159

},

1160

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1161

# Note that for the purposes of inspection or transformation, the number

1162

# of bytes considered to comprise a 'Value' is based on its representation

1163

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1164

# 123456789, the number of bytes would be counted as 9, even though an

1165

# int64 only holds up to 8 bytes of data.

1166

"timestampValue": "A String", # timestamp

1167

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1168

# and time zone are either specified elsewhere or are not significant. The date

1169

# is relative to the Proleptic Gregorian Calendar. This can represent:

1170

#

1171

# * A full date, with non-zero year, month and day values

1172

# * A month and day value, with a zero year, e.g. an anniversary

1173

# * A year on its own, with zero month and day values

1174

# * A year and month value, with a zero day, e.g. a credit card expiration date

1175

#

1176

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1177

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1178

# a year.

1179

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1180

# month and day.

1181

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1182

# if specifying a year by itself or a year and month where the day is not

1183

# significant.

1184

},

1185

"stringValue": "A String", # string

1186

"integerValue": "A String", # integer

1187

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1188

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1189

# types are google.type.Date and `google.protobuf.Timestamp`.

1190

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1191

# to allow the value "24:00:00" for scenarios like business closing time.

1192

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1193

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1194

# allow the value 60 if it allows leap-seconds.

1195

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1196

},

1197

"booleanValue": True or False, # boolean

1198

"floatValue": 3.14, # float

1199

"dayOfWeekValue": "A String", # day of week

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1204

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1205

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1206

# output would be 'My phone number is '.

1207

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1208

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1209

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1210

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1211

# of bytes considered to comprise a 'Value' is based on its representation

1212

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1213

# 123456789, the number of bytes would be counted as 9, even though an

1214

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1215

"timestampValue": "A String", # timestamp

1216

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1217

# and time zone are either specified elsewhere or are not significant. The date

1218

# is relative to the Proleptic Gregorian Calendar. This can represent:

1219

#

1220

# * A full date, with non-zero year, month and day values

1221

# * A month and day value, with a zero year, e.g. an anniversary

1222

# * A year on its own, with zero month and day values

1223

# * A year and month value, with a zero day, e.g. a credit card expiration date

1224

#

1225

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1226

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1227

# a year.

1228

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

1229

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1230

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1231

# if specifying a year by itself or a year and month where the day is not

1232

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1233

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1234

"stringValue": "A String", # string

1235

"integerValue": "A String", # integer

1236

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1237

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1238

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1239

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1240

# to allow the value "24:00:00" for scenarios like business closing time.

1241

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1242

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1243

# allow the value 60 if it allows leap-seconds.

1244

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1245

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1246

"booleanValue": True or False, # boolean

1247

"floatValue": 3.14, # float

1248

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1249

},

1250

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1251

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1252

# Bucketing transformation can provide all of this functionality,

1253

# but requires more configuration. This message is provided as a convenience to

1254

# the user for simple bucketing strategies.

1255

#

1256

# The transformed value will be a hyphenated string of

1257

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1258

# all values that are within this bucket will be replaced with "10-20".

1259

#

1260

# This can be used on data of type: double, long.

1261

#

1262

# If the bound Value type differs from the type of data

1263

# being transformed, we will first attempt converting the type of the data to

1264

# be transformed to match the type of the bound before comparing.

1265

#

1266

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1267

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1268

# grouped together into a single bucket; for example if `upper_bound` = 89,

1269

# then all values greater than 89 are replaced with the value "89+".

1270

# Note that for the purposes of inspection or transformation, the number

1271

# of bytes considered to comprise a 'Value' is based on its representation

1272

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1273

# 123456789, the number of bytes would be counted as 9, even though an

1274

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1275

"timestampValue": "A String", # timestamp

1276

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1277

# and time zone are either specified elsewhere or are not significant. The date

1278

# is relative to the Proleptic Gregorian Calendar. This can represent:

1279

#

1280

# * A full date, with non-zero year, month and day values

1281

# * A month and day value, with a zero year, e.g. an anniversary

1282

# * A year on its own, with zero month and day values

1283

# * A year and month value, with a zero day, e.g. a credit card expiration date

1284

#

1285

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1286

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1287

# a year.

1288

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1289

# month and day.

1290

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1291

# if specifying a year by itself or a year and month where the day is not

1292

# significant.

1293

},

1294

"stringValue": "A String", # string

1295

"integerValue": "A String", # integer

1296

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1297

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1298

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1299

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1300

# to allow the value "24:00:00" for scenarios like business closing time.

1301

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1302

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1303

# allow the value 60 if it allows leap-seconds.

1304

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1305

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1306

"booleanValue": True or False, # boolean

1307

"floatValue": 3.14, # float

1308

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1309

},

1310

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1311

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1312

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1313

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1314

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1315

# grouped together into a single bucket; for example if `lower_bound` = 10,

1316

# then all values less than 10 are replaced with the value "-10".

1317

# Note that for the purposes of inspection or transformation, the number

1318

# of bytes considered to comprise a 'Value' is based on its representation

1319

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1320

# 123456789, the number of bytes would be counted as 9, even though an

1321

# int64 only holds up to 8 bytes of data.

1322

"timestampValue": "A String", # timestamp

1323

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1324

# and time zone are either specified elsewhere or are not significant. The date

1325

# is relative to the Proleptic Gregorian Calendar. This can represent:

1326

#

1327

# * A full date, with non-zero year, month and day values

1328

# * A month and day value, with a zero year, e.g. an anniversary

1329

# * A year on its own, with zero month and day values

1330

# * A year and month value, with a zero day, e.g. a credit card expiration date

1331

#

1332

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1333

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1334

# a year.

1335

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1336

# month and day.

1337

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1338

# if specifying a year by itself or a year and month where the day is not

1339

# significant.

1340

},

1341

"stringValue": "A String", # string

1342

"integerValue": "A String", # integer

1343

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1344

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1345

# types are google.type.Date and `google.protobuf.Timestamp`.

1346

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1347

# to allow the value "24:00:00" for scenarios like business closing time.

1348

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1349

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1350

# allow the value 60 if it allows leap-seconds.

1351

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1352

},

1353

"booleanValue": True or False, # boolean

1354

"floatValue": 3.14, # float

1355

"dayOfWeekValue": "A String", # day of week

1356

},

1357

},

1358

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1359

# fixed character. Masking can start from the beginning or end of the string.

1360

# This can be used on data of any type (numbers, longs, and so on) and when

1361

# de-identifying structured data we'll attempt to preserve the original data's

1362

# type. (This allows you to take a long like 123 and modify it to a string like

1363

# **3.

1364

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1365

# characters. For example, if the input string is `555-555-5555` and you

1366

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1367

# returns `***-**5-5555`.

1368

{ # Characters to skip when doing deidentification of a value. These will be left

1369

# alone and skipped.

1370

"charactersToSkip": "A String", # Characters to not transform when masking.

1371

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1376

# masked. Skipped characters do not count towards this tally.

1377

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1378

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1379

# code or credit card number. This string must have a length of 1. If not

1380

# supplied, this value defaults to `*` for strings, and `0` for digits.

1381

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1382

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

1383

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

1384

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

1385

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1386

},

1387

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1388

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

1389

# this transformation to apply to all findings that correspond to

1390

# infoTypes that were requested in `InspectConfig`.

1391

{ # Type of information detected by the API.

1392

"name": "A String", # Name of the information type. Either a name of your choosing when

1393

# creating a CustomInfoType, or one of the names listed

1394

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1395

# a built-in type. InfoType names should conform to the pattern

1396

# `[a-zA-Z0-9_]{1,64}`.

1397

},

1398

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

1403

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

1404

# portion of the value.

1405

"partToExtract": "A String", # The part of the time to keep.

1406

},

1407

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

1408

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

1409

# to learn more.

1410

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

1411

# If set, must also set cryptoKey. If set, shift will be consistent for the

1412

# given context.

1413

"name": "A String", # Name describing the field.

1414

},

1415

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

1416

# range (inclusive ends). Negative means shift to earlier in time. Must not

1417

# be more than 365250 days (1000 years) each direction.

1418

#

1419

# For example, 3 means shift date to at most 3 days into the future.

1420

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1421

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

1422

# results in the same shift for the same context and crypto_key. If

1423

# set, must also set context. Can only be applied to table items.

1424

# a key encryption key (KEK) stored by KMS).

1425

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1426

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1427

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1428

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1429

# leaking the key. Choose another type of key if possible.

1430

"key": "A String", # Required. A 128/192/256 bit key.

1431

},

1432

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1433

# It will be discarded after the request finishes.

1434

"name": "A String", # Required. Name of the key.

1435

# This is an arbitrary string used to differentiate different keys.

1436

# A unique key is generated per name: two separate `TransientCryptoKey`

1437

# protos share the same generated key if their names are the same.

1438

# When the data crypto key is generated, this name is not used in any way

1439

# (repeating the api call will result in a different key being generated).

1440

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1441

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1442

# The wrapped key must be a 128/192/256 bit key.

1443

# Authorization requires the following IAM permissions when sending a request

1444

# to perform a crypto transformation using a kms-wrapped crypto key:

1445

# dlp.kms.encrypt

1446

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1447

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1448

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1449

},

1450

},

1451

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1452

},

1453

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

1454

# Uses SHA-256.

1455

# The key size must be either 32 or 64 bytes.

1456

# Outputs a base64 encoded representation of the hashed output

1457

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

1458

# Currently, only string and integer values can be hashed.

1459

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

1460

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

1461

# a key encryption key (KEK) stored by KMS).

1462

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1463

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1464

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1465

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1466

# leaking the key. Choose another type of key if possible.

1467

"key": "A String", # Required. A 128/192/256 bit key.

1468

},

1469

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1470

# It will be discarded after the request finishes.

1471

"name": "A String", # Required. Name of the key.

1472

# This is an arbitrary string used to differentiate different keys.

1473

# A unique key is generated per name: two separate `TransientCryptoKey`

1474

# protos share the same generated key if their names are the same.

1475

# When the data crypto key is generated, this name is not used in any way

1476

# (repeating the api call will result in a different key being generated).

1477

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1478

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1479

# The wrapped key must be a 128/192/256 bit key.

1480

# Authorization requires the following IAM permissions when sending a request

1481

# to perform a crypto transformation using a kms-wrapped crypto key:

1482

# dlp.kms.encrypt

1483

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1484

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1485

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1486

},

1487

},

1488

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

1489

# (FPE) with the FFX mode of operation; however when used in the

1490

# `ReidentifyContent` API method, it serves the opposite function by reversing

1491

# the surrogate back into the original identifier. The identifier must be

1492

# encoded as ASCII. For a given crypto key and context, the same identifier

1493

# will be replaced with the same surrogate. Identifiers must be at least two

1494

# characters long. In the case that the identifier is the empty string, it will

1495

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

1496

# more.

1497

#

1498

# Note: We recommend using CryptoDeterministicConfig for all use cases which

1499

# do not require preserving the input alphabet space and size, plus warrant

1500

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1501

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

1502

# This annotation will be applied to the surrogate by prefixing it with

1503

# the name of the custom infoType followed by the number of

1504

# characters comprising the surrogate. The following scheme defines the

1505

# format: info_type_name(surrogate_character_count):surrogate

1506

#

1507

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

1508

# the surrogate is 'abc', the full replacement value

1509

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1510

#

1511

# This annotation identifies the surrogate when inspecting content using the

1512

# custom infoType

1513

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

1514

# This facilitates reversal of the surrogate when it occurs in free text.

1515

#

1516

# In order for inspection to work properly, the name of this infoType must

1517

# not occur naturally anywhere in your data; otherwise, inspection may

1518

# find a surrogate that does not correspond to an actual identifier.

1519

# Therefore, choose your custom infoType name carefully after considering

1520

# what your data looks like. One way to select a name that has a high chance

1521

# of yielding reliable detection is to include one or more unicode characters

1522

# that are highly improbable to exist in your data.

1523

# For example, assuming your data is entered from a regular ASCII keyboard,

1524

# the symbol with the hex code point 29DD might be used like so:

1525

# ⧝MY_TOKEN_TYPE

1526

"name": "A String", # Name of the information type. Either a name of your choosing when

1527

# creating a CustomInfoType, or one of the names listed

1528

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1529

# a built-in type. InfoType names should conform to the pattern

1530

# `[a-zA-Z0-9_]{1,64}`.

1531

},

1532

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

1533

# identifier in two different contexts won't be given the same surrogate. If

1534

# the context is not set, a default tweak will be used.

1535

#

1536

# If the context is set but:

1537

#

1538

# 1. there is no record present when transforming a given value or

1539

# 1. the field is not present when transforming a given value,

1540

#

1541

# a default tweak will be used.

1542

#

1543

# Note that case (1) is expected when an `InfoTypeTransformation` is

1544

# applied to both structured and non-structured `ContentItem`s.

1545

# Currently, the referenced field may be of value type integer or string.

1546

#

1547

# The tweak is constructed as a sequence of bytes in big endian byte order

1548

# such that:

1549

#

1550

# - a 64 bit integer is encoded followed by a single byte of value 1

1551

# - a string is encoded in UTF-8 format followed by a single byte of value 2

1552

"name": "A String", # Name describing the field.

1553

},

1554

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1555

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

1556

# a key encryption key (KEK) stored by KMS).

1557

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1558

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1559

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1560

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1561

# leaking the key. Choose another type of key if possible.

1562

"key": "A String", # Required. A 128/192/256 bit key.

1563

},

1564

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1565

# It will be discarded after the request finishes.

1566

"name": "A String", # Required. Name of the key.

1567

# This is an arbitrary string used to differentiate different keys.

1568

# A unique key is generated per name: two separate `TransientCryptoKey`

1569

# protos share the same generated key if their names are the same.

1570

# When the data crypto key is generated, this name is not used in any way

1571

# (repeating the api call will result in a different key being generated).

1572

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1573

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1574

# The wrapped key must be a 128/192/256 bit key.

1575

# Authorization requires the following IAM permissions when sending a request

1576

# to perform a crypto transformation using a kms-wrapped crypto key:

1577

# dlp.kms.encrypt

1578

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1579

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1580

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1581

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1582

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

1583

# that the FFX mode natively supports. This happens before/after

1584

# encryption/decryption.

1585

# Each character listed must appear only once.

1586

# Number of characters must be in the range [2, 95].

1587

# This must be encoded as ASCII.

1588

# The order of characters does not matter.

1589

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1590

},

1591

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

1592

# input. Outputs a base64 encoded representation of the encrypted output.

1593

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

1594

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

1595

# This annotation will be applied to the surrogate by prefixing it with

1596

# the name of the custom info type followed by the number of

1597

# characters comprising the surrogate. The following scheme defines the

1598

# format: {info type name}({surrogate character count}):{surrogate}

1599

#

1600

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

1601

# the surrogate is 'abc', the full replacement value

1602

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1603

#

1604

# This annotation identifies the surrogate when inspecting content using the

1605

# custom info type 'Surrogate'. This facilitates reversal of the

1606

# surrogate when it occurs in free text.

1607

#

1608

# Note: For record transformations where the entire cell in a table is being

1609

# transformed, surrogates are not mandatory. Surrogates are used to denote

1610

# the location of the token and are necessary for re-identification in free

1611

# form text.

1612

#

1613

# In order for inspection to work properly, the name of this info type must

1614

# not occur naturally anywhere in your data; otherwise, inspection may either

1615

#

1616

# - reverse a surrogate that does not correspond to an actual identifier

1617

# - be unable to parse the surrogate and result in an error

1618

#

1619

# Therefore, choose your custom info type name carefully after considering

1620

# what your data looks like. One way to select a name that has a high chance

1621

# of yielding reliable detection is to include one or more unicode characters

1622

# that are highly improbable to exist in your data.

1623

# For example, assuming your data is entered from a regular ASCII keyboard,

1624

# the symbol with the hex code point 29DD might be used like so:

1625

# ⧝MY_TOKEN_TYPE.

1626

"name": "A String", # Name of the information type. Either a name of your choosing when

1627

# creating a CustomInfoType, or one of the names listed

1628

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1629

# a built-in type. InfoType names should conform to the pattern

1630

# `[a-zA-Z0-9_]{1,64}`.

1631

},

1632

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1633

# referential integrity such that the same identifier in two different

1634

# contexts will be given a distinct surrogate. The context is appended to

1635

# plaintext value being encrypted. On decryption the provided context is

1636

# validated against the value used during encryption. If a context was

1637

# provided during encryption, same context must be provided during decryption

1638

# as well.

1639

#

1640

# If the context is not set, plaintext would be used as is for encryption.

1641

# If the context is set but:

1642

#

1643

# 1. there is no record present when transforming a given value or

1644

# 2. the field is not present when transforming a given value,

1645

#

1646

# plaintext would be used as is for encryption.

1647

#

1648

# Note that case (1) is expected when an `InfoTypeTransformation` is

1649

# applied to both structured and non-structured `ContentItem`s.

1650

"name": "A String", # Name describing the field.

1651

},

1652

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1653

# a key encryption key (KEK) stored by KMS).

1654

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1655

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1656

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1657

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1658

# leaking the key. Choose another type of key if possible.

1659

"key": "A String", # Required. A 128/192/256 bit key.

1660

},

1661

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1662

# It will be discarded after the request finishes.

1663

"name": "A String", # Required. Name of the key.

1664

# This is an arbitrary string used to differentiate different keys.

1665

# A unique key is generated per name: two separate `TransientCryptoKey`

1666

# protos share the same generated key if their names are the same.

1667

# When the data crypto key is generated, this name is not used in any way

1668

# (repeating the api call will result in a different key being generated).

1669

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1670

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1671

# The wrapped key must be a 128/192/256 bit key.

1672

# Authorization requires the following IAM permissions when sending a request

1673

# to perform a crypto transformation using a kms-wrapped crypto key:

1674

# dlp.kms.encrypt

1675

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1676

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1677

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1678

},

1679

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1680

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

1681

# replacement values are dynamically provided by the user for custom behavior,

1682

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1683

# This can be used on

1684

# data of type: number, long, string, timestamp.

1685

# If the bound `Value` type differs from the type of data being transformed, we

1686

# will first attempt converting the type of the data to be transformed to match

1687

# the type of the bound before comparing.

1688

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1689

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1690

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1691

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1692

# the default behavior will be to hyphenate the min-max range.

1693

# Note that for the purposes of inspection or transformation, the number

1694

# of bytes considered to comprise a 'Value' is based on its representation

1695

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1696

# 123456789, the number of bytes would be counted as 9, even though an

1697

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1698

"timestampValue": "A String", # timestamp

1699

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1700

# and time zone are either specified elsewhere or are not significant. The date

1701

# is relative to the Proleptic Gregorian Calendar. This can represent:

1702

#

1703

# * A full date, with non-zero year, month and day values

1704

# * A month and day value, with a zero year, e.g. an anniversary

1705

# * A year on its own, with zero month and day values

1706

# * A year and month value, with a zero day, e.g. a credit card expiration date

1707

#

1708

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1709

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1710

# a year.

1711

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1712

# month and day.

1713

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1714

# if specifying a year by itself or a year and month where the day is not

1715

# significant.

1716

},

1717

"stringValue": "A String", # string

1718

"integerValue": "A String", # integer

1719

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1720

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1721

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1722

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1723

# to allow the value "24:00:00" for scenarios like business closing time.

1724

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1725

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1726

# allow the value 60 if it allows leap-seconds.

1727

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1728

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1729

"booleanValue": True or False, # boolean

1730

"floatValue": 3.14, # float

1731

"dayOfWeekValue": "A String", # day of week

1732

},

1733

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1734

# used.

1735

# Note that for the purposes of inspection or transformation, the number

1736

# of bytes considered to comprise a 'Value' is based on its representation

1737

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1738

# 123456789, the number of bytes would be counted as 9, even though an

1739

# int64 only holds up to 8 bytes of data.

1740

"timestampValue": "A String", # timestamp

1741

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1742

# and time zone are either specified elsewhere or are not significant. The date

1743

# is relative to the Proleptic Gregorian Calendar. This can represent:

1744

#

1745

# * A full date, with non-zero year, month and day values

1746

# * A month and day value, with a zero year, e.g. an anniversary

1747

# * A year on its own, with zero month and day values

1748

# * A year and month value, with a zero day, e.g. a credit card expiration date

1749

#

1750

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1751

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1752

# a year.

1753

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1754

# month and day.

1755

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1756

# if specifying a year by itself or a year and month where the day is not

1757

# significant.

1758

},

1759

"stringValue": "A String", # string

1760

"integerValue": "A String", # integer

1761

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1762

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1763

# types are google.type.Date and `google.protobuf.Timestamp`.

1764

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1765

# to allow the value "24:00:00" for scenarios like business closing time.

1766

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1767

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1768

# allow the value 60 if it allows leap-seconds.

1769

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1770

},

1771

"booleanValue": True or False, # boolean

1772

"floatValue": 3.14, # float

1773

"dayOfWeekValue": "A String", # day of week

1774

},

1775

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1776

# Note that for the purposes of inspection or transformation, the number

1777

# of bytes considered to comprise a 'Value' is based on its representation

1778

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1779

# 123456789, the number of bytes would be counted as 9, even though an

1780

# int64 only holds up to 8 bytes of data.

1781

"timestampValue": "A String", # timestamp

1782

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1783

# and time zone are either specified elsewhere or are not significant. The date

1784

# is relative to the Proleptic Gregorian Calendar. This can represent:

1785

#

1786

# * A full date, with non-zero year, month and day values

1787

# * A month and day value, with a zero year, e.g. an anniversary

1788

# * A year on its own, with zero month and day values

1789

# * A year and month value, with a zero day, e.g. a credit card expiration date

1790

#

1791

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1792

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1793

# a year.

1794

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1795

# month and day.

1796

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1797

# if specifying a year by itself or a year and month where the day is not

1798

# significant.

1799

},

1800

"stringValue": "A String", # string

1801

"integerValue": "A String", # integer

1802

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1803

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1804

# types are google.type.Date and `google.protobuf.Timestamp`.

1805

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1806

# to allow the value "24:00:00" for scenarios like business closing time.

1807

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1808

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1809

# allow the value 60 if it allows leap-seconds.

1810

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1811

},

1812

"booleanValue": True or False, # boolean

1813

"floatValue": 3.14, # float

1814

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

1815

},

1816

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1817

],

1818

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1819

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1820

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1821

# output would be 'My phone number is '.

1822

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1823

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1824

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1825

# Note that for the purposes of inspection or transformation, the number

1826

# of bytes considered to comprise a 'Value' is based on its representation

1827

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1828

# 123456789, the number of bytes would be counted as 9, even though an

1829

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1830

"timestampValue": "A String", # timestamp

1831

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1832

# and time zone are either specified elsewhere or are not significant. The date

1833

# is relative to the Proleptic Gregorian Calendar. This can represent:

1834

#

1835

# * A full date, with non-zero year, month and day values

1836

# * A month and day value, with a zero year, e.g. an anniversary

1837

# * A year on its own, with zero month and day values

1838

# * A year and month value, with a zero day, e.g. a credit card expiration date

1839

#

1840

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1841

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1842

# a year.

1843

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1844

# month and day.

1845

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1846

# if specifying a year by itself or a year and month where the day is not

1847

# significant.

1848

},

1849

"stringValue": "A String", # string

1850

"integerValue": "A String", # integer

1851

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1852

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1853

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1854

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1855

# to allow the value "24:00:00" for scenarios like business closing time.

1856

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1857

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1858

# allow the value 60 if it allows leap-seconds.

1859

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1860

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1861

"booleanValue": True or False, # boolean

1862

"floatValue": 3.14, # float

1863

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1864

},

1865

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1866

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1867

# Bucketing transformation can provide all of this functionality,

1868

# but requires more configuration. This message is provided as a convenience to

1869

# the user for simple bucketing strategies.

1870

#

1871

# The transformed value will be a hyphenated string of

1872

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1873

# all values that are within this bucket will be replaced with "10-20".

1874

#

1875

# This can be used on data of type: double, long.

1876

#

1877

# If the bound Value type differs from the type of data

1878

# being transformed, we will first attempt converting the type of the data to

1879

# be transformed to match the type of the bound before comparing.

1880

#

1881

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1882

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1883

# grouped together into a single bucket; for example if `upper_bound` = 89,

1884

# then all values greater than 89 are replaced with the value "89+".

1885

# Note that for the purposes of inspection or transformation, the number

1886

# of bytes considered to comprise a 'Value' is based on its representation

1887

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1888

# 123456789, the number of bytes would be counted as 9, even though an

1889

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1890

"timestampValue": "A String", # timestamp

1891

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1892

# and time zone are either specified elsewhere or are not significant. The date

1893

# is relative to the Proleptic Gregorian Calendar. This can represent:

1894

#

1895

# * A full date, with non-zero year, month and day values

1896

# * A month and day value, with a zero year, e.g. an anniversary

1897

# * A year on its own, with zero month and day values

1898

# * A year and month value, with a zero day, e.g. a credit card expiration date

1899

#

1900

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1901

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1902

# a year.

1903

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1904

# month and day.

1905

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1906

# if specifying a year by itself or a year and month where the day is not

1907

# significant.

1908

},

1909

"stringValue": "A String", # string

1910

"integerValue": "A String", # integer

1911

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1912

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1913

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1914

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1915

# to allow the value "24:00:00" for scenarios like business closing time.

1916

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1917

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1918

# allow the value 60 if it allows leap-seconds.

1919

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1920

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1921

"booleanValue": True or False, # boolean

1922

"floatValue": 3.14, # float

1923

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

1924

},

1925

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1926

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1927

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1928

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

1929

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1930

# grouped together into a single bucket; for example if `lower_bound` = 10,

1931

# then all values less than 10 are replaced with the value "-10".

1932

# Note that for the purposes of inspection or transformation, the number

1933

# of bytes considered to comprise a 'Value' is based on its representation

1934

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1935

# 123456789, the number of bytes would be counted as 9, even though an

1936

# int64 only holds up to 8 bytes of data.

1937

"timestampValue": "A String", # timestamp

1938

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1939

# and time zone are either specified elsewhere or are not significant. The date

1940

# is relative to the Proleptic Gregorian Calendar. This can represent:

1941

#

1942

# * A full date, with non-zero year, month and day values

1943

# * A month and day value, with a zero year, e.g. an anniversary

1944

# * A year on its own, with zero month and day values

1945

# * A year and month value, with a zero day, e.g. a credit card expiration date

1946

#

1947

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1948

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1949

# a year.

1950

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1951

# month and day.

1952

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1953

# if specifying a year by itself or a year and month where the day is not

1954

# significant.

1955

},

1956

"stringValue": "A String", # string

1957

"integerValue": "A String", # integer

1958

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1959

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1960

# types are google.type.Date and `google.protobuf.Timestamp`.

1961

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1962

# to allow the value "24:00:00" for scenarios like business closing time.

1963

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1964

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1965

# allow the value 60 if it allows leap-seconds.

1966

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1967

},

1968

"booleanValue": True or False, # boolean

1969

"floatValue": 3.14, # float

1970

"dayOfWeekValue": "A String", # day of week

1971

},

1972

},

1973

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1974

# fixed character. Masking can start from the beginning or end of the string.

1975

# This can be used on data of any type (numbers, longs, and so on) and when

1976

# de-identifying structured data we'll attempt to preserve the original data's

1977

# type. (This allows you to take a long like 123 and modify it to a string like

1978

# **3.

1979

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1980

# characters. For example, if the input string is `555-555-5555` and you

1981

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1982

# returns `***-**5-5555`.

1983

{ # Characters to skip when doing deidentification of a value. These will be left

1984

# alone and skipped.

1985

"charactersToSkip": "A String", # Characters to not transform when masking.

1986

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1991

# masked. Skipped characters do not count towards this tally.

1992

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1993

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1994

# code or credit card number. This string must have a length of 1. If not

1995

# supplied, this value defaults to `*` for strings, and `0` for digits.

1996

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1997

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

1998

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

1999

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2000

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2001

},

2002

},

2003

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

2004

# given `RecordCondition`. The conditions are allowed to reference fields

2005

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

2010

# column for the same record is within a specific range.

2011

# - Redact a field if the date of birth field is greater than 85.

2012

# a field.

2013

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2014

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

2015

# only supported value is `AND`.

2016

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2017

"conditions": [ # A collection of conditions.

2018

{ # The field type of `value` and `field` do not need to match to be

2019

# considered equal, but not all comparisons are possible.

2020

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

2021

# but all other comparisons are invalid with incompatible types.

2022

# A `value` of type:

2023

#

2024

# - `string` can be compared against all other types

2025

# - `boolean` can only be compared against other booleans

2026

# - `integer` can be compared against doubles or a string if the string value

2027

# can be parsed as an integer.

2028

# - `double` can be compared against integers or a string if the string can

2029

# be parsed as a double.

2030

# - `Timestamp` can be compared against strings in RFC 3339 date string

2031

# format.

2032

# - `TimeOfDay` can be compared against timestamps and strings in the format

2033

# of 'HH:mm:ss'.

2034

#

2035

# If we fail to compare do to type mismatch, a warning will be given and

2036

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2037

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

2038

# Note that for the purposes of inspection or transformation, the number

2039

# of bytes considered to comprise a 'Value' is based on its representation

2040

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2041

# 123456789, the number of bytes would be counted as 9, even though an

2042

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2043

"timestampValue": "A String", # timestamp

2044

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2045

# and time zone are either specified elsewhere or are not significant. The date

2046

# is relative to the Proleptic Gregorian Calendar. This can represent:

2047

#

2048

# * A full date, with non-zero year, month and day values

2049

# * A month and day value, with a zero year, e.g. an anniversary

2050

# * A year on its own, with zero month and day values

2051

# * A year and month value, with a zero day, e.g. a credit card expiration date

2052

#

2053

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2054

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2055

# a year.

2056

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2057

# month and day.

2058

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2059

# if specifying a year by itself or a year and month where the day is not

2060

# significant.

2061

},

2062

"stringValue": "A String", # string

2063

"integerValue": "A String", # integer

2064

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2065

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2066

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2067

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2068

# to allow the value "24:00:00" for scenarios like business closing time.

2069

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2070

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2071

# allow the value 60 if it allows leap-seconds.

2072

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2073

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2074

"booleanValue": True or False, # boolean

2075

"floatValue": 3.14, # float

2076

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2077

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2078

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2079

"name": "A String", # Name describing the field.

2080

},

2081

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2082

},

2083

],

2084

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2085

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2086

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2087

},

2088

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2089

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

2090

# match any suppression rule are omitted from the output.

2091

{ # Configuration to suppress records whose suppression conditions evaluate to

2092

# true.

2093

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

2094

# evaluated to be suppressed from the transformed content.

2095

# a field.

2096

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2097

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

2098

# only supported value is `AND`.

2099

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2100

"conditions": [ # A collection of conditions.

2101

{ # The field type of `value` and `field` do not need to match to be

2102

# considered equal, but not all comparisons are possible.

2103

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

2104

# but all other comparisons are invalid with incompatible types.

2105

# A `value` of type:

2106

#

2107

# - `string` can be compared against all other types

2108

# - `boolean` can only be compared against other booleans

2109

# - `integer` can be compared against doubles or a string if the string value

2110

# can be parsed as an integer.

2111

# - `double` can be compared against integers or a string if the string can

2112

# be parsed as a double.

2113

# - `Timestamp` can be compared against strings in RFC 3339 date string

2114

# format.

2115

# - `TimeOfDay` can be compared against timestamps and strings in the format

2116

# of 'HH:mm:ss'.

2117

#

2118

# If we fail to compare do to type mismatch, a warning will be given and

2119

# the condition will evaluate to false.

2120

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

2121

# Note that for the purposes of inspection or transformation, the number

2122

# of bytes considered to comprise a 'Value' is based on its representation

2123

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2124

# 123456789, the number of bytes would be counted as 9, even though an

2125

# int64 only holds up to 8 bytes of data.

2126

"timestampValue": "A String", # timestamp

2127

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2128

# and time zone are either specified elsewhere or are not significant. The date

2129

# is relative to the Proleptic Gregorian Calendar. This can represent:

2130

#

2131

# * A full date, with non-zero year, month and day values

2132

# * A month and day value, with a zero year, e.g. an anniversary

2133

# * A year on its own, with zero month and day values

2134

# * A year and month value, with a zero day, e.g. a credit card expiration date

2135

#

2136

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2137

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2138

# a year.

2139

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2140

# month and day.

2141

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2142

# if specifying a year by itself or a year and month where the day is not

2143

# significant.

2144

},

2145

"stringValue": "A String", # string

2146

"integerValue": "A String", # integer

2147

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2148

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2149

# types are google.type.Date and `google.protobuf.Timestamp`.

2150

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2151

# to allow the value "24:00:00" for scenarios like business closing time.

2152

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2153

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2154

# allow the value 60 if it allows leap-seconds.

2155

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2156

},

2157

"booleanValue": True or False, # boolean

2158

"floatValue": 3.14, # float

2159

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2160

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2161

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2162

"name": "A String", # Name describing the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2163

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2164

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2165

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2166

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2167

},

2168

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2169

},

2170

},

2171

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2172

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2173

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2174

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2175

"locationId": "A String", # The geographic location to store the deidentification template. Reserved

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2176

# for future extensions.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2177

}

2178

2179

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2186

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2187

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2188

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2189

"name": "A String", # Output only. The template name.

2190

#

2191

# The template will have one of the following formats:

2192

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

2193

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

2194

"description": "A String", # Short description (max 256 chars).

2195

"displayName": "A String", # Display name (max 256 chars).

2196

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

2197

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

2198

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2199

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

2200

# transformation everywhere.

2201

# apply various `PrimitiveTransformation`s to each finding, where the

2202

# transformation is applied to only values that were identified as a specific

2203

# info_type.

2204

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

2205

# for a given infoType.

2206

{ # A transformation to apply to text that is identified as a specific

2207

# info_type.

2208

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2209

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2210

# portion of the value.

2211

"partToExtract": "A String", # The part of the time to keep.

2212

},

2213

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2214

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2215

# to learn more.

2216

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2217

# If set, must also set cryptoKey. If set, shift will be consistent for the

2218

# given context.

2219

"name": "A String", # Name describing the field.

2220

},

2221

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2222

# range (inclusive ends). Negative means shift to earlier in time. Must not

2223

# be more than 365250 days (1000 years) each direction.

2224

#

2225

# For example, 3 means shift date to at most 3 days into the future.

2226

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2227

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2228

# results in the same shift for the same context and crypto_key. If

2229

# set, must also set context. Can only be applied to table items.

2230

# a key encryption key (KEK) stored by KMS).

2231

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2232

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2233

# unwrap the data crypto key.

2234

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2235

# leaking the key. Choose another type of key if possible.

2236

"key": "A String", # Required. A 128/192/256 bit key.

2237

},

2238

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2239

# It will be discarded after the request finishes.

2240

"name": "A String", # Required. Name of the key.

2241

# This is an arbitrary string used to differentiate different keys.

2242

# A unique key is generated per name: two separate `TransientCryptoKey`

2243

# protos share the same generated key if their names are the same.

2244

# When the data crypto key is generated, this name is not used in any way

2245

# (repeating the api call will result in a different key being generated).

2246

},

2247

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2248

# The wrapped key must be a 128/192/256 bit key.

2249

# Authorization requires the following IAM permissions when sending a request

2250

# to perform a crypto transformation using a kms-wrapped crypto key:

2251

# dlp.kms.encrypt

2252

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2253

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2258

},

2259

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2260

# Uses SHA-256.

2261

# The key size must be either 32 or 64 bytes.

2262

# Outputs a base64 encoded representation of the hashed output

2263

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2264

# Currently, only string and integer values can be hashed.

2265

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2266

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2267

# a key encryption key (KEK) stored by KMS).

2268

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2269

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2270

# unwrap the data crypto key.

2271

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2272

# leaking the key. Choose another type of key if possible.

2273

"key": "A String", # Required. A 128/192/256 bit key.

2274

},

2275

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2276

# It will be discarded after the request finishes.

2277

"name": "A String", # Required. Name of the key.

2278

# This is an arbitrary string used to differentiate different keys.

2279

# A unique key is generated per name: two separate `TransientCryptoKey`

2280

# protos share the same generated key if their names are the same.

2281

# When the data crypto key is generated, this name is not used in any way

2282

# (repeating the api call will result in a different key being generated).

2283

},

2284

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2285

# The wrapped key must be a 128/192/256 bit key.

2286

# Authorization requires the following IAM permissions when sending a request

2287

# to perform a crypto transformation using a kms-wrapped crypto key:

2288

# dlp.kms.encrypt

2289

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2290

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2295

# (FPE) with the FFX mode of operation; however when used in the

2296

# `ReidentifyContent` API method, it serves the opposite function by reversing

2297

# the surrogate back into the original identifier. The identifier must be

2298

# encoded as ASCII. For a given crypto key and context, the same identifier

2299

# will be replaced with the same surrogate. Identifiers must be at least two

2300

# characters long. In the case that the identifier is the empty string, it will

2301

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2302

# more.

2303

#

2304

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2305

# do not require preserving the input alphabet space and size, plus warrant

2306

# referential integrity.

2307

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2308

# This annotation will be applied to the surrogate by prefixing it with

2309

# the name of the custom infoType followed by the number of

2310

# characters comprising the surrogate. The following scheme defines the

2311

# format: info_type_name(surrogate_character_count):surrogate

2312

#

2313

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2314

# the surrogate is 'abc', the full replacement value

2315

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2316

#

2317

# This annotation identifies the surrogate when inspecting content using the

2318

# custom infoType

2319

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2320

# This facilitates reversal of the surrogate when it occurs in free text.

2321

#

2322

# In order for inspection to work properly, the name of this infoType must

2323

# not occur naturally anywhere in your data; otherwise, inspection may

2324

# find a surrogate that does not correspond to an actual identifier.

2325

# Therefore, choose your custom infoType name carefully after considering

2326

# what your data looks like. One way to select a name that has a high chance

2327

# of yielding reliable detection is to include one or more unicode characters

2328

# that are highly improbable to exist in your data.

2329

# For example, assuming your data is entered from a regular ASCII keyboard,

2330

# the symbol with the hex code point 29DD might be used like so:

2331

# ⧝MY_TOKEN_TYPE

2332

"name": "A String", # Name of the information type. Either a name of your choosing when

2333

# creating a CustomInfoType, or one of the names listed

2334

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2335

# a built-in type. InfoType names should conform to the pattern

2336

# `[a-zA-Z0-9_]{1,64}`.

2337

},

2338

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2339

# identifier in two different contexts won't be given the same surrogate. If

2340

# the context is not set, a default tweak will be used.

2341

#

2342

# If the context is set but:

2343

#

2344

# 1. there is no record present when transforming a given value or

2345

# 1. the field is not present when transforming a given value,

2346

#

2347

# a default tweak will be used.

2348

#

2349

# Note that case (1) is expected when an `InfoTypeTransformation` is

2350

# applied to both structured and non-structured `ContentItem`s.

2351

# Currently, the referenced field may be of value type integer or string.

2352

#

2353

# The tweak is constructed as a sequence of bytes in big endian byte order

2354

# such that:

2355

#

2356

# - a 64 bit integer is encoded followed by a single byte of value 1

2357

# - a string is encoded in UTF-8 format followed by a single byte of value 2

2358

"name": "A String", # Name describing the field.

2359

},

2360

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2361

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

2362

# a key encryption key (KEK) stored by KMS).

2363

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2364

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2365

# unwrap the data crypto key.

2366

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2367

# leaking the key. Choose another type of key if possible.

2368

"key": "A String", # Required. A 128/192/256 bit key.

2369

},

2370

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2371

# It will be discarded after the request finishes.

2372

"name": "A String", # Required. Name of the key.

2373

# This is an arbitrary string used to differentiate different keys.

2374

# A unique key is generated per name: two separate `TransientCryptoKey`

2375

# protos share the same generated key if their names are the same.

2376

# When the data crypto key is generated, this name is not used in any way

2377

# (repeating the api call will result in a different key being generated).

2378

},

2379

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2380

# The wrapped key must be a 128/192/256 bit key.

2381

# Authorization requires the following IAM permissions when sending a request

2382

# to perform a crypto transformation using a kms-wrapped crypto key:

2383

# dlp.kms.encrypt

2384

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2385

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2386

},

2387

},

2388

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

2389

# that the FFX mode natively supports. This happens before/after

2390

# encryption/decryption.

2391

# Each character listed must appear only once.

2392

# Number of characters must be in the range [2, 95].

2393

# This must be encoded as ASCII.

2394

# The order of characters does not matter.

2395

"commonAlphabet": "A String", # Common alphabets.

2396

},

2397

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

2398

# input. Outputs a base64 encoded representation of the encrypted output.

2399

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

2400

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

2401

# This annotation will be applied to the surrogate by prefixing it with

2402

# the name of the custom info type followed by the number of

2403

# characters comprising the surrogate. The following scheme defines the

2404

# format: {info type name}({surrogate character count}):{surrogate}

2405

#

2406

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

2407

# the surrogate is 'abc', the full replacement value

2408

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2409

#

2410

# This annotation identifies the surrogate when inspecting content using the

2411

# custom info type 'Surrogate'. This facilitates reversal of the

2412

# surrogate when it occurs in free text.

2413

#

2414

# Note: For record transformations where the entire cell in a table is being

2415

# transformed, surrogates are not mandatory. Surrogates are used to denote

2416

# the location of the token and are necessary for re-identification in free

2417

# form text.

2418

#

2419

# In order for inspection to work properly, the name of this info type must

2420

# not occur naturally anywhere in your data; otherwise, inspection may either

2421

#

2422

# - reverse a surrogate that does not correspond to an actual identifier

2423

# - be unable to parse the surrogate and result in an error

2424

#

2425

# Therefore, choose your custom info type name carefully after considering

2426

# what your data looks like. One way to select a name that has a high chance

2427

# of yielding reliable detection is to include one or more unicode characters

2428

# that are highly improbable to exist in your data.

2429

# For example, assuming your data is entered from a regular ASCII keyboard,

2430

# the symbol with the hex code point 29DD might be used like so:

2431

# ⧝MY_TOKEN_TYPE.

2432

"name": "A String", # Name of the information type. Either a name of your choosing when

2433

# creating a CustomInfoType, or one of the names listed

2434

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2435

# a built-in type. InfoType names should conform to the pattern

2436

# `[a-zA-Z0-9_]{1,64}`.

2437

},

2438

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

2439

# referential integrity such that the same identifier in two different

2440

# contexts will be given a distinct surrogate. The context is appended to

2441

# plaintext value being encrypted. On decryption the provided context is

2442

# validated against the value used during encryption. If a context was

2443

# provided during encryption, same context must be provided during decryption

2444

# as well.

2445

#

2446

# If the context is not set, plaintext would be used as is for encryption.

2447

# If the context is set but:

2448

#

2449

# 1. there is no record present when transforming a given value or

2450

# 2. the field is not present when transforming a given value,

2451

#

2452

# plaintext would be used as is for encryption.

2453

#

2454

# Note that case (1) is expected when an `InfoTypeTransformation` is

2455

# applied to both structured and non-structured `ContentItem`s.

2456

"name": "A String", # Name describing the field.

2457

},

2458

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

2459

# a key encryption key (KEK) stored by KMS).

2460

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2461

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2462

# unwrap the data crypto key.

2463

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2464

# leaking the key. Choose another type of key if possible.

2465

"key": "A String", # Required. A 128/192/256 bit key.

2466

},

2467

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2468

# It will be discarded after the request finishes.

2469

"name": "A String", # Required. Name of the key.

2470

# This is an arbitrary string used to differentiate different keys.

2471

# A unique key is generated per name: two separate `TransientCryptoKey`

2472

# protos share the same generated key if their names are the same.

2473

# When the data crypto key is generated, this name is not used in any way

2474

# (repeating the api call will result in a different key being generated).

2475

},

2476

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2477

# The wrapped key must be a 128/192/256 bit key.

2478

# Authorization requires the following IAM permissions when sending a request

2479

# to perform a crypto transformation using a kms-wrapped crypto key:

2480

# dlp.kms.encrypt

2481

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2482

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

2487

# replacement values are dynamically provided by the user for custom behavior,

2488

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

2489

# This can be used on

2490

# data of type: number, long, string, timestamp.

2491

# If the bound `Value` type differs from the type of data being transformed, we

2492

# will first attempt converting the type of the data to be transformed to match

2493

# the type of the bound before comparing.

2494

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2495

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2496

{ # Bucket is represented as a range, along with replacement values.

2497

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

2498

# the default behavior will be to hyphenate the min-max range.

2499

# Note that for the purposes of inspection or transformation, the number

2500

# of bytes considered to comprise a 'Value' is based on its representation

2501

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2502

# 123456789, the number of bytes would be counted as 9, even though an

2503

# int64 only holds up to 8 bytes of data.

2504

"timestampValue": "A String", # timestamp

2505

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2506

# and time zone are either specified elsewhere or are not significant. The date

2507

# is relative to the Proleptic Gregorian Calendar. This can represent:

2508

#

2509

# * A full date, with non-zero year, month and day values

2510

# * A month and day value, with a zero year, e.g. an anniversary

2511

# * A year on its own, with zero month and day values

2512

# * A year and month value, with a zero day, e.g. a credit card expiration date

2513

#

2514

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2515

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2516

# a year.

2517

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2518

# month and day.

2519

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2520

# if specifying a year by itself or a year and month where the day is not

2521

# significant.

2522

},

2523

"stringValue": "A String", # string

2524

"integerValue": "A String", # integer

2525

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2526

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2527

# types are google.type.Date and `google.protobuf.Timestamp`.

2528

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2529

# to allow the value "24:00:00" for scenarios like business closing time.

2530

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2531

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2532

# allow the value 60 if it allows leap-seconds.

2533

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2534

},

2535

"booleanValue": True or False, # boolean

2536

"floatValue": 3.14, # float

2537

"dayOfWeekValue": "A String", # day of week

2538

},

2539

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

2540

# used.

2541

# Note that for the purposes of inspection or transformation, the number

2542

# of bytes considered to comprise a 'Value' is based on its representation

2543

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2544

# 123456789, the number of bytes would be counted as 9, even though an

2545

# int64 only holds up to 8 bytes of data.

2546

"timestampValue": "A String", # timestamp

2547

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2548

# and time zone are either specified elsewhere or are not significant. The date

2549

# is relative to the Proleptic Gregorian Calendar. This can represent:

2550

#

2551

# * A full date, with non-zero year, month and day values

2552

# * A month and day value, with a zero year, e.g. an anniversary

2553

# * A year on its own, with zero month and day values

2554

# * A year and month value, with a zero day, e.g. a credit card expiration date

2555

#

2556

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2557

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2558

# a year.

2559

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2560

# month and day.

2561

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2562

# if specifying a year by itself or a year and month where the day is not

2563

# significant.

2564

},

2565

"stringValue": "A String", # string

2566

"integerValue": "A String", # integer

2567

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2568

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2569

# types are google.type.Date and `google.protobuf.Timestamp`.

2570

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2571

# to allow the value "24:00:00" for scenarios like business closing time.

2572

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2573

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2574

# allow the value 60 if it allows leap-seconds.

2575

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2576

},

2577

"booleanValue": True or False, # boolean

2578

"floatValue": 3.14, # float

2579

"dayOfWeekValue": "A String", # day of week

2580

},

2581

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

2582

# Note that for the purposes of inspection or transformation, the number

2583

# of bytes considered to comprise a 'Value' is based on its representation

2584

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2585

# 123456789, the number of bytes would be counted as 9, even though an

2586

# int64 only holds up to 8 bytes of data.

2587

"timestampValue": "A String", # timestamp

2588

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2589

# and time zone are either specified elsewhere or are not significant. The date

2590

# is relative to the Proleptic Gregorian Calendar. This can represent:

2591

#

2592

# * A full date, with non-zero year, month and day values

2593

# * A month and day value, with a zero year, e.g. an anniversary

2594

# * A year on its own, with zero month and day values

2595

# * A year and month value, with a zero day, e.g. a credit card expiration date

2596

#

2597

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2598

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2599

# a year.

2600

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2601

# month and day.

2602

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2603

# if specifying a year by itself or a year and month where the day is not

2604

# significant.

2605

},

2606

"stringValue": "A String", # string

2607

"integerValue": "A String", # integer

2608

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2609

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2610

# types are google.type.Date and `google.protobuf.Timestamp`.

2611

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2612

# to allow the value "24:00:00" for scenarios like business closing time.

2613

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2614

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2615

# allow the value 60 if it allows leap-seconds.

2616

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2617

},

2618

"booleanValue": True or False, # boolean

2619

"floatValue": 3.14, # float

2620

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

2626

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

2627

# output would be 'My phone number is '.

2628

},

2629

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2630

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

2631

# Note that for the purposes of inspection or transformation, the number

2632

# of bytes considered to comprise a 'Value' is based on its representation

2633

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2634

# 123456789, the number of bytes would be counted as 9, even though an

2635

# int64 only holds up to 8 bytes of data.

2636

"timestampValue": "A String", # timestamp

2637

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2638

# and time zone are either specified elsewhere or are not significant. The date

2639

# is relative to the Proleptic Gregorian Calendar. This can represent:

2640

#

2641

# * A full date, with non-zero year, month and day values

2642

# * A month and day value, with a zero year, e.g. an anniversary

2643

# * A year on its own, with zero month and day values

2644

# * A year and month value, with a zero day, e.g. a credit card expiration date

2645

#

2646

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2647

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2648

# a year.

2649

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2650

# month and day.

2651

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2652

# if specifying a year by itself or a year and month where the day is not

2653

# significant.

2654

},

2655

"stringValue": "A String", # string

2656

"integerValue": "A String", # integer

2657

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2658

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2659

# types are google.type.Date and `google.protobuf.Timestamp`.

2660

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2661

# to allow the value "24:00:00" for scenarios like business closing time.

2662

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2663

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2664

# allow the value 60 if it allows leap-seconds.

2665

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2666

},

2667

"booleanValue": True or False, # boolean

2668

"floatValue": 3.14, # float

2669

"dayOfWeekValue": "A String", # day of week

2670

},

2671

},

2672

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

2673

# Bucketing transformation can provide all of this functionality,

2674

# but requires more configuration. This message is provided as a convenience to

2675

# the user for simple bucketing strategies.

2676

#

2677

# The transformed value will be a hyphenated string of

2678

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

2679

# all values that are within this bucket will be replaced with "10-20".

2680

#

2681

# This can be used on data of type: double, long.

2682

#

2683

# If the bound Value type differs from the type of data

2684

# being transformed, we will first attempt converting the type of the data to

2685

# be transformed to match the type of the bound before comparing.

2686

#

2687

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2688

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

2689

# grouped together into a single bucket; for example if `upper_bound` = 89,

2690

# then all values greater than 89 are replaced with the value "89+".

2691

# Note that for the purposes of inspection or transformation, the number

2692

# of bytes considered to comprise a 'Value' is based on its representation

2693

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2694

# 123456789, the number of bytes would be counted as 9, even though an

2695

# int64 only holds up to 8 bytes of data.

2696

"timestampValue": "A String", # timestamp

2697

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2698

# and time zone are either specified elsewhere or are not significant. The date

2699

# is relative to the Proleptic Gregorian Calendar. This can represent:

2700

#

2701

# * A full date, with non-zero year, month and day values

2702

# * A month and day value, with a zero year, e.g. an anniversary

2703

# * A year on its own, with zero month and day values

2704

# * A year and month value, with a zero day, e.g. a credit card expiration date

2705

#

2706

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2707

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2708

# a year.

2709

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2710

# month and day.

2711

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2712

# if specifying a year by itself or a year and month where the day is not

2713

# significant.

2714

},

2715

"stringValue": "A String", # string

2716

"integerValue": "A String", # integer

2717

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2718

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2719

# types are google.type.Date and `google.protobuf.Timestamp`.

2720

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2721

# to allow the value "24:00:00" for scenarios like business closing time.

2722

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2723

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2724

# allow the value 60 if it allows leap-seconds.

2725

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2726

},

2727

"booleanValue": True or False, # boolean

2728

"floatValue": 3.14, # float

2729

"dayOfWeekValue": "A String", # day of week

2730

},

2731

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

2732

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

2733

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

2734

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2735

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

2736

# grouped together into a single bucket; for example if `lower_bound` = 10,

2737

# then all values less than 10 are replaced with the value "-10".

2738

# Note that for the purposes of inspection or transformation, the number

2739

# of bytes considered to comprise a 'Value' is based on its representation

2740

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2741

# 123456789, the number of bytes would be counted as 9, even though an

2742

# int64 only holds up to 8 bytes of data.

2743

"timestampValue": "A String", # timestamp

2744

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2745

# and time zone are either specified elsewhere or are not significant. The date

2746

# is relative to the Proleptic Gregorian Calendar. This can represent:

2747

#

2748

# * A full date, with non-zero year, month and day values

2749

# * A month and day value, with a zero year, e.g. an anniversary

2750

# * A year on its own, with zero month and day values

2751

# * A year and month value, with a zero day, e.g. a credit card expiration date

2752

#

2753

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2754

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2755

# a year.

2756

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2757

# month and day.

2758

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2759

# if specifying a year by itself or a year and month where the day is not

2760

# significant.

2761

},

2762

"stringValue": "A String", # string

2763

"integerValue": "A String", # integer

2764

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2765

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2766

# types are google.type.Date and `google.protobuf.Timestamp`.

2767

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2768

# to allow the value "24:00:00" for scenarios like business closing time.

2769

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2770

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2771

# allow the value 60 if it allows leap-seconds.

2772

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2773

},

2774

"booleanValue": True or False, # boolean

2775

"floatValue": 3.14, # float

2776

"dayOfWeekValue": "A String", # day of week

2777

},

2778

},

2779

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

2780

# fixed character. Masking can start from the beginning or end of the string.

2781

# This can be used on data of any type (numbers, longs, and so on) and when

2782

# de-identifying structured data we'll attempt to preserve the original data's

2783

# type. (This allows you to take a long like 123 and modify it to a string like

2784

# **3.

2785

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

2786

# characters. For example, if the input string is `555-555-5555` and you

2787

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

2788

# returns `***-**5-5555`.

2789

{ # Characters to skip when doing deidentification of a value. These will be left

2790

# alone and skipped.

2791

"charactersToSkip": "A String", # Characters to not transform when masking.

2792

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

2797

# masked. Skipped characters do not count towards this tally.

2798

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

2799

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

2800

# code or credit card number. This string must have a length of 1. If not

2801

# supplied, this value defaults to `*` for strings, and `0` for digits.

2802

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

2803

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

2804

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

2805

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2806

# is `true`, then the string `12345` is masked as `12***`.

2807

},

2808

},

2809

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

2810

# this transformation to apply to all findings that correspond to

2811

# infoTypes that were requested in `InspectConfig`.

2812

{ # Type of information detected by the API.

2813

"name": "A String", # Name of the information type. Either a name of your choosing when

2814

# creating a CustomInfoType, or one of the names listed

2815

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2816

# a built-in type. InfoType names should conform to the pattern

2817

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2823

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

2824

# mode is `TransformationErrorHandling.ThrowError`.

2825

# transformation error occurs when the requested transformation is incompatible

2826

# with the data. For example, trying to de-identify an IP address using a

2827

# `DateShift` transformation would result in a transformation error, since date

2828

# info cannot be extracted from an IP address.

2829

# Information about any incompatible transformations, and how they were

2830

# handled, is returned in the response as part of the

2831

# `TransformationOverviews`.

2832

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

2833

},

2834

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

2835

# cause an error. For example, if a `DateShift` transformation were applied

2836

# an an IP address, this mode would leave the IP address unchanged in the

2837

# response.

2838

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2839

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2840

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2841

# specific locations within structured datasets, such as transforming

2842

# a column within a table.

2843

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2844

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2845

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2846

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2847

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2848

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2849

},

2850

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2851

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2852

# transform content that matches an `InfoType`.

2853

# apply various `PrimitiveTransformation`s to each finding, where the

2854

# transformation is applied to only values that were identified as a specific

2855

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2856

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

2857

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2858

{ # A transformation to apply to text that is identified as a specific

2859

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2860

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2861

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2862

# portion of the value.

2863

"partToExtract": "A String", # The part of the time to keep.

2864

},

2865

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2866

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2867

# to learn more.

2868

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2869

# If set, must also set cryptoKey. If set, shift will be consistent for the

2870

# given context.

2871

"name": "A String", # Name describing the field.

2872

},

2873

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2874

# range (inclusive ends). Negative means shift to earlier in time. Must not

2875

# be more than 365250 days (1000 years) each direction.

2876

#

2877

# For example, 3 means shift date to at most 3 days into the future.

2878

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2879

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2880

# results in the same shift for the same context and crypto_key. If

2881

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2882

# a key encryption key (KEK) stored by KMS).

2883

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2884

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2885

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2886

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2887

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2888

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2889

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2890

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2891

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2892

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2893

# This is an arbitrary string used to differentiate different keys.

2894

# A unique key is generated per name: two separate `TransientCryptoKey`

2895

# protos share the same generated key if their names are the same.

2896

# When the data crypto key is generated, this name is not used in any way

2897

# (repeating the api call will result in a different key being generated).

2898

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2899

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2900

# The wrapped key must be a 128/192/256 bit key.

2901

# Authorization requires the following IAM permissions when sending a request

2902

# to perform a crypto transformation using a kms-wrapped crypto key:

2903

# dlp.kms.encrypt

2904

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2905

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2906

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2907

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2908

},

2909

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2910

},

2911

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2912

# Uses SHA-256.

2913

# The key size must be either 32 or 64 bytes.

2914

# Outputs a base64 encoded representation of the hashed output

2915

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2916

# Currently, only string and integer values can be hashed.

2917

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2918

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2919

# a key encryption key (KEK) stored by KMS).

2920

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2921

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2922

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2923

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2924

# leaking the key. Choose another type of key if possible.

2925

"key": "A String", # Required. A 128/192/256 bit key.

2926

},

2927

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2928

# It will be discarded after the request finishes.

2929

"name": "A String", # Required. Name of the key.

2930

# This is an arbitrary string used to differentiate different keys.

2931

# A unique key is generated per name: two separate `TransientCryptoKey`

2932

# protos share the same generated key if their names are the same.

2933

# When the data crypto key is generated, this name is not used in any way

2934

# (repeating the api call will result in a different key being generated).

2935

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

2936

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2937

# The wrapped key must be a 128/192/256 bit key.

2938

# Authorization requires the following IAM permissions when sending a request

2939

# to perform a crypto transformation using a kms-wrapped crypto key:

2940

# dlp.kms.encrypt

2941

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2942

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2943

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2944

},

2945

},

2946

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2947

# (FPE) with the FFX mode of operation; however when used in the

2948

# `ReidentifyContent` API method, it serves the opposite function by reversing

2949

# the surrogate back into the original identifier. The identifier must be

2950

# encoded as ASCII. For a given crypto key and context, the same identifier

2951

# will be replaced with the same surrogate. Identifiers must be at least two

2952

# characters long. In the case that the identifier is the empty string, it will

2953

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2954

# more.

2955

#

2956

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2957

# do not require preserving the input alphabet space and size, plus warrant

2958

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2959

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2960

# This annotation will be applied to the surrogate by prefixing it with

2961

# the name of the custom infoType followed by the number of

2962

# characters comprising the surrogate. The following scheme defines the

2963

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2964

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2965

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2966

# the surrogate is 'abc', the full replacement value

2967

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2968

#

2969

# This annotation identifies the surrogate when inspecting content using the

2970

# custom infoType

2971

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2972

# This facilitates reversal of the surrogate when it occurs in free text.

2973

#

2974

# In order for inspection to work properly, the name of this infoType must

2975

# not occur naturally anywhere in your data; otherwise, inspection may

2976

# find a surrogate that does not correspond to an actual identifier.

2977

# Therefore, choose your custom infoType name carefully after considering

2978

# what your data looks like. One way to select a name that has a high chance

2979

# of yielding reliable detection is to include one or more unicode characters

2980

# that are highly improbable to exist in your data.

2981

# For example, assuming your data is entered from a regular ASCII keyboard,

2982

# the symbol with the hex code point 29DD might be used like so:

2983

# ⧝MY_TOKEN_TYPE

2984

"name": "A String", # Name of the information type. Either a name of your choosing when

2985

# creating a CustomInfoType, or one of the names listed

2986

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2987

# a built-in type. InfoType names should conform to the pattern

2988

# `[a-zA-Z0-9_]{1,64}`.

2989

},

2990

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2991

# identifier in two different contexts won't be given the same surrogate. If

2992

# the context is not set, a default tweak will be used.

2993

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2994

# If the context is set but:

2995

#

2996

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2997

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

2998

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

2999

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3000

#

3001

# Note that case (1) is expected when an `InfoTypeTransformation` is

3002

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3003

# Currently, the referenced field may be of value type integer or string.

3004

#

3005

# The tweak is constructed as a sequence of bytes in big endian byte order

3006

# such that:

3007

#

3008

# - a 64 bit integer is encoded followed by a single byte of value 1

3009

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3010

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3011

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3012

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3013

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3014

# a key encryption key (KEK) stored by KMS).

3015

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3016

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3017

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3018

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3019

# leaking the key. Choose another type of key if possible.

3020

"key": "A String", # Required. A 128/192/256 bit key.

3021

},

3022

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3023

# It will be discarded after the request finishes.

3024

"name": "A String", # Required. Name of the key.

3025

# This is an arbitrary string used to differentiate different keys.

3026

# A unique key is generated per name: two separate `TransientCryptoKey`

3027

# protos share the same generated key if their names are the same.

3028

# When the data crypto key is generated, this name is not used in any way

3029

# (repeating the api call will result in a different key being generated).

3030

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3031

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3032

# The wrapped key must be a 128/192/256 bit key.

3033

# Authorization requires the following IAM permissions when sending a request

3034

# to perform a crypto transformation using a kms-wrapped crypto key:

3035

# dlp.kms.encrypt

3036

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3037

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3038

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3039

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3040

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3041

# that the FFX mode natively supports. This happens before/after

3042

# encryption/decryption.

3043

# Each character listed must appear only once.

3044

# Number of characters must be in the range [2, 95].

3045

# This must be encoded as ASCII.

3046

# The order of characters does not matter.

3047

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3048

},

3049

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3050

# input. Outputs a base64 encoded representation of the encrypted output.

3051

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3052

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3053

# This annotation will be applied to the surrogate by prefixing it with

3054

# the name of the custom info type followed by the number of

3055

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3056

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3057

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3058

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3059

# the surrogate is 'abc', the full replacement value

3060

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3061

#

3062

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3063

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3064

# surrogate when it occurs in free text.

3065

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3066

# Note: For record transformations where the entire cell in a table is being

3067

# transformed, surrogates are not mandatory. Surrogates are used to denote

3068

# the location of the token and are necessary for re-identification in free

3069

# form text.

3070

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3071

# In order for inspection to work properly, the name of this info type must

3072

# not occur naturally anywhere in your data; otherwise, inspection may either

3073

#

3074

# - reverse a surrogate that does not correspond to an actual identifier

3075

# - be unable to parse the surrogate and result in an error

3076

#

3077

# Therefore, choose your custom info type name carefully after considering

3078

# what your data looks like. One way to select a name that has a high chance

3079

# of yielding reliable detection is to include one or more unicode characters

3080

# that are highly improbable to exist in your data.

3081

# For example, assuming your data is entered from a regular ASCII keyboard,

3082

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3083

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3084

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3085

# creating a CustomInfoType, or one of the names listed

3086

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3087

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3088

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3089

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3090

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3091

# referential integrity such that the same identifier in two different

3092

# contexts will be given a distinct surrogate. The context is appended to

3093

# plaintext value being encrypted. On decryption the provided context is

3094

# validated against the value used during encryption. If a context was

3095

# provided during encryption, same context must be provided during decryption

3096

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3097

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3098

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3099

# If the context is set but:

3100

#

3101

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3102

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3103

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3104

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3105

#

3106

# Note that case (1) is expected when an `InfoTypeTransformation` is

3107

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3108

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3109

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3110

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3111

# a key encryption key (KEK) stored by KMS).

3112

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3113

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3114

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3115

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3116

# leaking the key. Choose another type of key if possible.

3117

"key": "A String", # Required. A 128/192/256 bit key.

3118

},

3119

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3120

# It will be discarded after the request finishes.

3121

"name": "A String", # Required. Name of the key.

3122

# This is an arbitrary string used to differentiate different keys.

3123

# A unique key is generated per name: two separate `TransientCryptoKey`

3124

# protos share the same generated key if their names are the same.

3125

# When the data crypto key is generated, this name is not used in any way

3126

# (repeating the api call will result in a different key being generated).

3127

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3128

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3129

# The wrapped key must be a 128/192/256 bit key.

3130

# Authorization requires the following IAM permissions when sending a request

3131

# to perform a crypto transformation using a kms-wrapped crypto key:

3132

# dlp.kms.encrypt

3133

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3134

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3135

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3136

},

3137

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3138

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3139

# replacement values are dynamically provided by the user for custom behavior,

3140

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3141

# This can be used on

3142

# data of type: number, long, string, timestamp.

3143

# If the bound `Value` type differs from the type of data being transformed, we

3144

# will first attempt converting the type of the data to be transformed to match

3145

# the type of the bound before comparing.

3146

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3147

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3148

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3149

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3150

# the default behavior will be to hyphenate the min-max range.

3151

# Note that for the purposes of inspection or transformation, the number

3152

# of bytes considered to comprise a 'Value' is based on its representation

3153

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3154

# 123456789, the number of bytes would be counted as 9, even though an

3155

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3156

"timestampValue": "A String", # timestamp

3157

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3158

# and time zone are either specified elsewhere or are not significant. The date

3159

# is relative to the Proleptic Gregorian Calendar. This can represent:

3160

#

3161

# * A full date, with non-zero year, month and day values

3162

# * A month and day value, with a zero year, e.g. an anniversary

3163

# * A year on its own, with zero month and day values

3164

# * A year and month value, with a zero day, e.g. a credit card expiration date

3165

#

3166

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3167

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3168

# a year.

3169

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3170

# month and day.

3171

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3172

# if specifying a year by itself or a year and month where the day is not

3173

# significant.

3174

},

3175

"stringValue": "A String", # string

3176

"integerValue": "A String", # integer

3177

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3178

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3179

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3180

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3181

# to allow the value "24:00:00" for scenarios like business closing time.

3182

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3183

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3184

# allow the value 60 if it allows leap-seconds.

3185

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3186

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3187

"booleanValue": True or False, # boolean

3188

"floatValue": 3.14, # float

3189

"dayOfWeekValue": "A String", # day of week

3190

},

3191

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3192

# used.

3193

# Note that for the purposes of inspection or transformation, the number

3194

# of bytes considered to comprise a 'Value' is based on its representation

3195

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3196

# 123456789, the number of bytes would be counted as 9, even though an

3197

# int64 only holds up to 8 bytes of data.

3198

"timestampValue": "A String", # timestamp

3199

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3200

# and time zone are either specified elsewhere or are not significant. The date

3201

# is relative to the Proleptic Gregorian Calendar. This can represent:

3202

#

3203

# * A full date, with non-zero year, month and day values

3204

# * A month and day value, with a zero year, e.g. an anniversary

3205

# * A year on its own, with zero month and day values

3206

# * A year and month value, with a zero day, e.g. a credit card expiration date

3207

#

3208

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3209

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3210

# a year.

3211

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3212

# month and day.

3213

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3214

# if specifying a year by itself or a year and month where the day is not

3215

# significant.

3216

},

3217

"stringValue": "A String", # string

3218

"integerValue": "A String", # integer

3219

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3220

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3221

# types are google.type.Date and `google.protobuf.Timestamp`.

3222

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3223

# to allow the value "24:00:00" for scenarios like business closing time.

3224

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3225

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3226

# allow the value 60 if it allows leap-seconds.

3227

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3228

},

3229

"booleanValue": True or False, # boolean

3230

"floatValue": 3.14, # float

3231

"dayOfWeekValue": "A String", # day of week

3232

},

3233

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3234

# Note that for the purposes of inspection or transformation, the number

3235

# of bytes considered to comprise a 'Value' is based on its representation

3236

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3237

# 123456789, the number of bytes would be counted as 9, even though an

3238

# int64 only holds up to 8 bytes of data.

3239

"timestampValue": "A String", # timestamp

3240

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3241

# and time zone are either specified elsewhere or are not significant. The date

3242

# is relative to the Proleptic Gregorian Calendar. This can represent:

3243

#

3244

# * A full date, with non-zero year, month and day values

3245

# * A month and day value, with a zero year, e.g. an anniversary

3246

# * A year on its own, with zero month and day values

3247

# * A year and month value, with a zero day, e.g. a credit card expiration date

3248

#

3249

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3250

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3251

# a year.

3252

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3253

# month and day.

3254

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3255

# if specifying a year by itself or a year and month where the day is not

3256

# significant.

3257

},

3258

"stringValue": "A String", # string

3259

"integerValue": "A String", # integer

3260

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3261

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3262

# types are google.type.Date and `google.protobuf.Timestamp`.

3263

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3264

# to allow the value "24:00:00" for scenarios like business closing time.

3265

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3266

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3267

# allow the value 60 if it allows leap-seconds.

3268

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3269

},

3270

"booleanValue": True or False, # boolean

3271

"floatValue": 3.14, # float

3272

"dayOfWeekValue": "A String", # day of week

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3277

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3278

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3279

# output would be 'My phone number is '.

3280

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3281

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3282

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3283

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3284

# of bytes considered to comprise a 'Value' is based on its representation

3285

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3286

# 123456789, the number of bytes would be counted as 9, even though an

3287

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3288

"timestampValue": "A String", # timestamp

3289

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3290

# and time zone are either specified elsewhere or are not significant. The date

3291

# is relative to the Proleptic Gregorian Calendar. This can represent:

3292

#

3293

# * A full date, with non-zero year, month and day values

3294

# * A month and day value, with a zero year, e.g. an anniversary

3295

# * A year on its own, with zero month and day values

3296

# * A year and month value, with a zero day, e.g. a credit card expiration date

3297

#

3298

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3299

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3300

# a year.

3301

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

3302

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3303

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3304

# if specifying a year by itself or a year and month where the day is not

3305

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3306

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3307

"stringValue": "A String", # string

3308

"integerValue": "A String", # integer

3309

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3310

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3311

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3312

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3313

# to allow the value "24:00:00" for scenarios like business closing time.

3314

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3315

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3316

# allow the value 60 if it allows leap-seconds.

3317

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3318

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3319

"booleanValue": True or False, # boolean

3320

"floatValue": 3.14, # float

3321

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3322

},

3323

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3324

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3325

# Bucketing transformation can provide all of this functionality,

3326

# but requires more configuration. This message is provided as a convenience to

3327

# the user for simple bucketing strategies.

3328

#

3329

# The transformed value will be a hyphenated string of

3330

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3331

# all values that are within this bucket will be replaced with "10-20".

3332

#

3333

# This can be used on data of type: double, long.

3334

#

3335

# If the bound Value type differs from the type of data

3336

# being transformed, we will first attempt converting the type of the data to

3337

# be transformed to match the type of the bound before comparing.

3338

#

3339

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3340

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3341

# grouped together into a single bucket; for example if `upper_bound` = 89,

3342

# then all values greater than 89 are replaced with the value "89+".

3343

# Note that for the purposes of inspection or transformation, the number

3344

# of bytes considered to comprise a 'Value' is based on its representation

3345

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3346

# 123456789, the number of bytes would be counted as 9, even though an

3347

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3348

"timestampValue": "A String", # timestamp

3349

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3350

# and time zone are either specified elsewhere or are not significant. The date

3351

# is relative to the Proleptic Gregorian Calendar. This can represent:

3352

#

3353

# * A full date, with non-zero year, month and day values

3354

# * A month and day value, with a zero year, e.g. an anniversary

3355

# * A year on its own, with zero month and day values

3356

# * A year and month value, with a zero day, e.g. a credit card expiration date

3357

#

3358

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3359

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3360

# a year.

3361

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3362

# month and day.

3363

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3364

# if specifying a year by itself or a year and month where the day is not

3365

# significant.

3366

},

3367

"stringValue": "A String", # string

3368

"integerValue": "A String", # integer

3369

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3370

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3371

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3372

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3373

# to allow the value "24:00:00" for scenarios like business closing time.

3374

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3375

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3376

# allow the value 60 if it allows leap-seconds.

3377

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3378

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3379

"booleanValue": True or False, # boolean

3380

"floatValue": 3.14, # float

3381

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3382

},

3383

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

3384

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

3385

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

3386

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3387

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

3388

# grouped together into a single bucket; for example if `lower_bound` = 10,

3389

# then all values less than 10 are replaced with the value "-10".

3390

# Note that for the purposes of inspection or transformation, the number

3391

# of bytes considered to comprise a 'Value' is based on its representation

3392

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3393

# 123456789, the number of bytes would be counted as 9, even though an

3394

# int64 only holds up to 8 bytes of data.

3395

"timestampValue": "A String", # timestamp

3396

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3397

# and time zone are either specified elsewhere or are not significant. The date

3398

# is relative to the Proleptic Gregorian Calendar. This can represent:

3399

#

3400

# * A full date, with non-zero year, month and day values

3401

# * A month and day value, with a zero year, e.g. an anniversary

3402

# * A year on its own, with zero month and day values

3403

# * A year and month value, with a zero day, e.g. a credit card expiration date

3404

#

3405

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3406

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3407

# a year.

3408

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3409

# month and day.

3410

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3411

# if specifying a year by itself or a year and month where the day is not

3412

# significant.

3413

},

3414

"stringValue": "A String", # string

3415

"integerValue": "A String", # integer

3416

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3417

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3418

# types are google.type.Date and `google.protobuf.Timestamp`.

3419

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3420

# to allow the value "24:00:00" for scenarios like business closing time.

3421

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3422

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3423

# allow the value 60 if it allows leap-seconds.

3424

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3425

},

3426

"booleanValue": True or False, # boolean

3427

"floatValue": 3.14, # float

3428

"dayOfWeekValue": "A String", # day of week

3429

},

3430

},

3431

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

3432

# fixed character. Masking can start from the beginning or end of the string.

3433

# This can be used on data of any type (numbers, longs, and so on) and when

3434

# de-identifying structured data we'll attempt to preserve the original data's

3435

# type. (This allows you to take a long like 123 and modify it to a string like

3436

# **3.

3437

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

3438

# characters. For example, if the input string is `555-555-5555` and you

3439

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

3440

# returns `***-**5-5555`.

3441

{ # Characters to skip when doing deidentification of a value. These will be left

3442

# alone and skipped.

3443

"charactersToSkip": "A String", # Characters to not transform when masking.

3444

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

3449

# masked. Skipped characters do not count towards this tally.

3450

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

3451

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

3452

# code or credit card number. This string must have a length of 1. If not

3453

# supplied, this value defaults to `*` for strings, and `0` for digits.

3454

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

3455

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

3456

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

3457

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

3458

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3459

},

3460

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3461

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

3462

# this transformation to apply to all findings that correspond to

3463

# infoTypes that were requested in `InspectConfig`.

3464

{ # Type of information detected by the API.

3465

"name": "A String", # Name of the information type. Either a name of your choosing when

3466

# creating a CustomInfoType, or one of the names listed

3467

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3468

# a built-in type. InfoType names should conform to the pattern

3469

# `[a-zA-Z0-9_]{1,64}`.

3470

},

3471

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

3476

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

3477

# portion of the value.

3478

"partToExtract": "A String", # The part of the time to keep.

3479

},

3480

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

3481

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

3482

# to learn more.

3483

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

3484

# If set, must also set cryptoKey. If set, shift will be consistent for the

3485

# given context.

3486

"name": "A String", # Name describing the field.

3487

},

3488

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

3489

# range (inclusive ends). Negative means shift to earlier in time. Must not

3490

# be more than 365250 days (1000 years) each direction.

3491

#

3492

# For example, 3 means shift date to at most 3 days into the future.

3493

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3494

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

3495

# results in the same shift for the same context and crypto_key. If

3496

# set, must also set context. Can only be applied to table items.

3497

# a key encryption key (KEK) stored by KMS).

3498

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3499

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3500

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3501

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3502

# leaking the key. Choose another type of key if possible.

3503

"key": "A String", # Required. A 128/192/256 bit key.

3504

},

3505

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3506

# It will be discarded after the request finishes.

3507

"name": "A String", # Required. Name of the key.

3508

# This is an arbitrary string used to differentiate different keys.

3509

# A unique key is generated per name: two separate `TransientCryptoKey`

3510

# protos share the same generated key if their names are the same.

3511

# When the data crypto key is generated, this name is not used in any way

3512

# (repeating the api call will result in a different key being generated).

3513

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3514

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3515

# The wrapped key must be a 128/192/256 bit key.

3516

# Authorization requires the following IAM permissions when sending a request

3517

# to perform a crypto transformation using a kms-wrapped crypto key:

3518

# dlp.kms.encrypt

3519

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3520

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3521

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3522

},

3523

},

3524

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3525

},

3526

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

3527

# Uses SHA-256.

3528

# The key size must be either 32 or 64 bytes.

3529

# Outputs a base64 encoded representation of the hashed output

3530

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

3531

# Currently, only string and integer values can be hashed.

3532

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

3533

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

3534

# a key encryption key (KEK) stored by KMS).

3535

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3536

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3537

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3538

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3539

# leaking the key. Choose another type of key if possible.

3540

"key": "A String", # Required. A 128/192/256 bit key.

3541

},

3542

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3543

# It will be discarded after the request finishes.

3544

"name": "A String", # Required. Name of the key.

3545

# This is an arbitrary string used to differentiate different keys.

3546

# A unique key is generated per name: two separate `TransientCryptoKey`

3547

# protos share the same generated key if their names are the same.

3548

# When the data crypto key is generated, this name is not used in any way

3549

# (repeating the api call will result in a different key being generated).

3550

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3551

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3552

# The wrapped key must be a 128/192/256 bit key.

3553

# Authorization requires the following IAM permissions when sending a request

3554

# to perform a crypto transformation using a kms-wrapped crypto key:

3555

# dlp.kms.encrypt

3556

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3557

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3558

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3559

},

3560

},

3561

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

3562

# (FPE) with the FFX mode of operation; however when used in the

3563

# `ReidentifyContent` API method, it serves the opposite function by reversing

3564

# the surrogate back into the original identifier. The identifier must be

3565

# encoded as ASCII. For a given crypto key and context, the same identifier

3566

# will be replaced with the same surrogate. Identifiers must be at least two

3567

# characters long. In the case that the identifier is the empty string, it will

3568

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

3569

# more.

3570

#

3571

# Note: We recommend using CryptoDeterministicConfig for all use cases which

3572

# do not require preserving the input alphabet space and size, plus warrant

3573

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3574

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

3575

# This annotation will be applied to the surrogate by prefixing it with

3576

# the name of the custom infoType followed by the number of

3577

# characters comprising the surrogate. The following scheme defines the

3578

# format: info_type_name(surrogate_character_count):surrogate

3579

#

3580

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

3581

# the surrogate is 'abc', the full replacement value

3582

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3583

#

3584

# This annotation identifies the surrogate when inspecting content using the

3585

# custom infoType

3586

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

3587

# This facilitates reversal of the surrogate when it occurs in free text.

3588

#

3589

# In order for inspection to work properly, the name of this infoType must

3590

# not occur naturally anywhere in your data; otherwise, inspection may

3591

# find a surrogate that does not correspond to an actual identifier.

3592

# Therefore, choose your custom infoType name carefully after considering

3593

# what your data looks like. One way to select a name that has a high chance

3594

# of yielding reliable detection is to include one or more unicode characters

3595

# that are highly improbable to exist in your data.

3596

# For example, assuming your data is entered from a regular ASCII keyboard,

3597

# the symbol with the hex code point 29DD might be used like so:

3598

# ⧝MY_TOKEN_TYPE

3599

"name": "A String", # Name of the information type. Either a name of your choosing when

3600

# creating a CustomInfoType, or one of the names listed

3601

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3602

# a built-in type. InfoType names should conform to the pattern

3603

# `[a-zA-Z0-9_]{1,64}`.

3604

},

3605

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

3606

# identifier in two different contexts won't be given the same surrogate. If

3607

# the context is not set, a default tweak will be used.

3608

#

3609

# If the context is set but:

3610

#

3611

# 1. there is no record present when transforming a given value or

3612

# 1. the field is not present when transforming a given value,

3613

#

3614

# a default tweak will be used.

3615

#

3616

# Note that case (1) is expected when an `InfoTypeTransformation` is

3617

# applied to both structured and non-structured `ContentItem`s.

3618

# Currently, the referenced field may be of value type integer or string.

3619

#

3620

# The tweak is constructed as a sequence of bytes in big endian byte order

3621

# such that:

3622

#

3623

# - a 64 bit integer is encoded followed by a single byte of value 1

3624

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3625

"name": "A String", # Name describing the field.

3626

},

3627

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3628

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3629

# a key encryption key (KEK) stored by KMS).

3630

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3631

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3632

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3633

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3634

# leaking the key. Choose another type of key if possible.

3635

"key": "A String", # Required. A 128/192/256 bit key.

3636

},

3637

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3638

# It will be discarded after the request finishes.

3639

"name": "A String", # Required. Name of the key.

3640

# This is an arbitrary string used to differentiate different keys.

3641

# A unique key is generated per name: two separate `TransientCryptoKey`

3642

# protos share the same generated key if their names are the same.

3643

# When the data crypto key is generated, this name is not used in any way

3644

# (repeating the api call will result in a different key being generated).

3645

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3646

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3647

# The wrapped key must be a 128/192/256 bit key.

3648

# Authorization requires the following IAM permissions when sending a request

3649

# to perform a crypto transformation using a kms-wrapped crypto key:

3650

# dlp.kms.encrypt

3651

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3652

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3653

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3654

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3655

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3656

# that the FFX mode natively supports. This happens before/after

3657

# encryption/decryption.

3658

# Each character listed must appear only once.

3659

# Number of characters must be in the range [2, 95].

3660

# This must be encoded as ASCII.

3661

# The order of characters does not matter.

3662

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3663

},

3664

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3665

# input. Outputs a base64 encoded representation of the encrypted output.

3666

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3667

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

3668

# This annotation will be applied to the surrogate by prefixing it with

3669

# the name of the custom info type followed by the number of

3670

# characters comprising the surrogate. The following scheme defines the

3671

# format: {info type name}({surrogate character count}):{surrogate}

3672

#

3673

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3674

# the surrogate is 'abc', the full replacement value

3675

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3676

#

3677

# This annotation identifies the surrogate when inspecting content using the

3678

# custom info type 'Surrogate'. This facilitates reversal of the

3679

# surrogate when it occurs in free text.

3680

#

3681

# Note: For record transformations where the entire cell in a table is being

3682

# transformed, surrogates are not mandatory. Surrogates are used to denote

3683

# the location of the token and are necessary for re-identification in free

3684

# form text.

3685

#

3686

# In order for inspection to work properly, the name of this info type must

3687

# not occur naturally anywhere in your data; otherwise, inspection may either

3688

#

3689

# - reverse a surrogate that does not correspond to an actual identifier

3690

# - be unable to parse the surrogate and result in an error

3691

#

3692

# Therefore, choose your custom info type name carefully after considering

3693

# what your data looks like. One way to select a name that has a high chance

3694

# of yielding reliable detection is to include one or more unicode characters

3695

# that are highly improbable to exist in your data.

3696

# For example, assuming your data is entered from a regular ASCII keyboard,

3697

# the symbol with the hex code point 29DD might be used like so:

3698

# ⧝MY_TOKEN_TYPE.

3699

"name": "A String", # Name of the information type. Either a name of your choosing when

3700

# creating a CustomInfoType, or one of the names listed

3701

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3702

# a built-in type. InfoType names should conform to the pattern

3703

# `[a-zA-Z0-9_]{1,64}`.

3704

},

3705

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3706

# referential integrity such that the same identifier in two different

3707

# contexts will be given a distinct surrogate. The context is appended to

3708

# plaintext value being encrypted. On decryption the provided context is

3709

# validated against the value used during encryption. If a context was

3710

# provided during encryption, same context must be provided during decryption

3711

# as well.

3712

#

3713

# If the context is not set, plaintext would be used as is for encryption.

3714

# If the context is set but:

3715

#

3716

# 1. there is no record present when transforming a given value or

3717

# 2. the field is not present when transforming a given value,

3718

#

3719

# plaintext would be used as is for encryption.

3720

#

3721

# Note that case (1) is expected when an `InfoTypeTransformation` is

3722

# applied to both structured and non-structured `ContentItem`s.

3723

"name": "A String", # Name describing the field.

3724

},

3725

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3726

# a key encryption key (KEK) stored by KMS).

3727

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3728

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3729

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3730

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3731

# leaking the key. Choose another type of key if possible.

3732

"key": "A String", # Required. A 128/192/256 bit key.

3733

},

3734

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3735

# It will be discarded after the request finishes.

3736

"name": "A String", # Required. Name of the key.

3737

# This is an arbitrary string used to differentiate different keys.

3738

# A unique key is generated per name: two separate `TransientCryptoKey`

3739

# protos share the same generated key if their names are the same.

3740

# When the data crypto key is generated, this name is not used in any way

3741

# (repeating the api call will result in a different key being generated).

3742

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3743

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3744

# The wrapped key must be a 128/192/256 bit key.

3745

# Authorization requires the following IAM permissions when sending a request

3746

# to perform a crypto transformation using a kms-wrapped crypto key:

3747

# dlp.kms.encrypt

3748

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3749

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3750

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3751

},

3752

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3753

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

3754

# replacement values are dynamically provided by the user for custom behavior,

3755

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3756

# This can be used on

3757

# data of type: number, long, string, timestamp.

3758

# If the bound `Value` type differs from the type of data being transformed, we

3759

# will first attempt converting the type of the data to be transformed to match

3760

# the type of the bound before comparing.

3761

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3762

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3763

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3764

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3765

# the default behavior will be to hyphenate the min-max range.

3766

# Note that for the purposes of inspection or transformation, the number

3767

# of bytes considered to comprise a 'Value' is based on its representation

3768

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3769

# 123456789, the number of bytes would be counted as 9, even though an

3770

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3771

"timestampValue": "A String", # timestamp

3772

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3773

# and time zone are either specified elsewhere or are not significant. The date

3774

# is relative to the Proleptic Gregorian Calendar. This can represent:

3775

#

3776

# * A full date, with non-zero year, month and day values

3777

# * A month and day value, with a zero year, e.g. an anniversary

3778

# * A year on its own, with zero month and day values

3779

# * A year and month value, with a zero day, e.g. a credit card expiration date

3780

#

3781

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3782

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3783

# a year.

3784

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3785

# month and day.

3786

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3787

# if specifying a year by itself or a year and month where the day is not

3788

# significant.

3789

},

3790

"stringValue": "A String", # string

3791

"integerValue": "A String", # integer

3792

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3793

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3794

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3795

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3796

# to allow the value "24:00:00" for scenarios like business closing time.

3797

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3798

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3799

# allow the value 60 if it allows leap-seconds.

3800

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3801

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3802

"booleanValue": True or False, # boolean

3803

"floatValue": 3.14, # float

3804

"dayOfWeekValue": "A String", # day of week

3805

},

3806

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3807

# used.

3808

# Note that for the purposes of inspection or transformation, the number

3809

# of bytes considered to comprise a 'Value' is based on its representation

3810

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3811

# 123456789, the number of bytes would be counted as 9, even though an

3812

# int64 only holds up to 8 bytes of data.

3813

"timestampValue": "A String", # timestamp

3814

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3815

# and time zone are either specified elsewhere or are not significant. The date

3816

# is relative to the Proleptic Gregorian Calendar. This can represent:

3817

#

3818

# * A full date, with non-zero year, month and day values

3819

# * A month and day value, with a zero year, e.g. an anniversary

3820

# * A year on its own, with zero month and day values

3821

# * A year and month value, with a zero day, e.g. a credit card expiration date

3822

#

3823

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3824

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3825

# a year.

3826

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3827

# month and day.

3828

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3829

# if specifying a year by itself or a year and month where the day is not

3830

# significant.

3831

},

3832

"stringValue": "A String", # string

3833

"integerValue": "A String", # integer

3834

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3835

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3836

# types are google.type.Date and `google.protobuf.Timestamp`.

3837

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3838

# to allow the value "24:00:00" for scenarios like business closing time.

3839

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3840

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3841

# allow the value 60 if it allows leap-seconds.

3842

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3843

},

3844

"booleanValue": True or False, # boolean

3845

"floatValue": 3.14, # float

3846

"dayOfWeekValue": "A String", # day of week

3847

},

3848

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3849

# Note that for the purposes of inspection or transformation, the number

3850

# of bytes considered to comprise a 'Value' is based on its representation

3851

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3852

# 123456789, the number of bytes would be counted as 9, even though an

3853

# int64 only holds up to 8 bytes of data.

3854

"timestampValue": "A String", # timestamp

3855

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3856

# and time zone are either specified elsewhere or are not significant. The date

3857

# is relative to the Proleptic Gregorian Calendar. This can represent:

3858

#

3859

# * A full date, with non-zero year, month and day values

3860

# * A month and day value, with a zero year, e.g. an anniversary

3861

# * A year on its own, with zero month and day values

3862

# * A year and month value, with a zero day, e.g. a credit card expiration date

3863

#

3864

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3865

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3866

# a year.

3867

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3868

# month and day.

3869

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3870

# if specifying a year by itself or a year and month where the day is not

3871

# significant.

3872

},

3873

"stringValue": "A String", # string

3874

"integerValue": "A String", # integer

3875

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3876

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3877

# types are google.type.Date and `google.protobuf.Timestamp`.

3878

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3879

# to allow the value "24:00:00" for scenarios like business closing time.

3880

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3881

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3882

# allow the value 60 if it allows leap-seconds.

3883

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3884

},

3885

"booleanValue": True or False, # boolean

3886

"floatValue": 3.14, # float

3887

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

3888

},

3889

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3890

],

3891

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3892

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3893

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3894

# output would be 'My phone number is '.

3895

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3896

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3897

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

3898

# Note that for the purposes of inspection or transformation, the number

3899

# of bytes considered to comprise a 'Value' is based on its representation

3900

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3901

# 123456789, the number of bytes would be counted as 9, even though an

3902

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3903

"timestampValue": "A String", # timestamp

3904

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3905

# and time zone are either specified elsewhere or are not significant. The date

3906

# is relative to the Proleptic Gregorian Calendar. This can represent:

3907

#

3908

# * A full date, with non-zero year, month and day values

3909

# * A month and day value, with a zero year, e.g. an anniversary

3910

# * A year on its own, with zero month and day values

3911

# * A year and month value, with a zero day, e.g. a credit card expiration date

3912

#

3913

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3914

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3915

# a year.

3916

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3917

# month and day.

3918

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3919

# if specifying a year by itself or a year and month where the day is not

3920

# significant.

3921

},

3922

"stringValue": "A String", # string

3923

"integerValue": "A String", # integer

3924

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3925

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3926

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3927

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3928

# to allow the value "24:00:00" for scenarios like business closing time.

3929

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3930

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3931

# allow the value 60 if it allows leap-seconds.

3932

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3933

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3934

"booleanValue": True or False, # boolean

3935

"floatValue": 3.14, # float

3936

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3937

},

3938

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3939

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3940

# Bucketing transformation can provide all of this functionality,

3941

# but requires more configuration. This message is provided as a convenience to

3942

# the user for simple bucketing strategies.

3943

#

3944

# The transformed value will be a hyphenated string of

3945

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3946

# all values that are within this bucket will be replaced with "10-20".

3947

#

3948

# This can be used on data of type: double, long.

3949

#

3950

# If the bound Value type differs from the type of data

3951

# being transformed, we will first attempt converting the type of the data to

3952

# be transformed to match the type of the bound before comparing.

3953

#

3954

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3955

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3956

# grouped together into a single bucket; for example if `upper_bound` = 89,

3957

# then all values greater than 89 are replaced with the value "89+".

3958

# Note that for the purposes of inspection or transformation, the number

3959

# of bytes considered to comprise a 'Value' is based on its representation

3960

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3961

# 123456789, the number of bytes would be counted as 9, even though an

3962

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3963

"timestampValue": "A String", # timestamp

3964

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3965

# and time zone are either specified elsewhere or are not significant. The date

3966

# is relative to the Proleptic Gregorian Calendar. This can represent:

3967

#

3968

# * A full date, with non-zero year, month and day values

3969

# * A month and day value, with a zero year, e.g. an anniversary

3970

# * A year on its own, with zero month and day values

3971

# * A year and month value, with a zero day, e.g. a credit card expiration date

3972

#

3973

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3974

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3975

# a year.

3976

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3977

# month and day.

3978

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3979

# if specifying a year by itself or a year and month where the day is not

3980

# significant.

3981

},

3982

"stringValue": "A String", # string

3983

"integerValue": "A String", # integer

3984

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3985

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3986

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3987

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3988

# to allow the value "24:00:00" for scenarios like business closing time.

3989

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3990

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3991

# allow the value 60 if it allows leap-seconds.

3992

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3993

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

3994

"booleanValue": True or False, # boolean

3995

"floatValue": 3.14, # float

3996

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

3997

},

3998

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

3999

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

4000

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

4001

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4002

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4003

# grouped together into a single bucket; for example if `lower_bound` = 10,

4004

# then all values less than 10 are replaced with the value "-10".

4005

# Note that for the purposes of inspection or transformation, the number

4006

# of bytes considered to comprise a 'Value' is based on its representation

4007

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4008

# 123456789, the number of bytes would be counted as 9, even though an

4009

# int64 only holds up to 8 bytes of data.

4010

"timestampValue": "A String", # timestamp

4011

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4012

# and time zone are either specified elsewhere or are not significant. The date

4013

# is relative to the Proleptic Gregorian Calendar. This can represent:

4014

#

4015

# * A full date, with non-zero year, month and day values

4016

# * A month and day value, with a zero year, e.g. an anniversary

4017

# * A year on its own, with zero month and day values

4018

# * A year and month value, with a zero day, e.g. a credit card expiration date

4019

#

4020

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4021

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4022

# a year.

4023

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4024

# month and day.

4025

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4026

# if specifying a year by itself or a year and month where the day is not

4027

# significant.

4028

},

4029

"stringValue": "A String", # string

4030

"integerValue": "A String", # integer

4031

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4032

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4033

# types are google.type.Date and `google.protobuf.Timestamp`.

4034

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4035

# to allow the value "24:00:00" for scenarios like business closing time.

4036

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4037

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4038

# allow the value 60 if it allows leap-seconds.

4039

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4040

},

4041

"booleanValue": True or False, # boolean

4042

"floatValue": 3.14, # float

4043

"dayOfWeekValue": "A String", # day of week

4044

},

4045

},

4046

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4047

# fixed character. Masking can start from the beginning or end of the string.

4048

# This can be used on data of any type (numbers, longs, and so on) and when

4049

# de-identifying structured data we'll attempt to preserve the original data's

4050

# type. (This allows you to take a long like 123 and modify it to a string like

4051

# **3.

4052

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4053

# characters. For example, if the input string is `555-555-5555` and you

4054

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4055

# returns `***-**5-5555`.

4056

{ # Characters to skip when doing deidentification of a value. These will be left

4057

# alone and skipped.

4058

"charactersToSkip": "A String", # Characters to not transform when masking.

4059

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4064

# masked. Skipped characters do not count towards this tally.

4065

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4066

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4067

# code or credit card number. This string must have a length of 1. If not

4068

# supplied, this value defaults to `*` for strings, and `0` for digits.

4069

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4070

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4071

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4072

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4073

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4074

},

4075

},

4076

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

4077

# given `RecordCondition`. The conditions are allowed to reference fields

4078

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

4083

# column for the same record is within a specific range.

4084

# - Redact a field if the date of birth field is greater than 85.

4085

# a field.

4086

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

4087

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

4088

# only supported value is `AND`.

4089

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

4090

"conditions": [ # A collection of conditions.

4091

{ # The field type of `value` and `field` do not need to match to be

4092

# considered equal, but not all comparisons are possible.

4093

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

4094

# but all other comparisons are invalid with incompatible types.

4095

# A `value` of type:

4096

#

4097

# - `string` can be compared against all other types

4098

# - `boolean` can only be compared against other booleans

4099

# - `integer` can be compared against doubles or a string if the string value

4100

# can be parsed as an integer.

4101

# - `double` can be compared against integers or a string if the string can

4102

# be parsed as a double.

4103

# - `Timestamp` can be compared against strings in RFC 3339 date string

4104

# format.

4105

# - `TimeOfDay` can be compared against timestamps and strings in the format

4106

# of 'HH:mm:ss'.

4107

#

4108

# If we fail to compare do to type mismatch, a warning will be given and

4109

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4110

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

4111

# Note that for the purposes of inspection or transformation, the number

4112

# of bytes considered to comprise a 'Value' is based on its representation

4113

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4114

# 123456789, the number of bytes would be counted as 9, even though an

4115

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4116

"timestampValue": "A String", # timestamp

4117

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4118

# and time zone are either specified elsewhere or are not significant. The date

4119

# is relative to the Proleptic Gregorian Calendar. This can represent:

4120

#

4121

# * A full date, with non-zero year, month and day values

4122

# * A month and day value, with a zero year, e.g. an anniversary

4123

# * A year on its own, with zero month and day values

4124

# * A year and month value, with a zero day, e.g. a credit card expiration date

4125

#

4126

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4127

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4128

# a year.

4129

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4130

# month and day.

4131

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4132

# if specifying a year by itself or a year and month where the day is not

4133

# significant.

4134

},

4135

"stringValue": "A String", # string

4136

"integerValue": "A String", # integer

4137

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4138

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4139

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4140

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4141

# to allow the value "24:00:00" for scenarios like business closing time.

4142

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4143

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4144

# allow the value 60 if it allows leap-seconds.

4145

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4146

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4147

"booleanValue": True or False, # boolean

4148

"floatValue": 3.14, # float

4149

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4150

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4151

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

4152

"name": "A String", # Name describing the field.

4153

},

4154

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4155

},

4156

],

4157

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4158

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4159

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4160

},

4161

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4162

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

4163

# match any suppression rule are omitted from the output.

4164

{ # Configuration to suppress records whose suppression conditions evaluate to

4165

# true.

4166

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

4167

# evaluated to be suppressed from the transformed content.

4168

# a field.

4169

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

4170

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

4171

# only supported value is `AND`.

4172

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

4173

"conditions": [ # A collection of conditions.

4174

{ # The field type of `value` and `field` do not need to match to be

4175

# considered equal, but not all comparisons are possible.

4176

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

4177

# but all other comparisons are invalid with incompatible types.

4178

# A `value` of type:

4179

#

4180

# - `string` can be compared against all other types

4181

# - `boolean` can only be compared against other booleans

4182

# - `integer` can be compared against doubles or a string if the string value

4183

# can be parsed as an integer.

4184

# - `double` can be compared against integers or a string if the string can

4185

# be parsed as a double.

4186

# - `Timestamp` can be compared against strings in RFC 3339 date string

4187

# format.

4188

# - `TimeOfDay` can be compared against timestamps and strings in the format

4189

# of 'HH:mm:ss'.

4190

#

4191

# If we fail to compare do to type mismatch, a warning will be given and

4192

# the condition will evaluate to false.

4193

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

4194

# Note that for the purposes of inspection or transformation, the number

4195

# of bytes considered to comprise a 'Value' is based on its representation

4196

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4197

# 123456789, the number of bytes would be counted as 9, even though an

4198

# int64 only holds up to 8 bytes of data.

4199

"timestampValue": "A String", # timestamp

4200

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4201

# and time zone are either specified elsewhere or are not significant. The date

4202

# is relative to the Proleptic Gregorian Calendar. This can represent:

4203

#

4204

# * A full date, with non-zero year, month and day values

4205

# * A month and day value, with a zero year, e.g. an anniversary

4206

# * A year on its own, with zero month and day values

4207

# * A year and month value, with a zero day, e.g. a credit card expiration date

4208

#

4209

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4210

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4211

# a year.

4212

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4213

# month and day.

4214

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4215

# if specifying a year by itself or a year and month where the day is not

4216

# significant.

4217

},

4218

"stringValue": "A String", # string

4219

"integerValue": "A String", # integer

4220

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4221

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4222

# types are google.type.Date and `google.protobuf.Timestamp`.

4223

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4224

# to allow the value "24:00:00" for scenarios like business closing time.

4225

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4226

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4227

# allow the value 60 if it allows leap-seconds.

4228

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4229

},

4230

"booleanValue": True or False, # boolean

4231

"floatValue": 3.14, # float

4232

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4233

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4234

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

4235

"name": "A String", # Name describing the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4236

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4237

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4238

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4239

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4240

},

4241

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4242

},

4243

},

4244

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4245

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4246

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

4252

<pre>Deletes a DeidentifyTemplate.

4253

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

4254

more.

4255

4256

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4257

name: string, Required. Resource name of the organization and deidentify template to be deleted,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4258

for example `organizations/433245324/deidentifyTemplates/432452342` or

4259

projects/project-id/deidentifyTemplates/432452342. (required)

4260

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4267

4268

{ # A generic empty message that you can re-use to avoid defining duplicated

4269

# empty messages in your APIs. A typical example is to use it as the request

4270

# or the response type of an API method. For instance:

4271

#

4272

# service Foo {

4273

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

4274

# }

4275

#

4276

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

4282

<pre>Gets a DeidentifyTemplate.

4283

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

4284

more.

4285

4286

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4287

name: string, Required. Resource name of the organization and deidentify template to be read, for

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4288

example `organizations/433245324/deidentifyTemplates/432452342` or

4289

projects/project-id/deidentifyTemplates/432452342. (required)

4290

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4297

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4298

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4299

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4300

"name": "A String", # Output only. The template name.

4301

#

4302

# The template will have one of the following formats:

4303

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

4304

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

4305

"description": "A String", # Short description (max 256 chars).

4306

"displayName": "A String", # Display name (max 256 chars).

4307

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

4308

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

4309

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

4310

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

4311

# transformation everywhere.

4312

# apply various `PrimitiveTransformation`s to each finding, where the

4313

# transformation is applied to only values that were identified as a specific

4314

# info_type.

4315

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

4316

# for a given infoType.

4317

{ # A transformation to apply to text that is identified as a specific

4318

# info_type.

4319

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

4320

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

4321

# portion of the value.

4322

"partToExtract": "A String", # The part of the time to keep.

4323

},

4324

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

4325

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

4326

# to learn more.

4327

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

4328

# If set, must also set cryptoKey. If set, shift will be consistent for the

4329

# given context.

4330

"name": "A String", # Name describing the field.

4331

},

4332

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

4333

# range (inclusive ends). Negative means shift to earlier in time. Must not

4334

# be more than 365250 days (1000 years) each direction.

4335

#

4336

# For example, 3 means shift date to at most 3 days into the future.

4337

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

4338

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

4339

# results in the same shift for the same context and crypto_key. If

4340

# set, must also set context. Can only be applied to table items.

4341

# a key encryption key (KEK) stored by KMS).

4342

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4343

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4344

# unwrap the data crypto key.

4345

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4346

# leaking the key. Choose another type of key if possible.

4347

"key": "A String", # Required. A 128/192/256 bit key.

4348

},

4349

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4350

# It will be discarded after the request finishes.

4351

"name": "A String", # Required. Name of the key.

4352

# This is an arbitrary string used to differentiate different keys.

4353

# A unique key is generated per name: two separate `TransientCryptoKey`

4354

# protos share the same generated key if their names are the same.

4355

# When the data crypto key is generated, this name is not used in any way

4356

# (repeating the api call will result in a different key being generated).

4357

},

4358

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4359

# The wrapped key must be a 128/192/256 bit key.

4360

# Authorization requires the following IAM permissions when sending a request

4361

# to perform a crypto transformation using a kms-wrapped crypto key:

4362

# dlp.kms.encrypt

4363

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4364

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

4369

},

4370

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

4371

# Uses SHA-256.

4372

# The key size must be either 32 or 64 bytes.

4373

# Outputs a base64 encoded representation of the hashed output

4374

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

4375

# Currently, only string and integer values can be hashed.

4376

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

4377

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

4378

# a key encryption key (KEK) stored by KMS).

4379

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4380

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4381

# unwrap the data crypto key.

4382

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4383

# leaking the key. Choose another type of key if possible.

4384

"key": "A String", # Required. A 128/192/256 bit key.

4385

},

4386

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4387

# It will be discarded after the request finishes.

4388

"name": "A String", # Required. Name of the key.

4389

# This is an arbitrary string used to differentiate different keys.

4390

# A unique key is generated per name: two separate `TransientCryptoKey`

4391

# protos share the same generated key if their names are the same.

4392

# When the data crypto key is generated, this name is not used in any way

4393

# (repeating the api call will result in a different key being generated).

4394

},

4395

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4396

# The wrapped key must be a 128/192/256 bit key.

4397

# Authorization requires the following IAM permissions when sending a request

4398

# to perform a crypto transformation using a kms-wrapped crypto key:

4399

# dlp.kms.encrypt

4400

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4401

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

4406

# (FPE) with the FFX mode of operation; however when used in the

4407

# `ReidentifyContent` API method, it serves the opposite function by reversing

4408

# the surrogate back into the original identifier. The identifier must be

4409

# encoded as ASCII. For a given crypto key and context, the same identifier

4410

# will be replaced with the same surrogate. Identifiers must be at least two

4411

# characters long. In the case that the identifier is the empty string, it will

4412

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

4413

# more.

4414

#

4415

# Note: We recommend using CryptoDeterministicConfig for all use cases which

4416

# do not require preserving the input alphabet space and size, plus warrant

4417

# referential integrity.

4418

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

4419

# This annotation will be applied to the surrogate by prefixing it with

4420

# the name of the custom infoType followed by the number of

4421

# characters comprising the surrogate. The following scheme defines the

4422

# format: info_type_name(surrogate_character_count):surrogate

4423

#

4424

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

4425

# the surrogate is 'abc', the full replacement value

4426

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4427

#

4428

# This annotation identifies the surrogate when inspecting content using the

4429

# custom infoType

4430

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

4431

# This facilitates reversal of the surrogate when it occurs in free text.

4432

#

4433

# In order for inspection to work properly, the name of this infoType must

4434

# not occur naturally anywhere in your data; otherwise, inspection may

4435

# find a surrogate that does not correspond to an actual identifier.

4436

# Therefore, choose your custom infoType name carefully after considering

4437

# what your data looks like. One way to select a name that has a high chance

4438

# of yielding reliable detection is to include one or more unicode characters

4439

# that are highly improbable to exist in your data.

4440

# For example, assuming your data is entered from a regular ASCII keyboard,

4441

# the symbol with the hex code point 29DD might be used like so:

4442

# ⧝MY_TOKEN_TYPE

4443

"name": "A String", # Name of the information type. Either a name of your choosing when

4444

# creating a CustomInfoType, or one of the names listed

4445

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4446

# a built-in type. InfoType names should conform to the pattern

4447

# `[a-zA-Z0-9_]{1,64}`.

4448

},

4449

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

4450

# identifier in two different contexts won't be given the same surrogate. If

4451

# the context is not set, a default tweak will be used.

4452

#

4453

# If the context is set but:

4454

#

4455

# 1. there is no record present when transforming a given value or

4456

# 1. the field is not present when transforming a given value,

4457

#

4458

# a default tweak will be used.

4459

#

4460

# Note that case (1) is expected when an `InfoTypeTransformation` is

4461

# applied to both structured and non-structured `ContentItem`s.

4462

# Currently, the referenced field may be of value type integer or string.

4463

#

4464

# The tweak is constructed as a sequence of bytes in big endian byte order

4465

# such that:

4466

#

4467

# - a 64 bit integer is encoded followed by a single byte of value 1

4468

# - a string is encoded in UTF-8 format followed by a single byte of value 2

4469

"name": "A String", # Name describing the field.

4470

},

4471

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

4472

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

4473

# a key encryption key (KEK) stored by KMS).

4474

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4475

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4476

# unwrap the data crypto key.

4477

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4478

# leaking the key. Choose another type of key if possible.

4479

"key": "A String", # Required. A 128/192/256 bit key.

4480

},

4481

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4482

# It will be discarded after the request finishes.

4483

"name": "A String", # Required. Name of the key.

4484

# This is an arbitrary string used to differentiate different keys.

4485

# A unique key is generated per name: two separate `TransientCryptoKey`

4486

# protos share the same generated key if their names are the same.

4487

# When the data crypto key is generated, this name is not used in any way

4488

# (repeating the api call will result in a different key being generated).

4489

},

4490

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4491

# The wrapped key must be a 128/192/256 bit key.

4492

# Authorization requires the following IAM permissions when sending a request

4493

# to perform a crypto transformation using a kms-wrapped crypto key:

4494

# dlp.kms.encrypt

4495

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4496

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4497

},

4498

},

4499

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

4500

# that the FFX mode natively supports. This happens before/after

4501

# encryption/decryption.

4502

# Each character listed must appear only once.

4503

# Number of characters must be in the range [2, 95].

4504

# This must be encoded as ASCII.

4505

# The order of characters does not matter.

4506

"commonAlphabet": "A String", # Common alphabets.

4507

},

4508

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

4509

# input. Outputs a base64 encoded representation of the encrypted output.

4510

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

4511

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

4512

# This annotation will be applied to the surrogate by prefixing it with

4513

# the name of the custom info type followed by the number of

4514

# characters comprising the surrogate. The following scheme defines the

4515

# format: {info type name}({surrogate character count}):{surrogate}

4516

#

4517

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

4518

# the surrogate is 'abc', the full replacement value

4519

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4520

#

4521

# This annotation identifies the surrogate when inspecting content using the

4522

# custom info type 'Surrogate'. This facilitates reversal of the

4523

# surrogate when it occurs in free text.

4524

#

4525

# Note: For record transformations where the entire cell in a table is being

4526

# transformed, surrogates are not mandatory. Surrogates are used to denote

4527

# the location of the token and are necessary for re-identification in free

4528

# form text.

4529

#

4530

# In order for inspection to work properly, the name of this info type must

4531

# not occur naturally anywhere in your data; otherwise, inspection may either

4532

#

4533

# - reverse a surrogate that does not correspond to an actual identifier

4534

# - be unable to parse the surrogate and result in an error

4535

#

4536

# Therefore, choose your custom info type name carefully after considering

4537

# what your data looks like. One way to select a name that has a high chance

4538

# of yielding reliable detection is to include one or more unicode characters

4539

# that are highly improbable to exist in your data.

4540

# For example, assuming your data is entered from a regular ASCII keyboard,

4541

# the symbol with the hex code point 29DD might be used like so:

4542

# ⧝MY_TOKEN_TYPE.

4543

"name": "A String", # Name of the information type. Either a name of your choosing when

4544

# creating a CustomInfoType, or one of the names listed

4545

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4546

# a built-in type. InfoType names should conform to the pattern

4547

# `[a-zA-Z0-9_]{1,64}`.

4548

},

4549

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

4550

# referential integrity such that the same identifier in two different

4551

# contexts will be given a distinct surrogate. The context is appended to

4552

# plaintext value being encrypted. On decryption the provided context is

4553

# validated against the value used during encryption. If a context was

4554

# provided during encryption, same context must be provided during decryption

4555

# as well.

4556

#

4557

# If the context is not set, plaintext would be used as is for encryption.

4558

# If the context is set but:

4559

#

4560

# 1. there is no record present when transforming a given value or

4561

# 2. the field is not present when transforming a given value,

4562

#

4563

# plaintext would be used as is for encryption.

4564

#

4565

# Note that case (1) is expected when an `InfoTypeTransformation` is

4566

# applied to both structured and non-structured `ContentItem`s.

4567

"name": "A String", # Name describing the field.

4568

},

4569

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

4570

# a key encryption key (KEK) stored by KMS).

4571

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4572

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4573

# unwrap the data crypto key.

4574

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4575

# leaking the key. Choose another type of key if possible.

4576

"key": "A String", # Required. A 128/192/256 bit key.

4577

},

4578

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4579

# It will be discarded after the request finishes.

4580

"name": "A String", # Required. Name of the key.

4581

# This is an arbitrary string used to differentiate different keys.

4582

# A unique key is generated per name: two separate `TransientCryptoKey`

4583

# protos share the same generated key if their names are the same.

4584

# When the data crypto key is generated, this name is not used in any way

4585

# (repeating the api call will result in a different key being generated).

4586

},

4587

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4588

# The wrapped key must be a 128/192/256 bit key.

4589

# Authorization requires the following IAM permissions when sending a request

4590

# to perform a crypto transformation using a kms-wrapped crypto key:

4591

# dlp.kms.encrypt

4592

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4593

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

4598

# replacement values are dynamically provided by the user for custom behavior,

4599

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

4600

# This can be used on

4601

# data of type: number, long, string, timestamp.

4602

# If the bound `Value` type differs from the type of data being transformed, we

4603

# will first attempt converting the type of the data to be transformed to match

4604

# the type of the bound before comparing.

4605

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4606

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

4607

{ # Bucket is represented as a range, along with replacement values.

4608

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

4609

# the default behavior will be to hyphenate the min-max range.

4610

# Note that for the purposes of inspection or transformation, the number

4611

# of bytes considered to comprise a 'Value' is based on its representation

4612

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4613

# 123456789, the number of bytes would be counted as 9, even though an

4614

# int64 only holds up to 8 bytes of data.

4615

"timestampValue": "A String", # timestamp

4616

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4617

# and time zone are either specified elsewhere or are not significant. The date

4618

# is relative to the Proleptic Gregorian Calendar. This can represent:

4619

#

4620

# * A full date, with non-zero year, month and day values

4621

# * A month and day value, with a zero year, e.g. an anniversary

4622

# * A year on its own, with zero month and day values

4623

# * A year and month value, with a zero day, e.g. a credit card expiration date

4624

#

4625

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4626

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4627

# a year.

4628

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4629

# month and day.

4630

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4631

# if specifying a year by itself or a year and month where the day is not

4632

# significant.

4633

},

4634

"stringValue": "A String", # string

4635

"integerValue": "A String", # integer

4636

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4637

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4638

# types are google.type.Date and `google.protobuf.Timestamp`.

4639

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4640

# to allow the value "24:00:00" for scenarios like business closing time.

4641

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4642

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4643

# allow the value 60 if it allows leap-seconds.

4644

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4645

},

4646

"booleanValue": True or False, # boolean

4647

"floatValue": 3.14, # float

4648

"dayOfWeekValue": "A String", # day of week

4649

},

4650

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

4651

# used.

4652

# Note that for the purposes of inspection or transformation, the number

4653

# of bytes considered to comprise a 'Value' is based on its representation

4654

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4655

# 123456789, the number of bytes would be counted as 9, even though an

4656

# int64 only holds up to 8 bytes of data.

4657

"timestampValue": "A String", # timestamp

4658

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4659

# and time zone are either specified elsewhere or are not significant. The date

4660

# is relative to the Proleptic Gregorian Calendar. This can represent:

4661

#

4662

# * A full date, with non-zero year, month and day values

4663

# * A month and day value, with a zero year, e.g. an anniversary

4664

# * A year on its own, with zero month and day values

4665

# * A year and month value, with a zero day, e.g. a credit card expiration date

4666

#

4667

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4668

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4669

# a year.

4670

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4671

# month and day.

4672

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4673

# if specifying a year by itself or a year and month where the day is not

4674

# significant.

4675

},

4676

"stringValue": "A String", # string

4677

"integerValue": "A String", # integer

4678

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4679

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4680

# types are google.type.Date and `google.protobuf.Timestamp`.

4681

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4682

# to allow the value "24:00:00" for scenarios like business closing time.

4683

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4684

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4685

# allow the value 60 if it allows leap-seconds.

4686

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4687

},

4688

"booleanValue": True or False, # boolean

4689

"floatValue": 3.14, # float

4690

"dayOfWeekValue": "A String", # day of week

4691

},

4692

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

4693

# Note that for the purposes of inspection or transformation, the number

4694

# of bytes considered to comprise a 'Value' is based on its representation

4695

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4696

# 123456789, the number of bytes would be counted as 9, even though an

4697

# int64 only holds up to 8 bytes of data.

4698

"timestampValue": "A String", # timestamp

4699

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4700

# and time zone are either specified elsewhere or are not significant. The date

4701

# is relative to the Proleptic Gregorian Calendar. This can represent:

4702

#

4703

# * A full date, with non-zero year, month and day values

4704

# * A month and day value, with a zero year, e.g. an anniversary

4705

# * A year on its own, with zero month and day values

4706

# * A year and month value, with a zero day, e.g. a credit card expiration date

4707

#

4708

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4709

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4710

# a year.

4711

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4712

# month and day.

4713

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4714

# if specifying a year by itself or a year and month where the day is not

4715

# significant.

4716

},

4717

"stringValue": "A String", # string

4718

"integerValue": "A String", # integer

4719

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4720

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4721

# types are google.type.Date and `google.protobuf.Timestamp`.

4722

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4723

# to allow the value "24:00:00" for scenarios like business closing time.

4724

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4725

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4726

# allow the value 60 if it allows leap-seconds.

4727

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4728

},

4729

"booleanValue": True or False, # boolean

4730

"floatValue": 3.14, # float

4731

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

4737

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

4738

# output would be 'My phone number is '.

4739

},

4740

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

4741

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

4742

# Note that for the purposes of inspection or transformation, the number

4743

# of bytes considered to comprise a 'Value' is based on its representation

4744

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4745

# 123456789, the number of bytes would be counted as 9, even though an

4746

# int64 only holds up to 8 bytes of data.

4747

"timestampValue": "A String", # timestamp

4748

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4749

# and time zone are either specified elsewhere or are not significant. The date

4750

# is relative to the Proleptic Gregorian Calendar. This can represent:

4751

#

4752

# * A full date, with non-zero year, month and day values

4753

# * A month and day value, with a zero year, e.g. an anniversary

4754

# * A year on its own, with zero month and day values

4755

# * A year and month value, with a zero day, e.g. a credit card expiration date

4756

#

4757

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4758

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4759

# a year.

4760

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4761

# month and day.

4762

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4763

# if specifying a year by itself or a year and month where the day is not

4764

# significant.

4765

},

4766

"stringValue": "A String", # string

4767

"integerValue": "A String", # integer

4768

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4769

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4770

# types are google.type.Date and `google.protobuf.Timestamp`.

4771

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4772

# to allow the value "24:00:00" for scenarios like business closing time.

4773

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4774

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4775

# allow the value 60 if it allows leap-seconds.

4776

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4777

},

4778

"booleanValue": True or False, # boolean

4779

"floatValue": 3.14, # float

4780

"dayOfWeekValue": "A String", # day of week

4781

},

4782

},

4783

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

4784

# Bucketing transformation can provide all of this functionality,

4785

# but requires more configuration. This message is provided as a convenience to

4786

# the user for simple bucketing strategies.

4787

#

4788

# The transformed value will be a hyphenated string of

4789

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

4790

# all values that are within this bucket will be replaced with "10-20".

4791

#

4792

# This can be used on data of type: double, long.

4793

#

4794

# If the bound Value type differs from the type of data

4795

# being transformed, we will first attempt converting the type of the data to

4796

# be transformed to match the type of the bound before comparing.

4797

#

4798

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4799

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

4800

# grouped together into a single bucket; for example if `upper_bound` = 89,

4801

# then all values greater than 89 are replaced with the value "89+".

4802

# Note that for the purposes of inspection or transformation, the number

4803

# of bytes considered to comprise a 'Value' is based on its representation

4804

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4805

# 123456789, the number of bytes would be counted as 9, even though an

4806

# int64 only holds up to 8 bytes of data.

4807

"timestampValue": "A String", # timestamp

4808

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4809

# and time zone are either specified elsewhere or are not significant. The date

4810

# is relative to the Proleptic Gregorian Calendar. This can represent:

4811

#

4812

# * A full date, with non-zero year, month and day values

4813

# * A month and day value, with a zero year, e.g. an anniversary

4814

# * A year on its own, with zero month and day values

4815

# * A year and month value, with a zero day, e.g. a credit card expiration date

4816

#

4817

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4818

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4819

# a year.

4820

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4821

# month and day.

4822

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4823

# if specifying a year by itself or a year and month where the day is not

4824

# significant.

4825

},

4826

"stringValue": "A String", # string

4827

"integerValue": "A String", # integer

4828

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4829

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4830

# types are google.type.Date and `google.protobuf.Timestamp`.

4831

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4832

# to allow the value "24:00:00" for scenarios like business closing time.

4833

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4834

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4835

# allow the value 60 if it allows leap-seconds.

4836

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4837

},

4838

"booleanValue": True or False, # boolean

4839

"floatValue": 3.14, # float

4840

"dayOfWeekValue": "A String", # day of week

4841

},

4842

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

4843

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

4844

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

4845

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

4846

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4847

# grouped together into a single bucket; for example if `lower_bound` = 10,

4848

# then all values less than 10 are replaced with the value "-10".

4849

# Note that for the purposes of inspection or transformation, the number

4850

# of bytes considered to comprise a 'Value' is based on its representation

4851

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4852

# 123456789, the number of bytes would be counted as 9, even though an

4853

# int64 only holds up to 8 bytes of data.

4854

"timestampValue": "A String", # timestamp

4855

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4856

# and time zone are either specified elsewhere or are not significant. The date

4857

# is relative to the Proleptic Gregorian Calendar. This can represent:

4858

#

4859

# * A full date, with non-zero year, month and day values

4860

# * A month and day value, with a zero year, e.g. an anniversary

4861

# * A year on its own, with zero month and day values

4862

# * A year and month value, with a zero day, e.g. a credit card expiration date

4863

#

4864

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4865

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4866

# a year.

4867

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4868

# month and day.

4869

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4870

# if specifying a year by itself or a year and month where the day is not

4871

# significant.

4872

},

4873

"stringValue": "A String", # string

4874

"integerValue": "A String", # integer

4875

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4876

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4877

# types are google.type.Date and `google.protobuf.Timestamp`.

4878

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4879

# to allow the value "24:00:00" for scenarios like business closing time.

4880

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4881

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4882

# allow the value 60 if it allows leap-seconds.

4883

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4884

},

4885

"booleanValue": True or False, # boolean

4886

"floatValue": 3.14, # float

4887

"dayOfWeekValue": "A String", # day of week

4888

},

4889

},

4890

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4891

# fixed character. Masking can start from the beginning or end of the string.

4892

# This can be used on data of any type (numbers, longs, and so on) and when

4893

# de-identifying structured data we'll attempt to preserve the original data's

4894

# type. (This allows you to take a long like 123 and modify it to a string like

4895

# **3.

4896

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4897

# characters. For example, if the input string is `555-555-5555` and you

4898

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4899

# returns `***-**5-5555`.

4900

{ # Characters to skip when doing deidentification of a value. These will be left

4901

# alone and skipped.

4902

"charactersToSkip": "A String", # Characters to not transform when masking.

4903

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4908

# masked. Skipped characters do not count towards this tally.

4909

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4910

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4911

# code or credit card number. This string must have a length of 1. If not

4912

# supplied, this value defaults to `*` for strings, and `0` for digits.

4913

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4914

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4915

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4916

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4917

# is `true`, then the string `12345` is masked as `12***`.

4918

},

4919

},

4920

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

4921

# this transformation to apply to all findings that correspond to

4922

# infoTypes that were requested in `InspectConfig`.

4923

{ # Type of information detected by the API.

4924

"name": "A String", # Name of the information type. Either a name of your choosing when

4925

# creating a CustomInfoType, or one of the names listed

4926

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4927

# a built-in type. InfoType names should conform to the pattern

4928

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4934

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

4935

# mode is `TransformationErrorHandling.ThrowError`.

4936

# transformation error occurs when the requested transformation is incompatible

4937

# with the data. For example, trying to de-identify an IP address using a

4938

# `DateShift` transformation would result in a transformation error, since date

4939

# info cannot be extracted from an IP address.

4940

# Information about any incompatible transformations, and how they were

4941

# handled, is returned in the response as part of the

4942

# `TransformationOverviews`.

4943

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

4944

},

4945

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

4946

# cause an error. For example, if a `DateShift` transformation were applied

4947

# an an IP address, this mode would leave the IP address unchanged in the

4948

# response.

4949

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4950

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4951

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4952

# specific locations within structured datasets, such as transforming

4953

# a column within a table.

4954

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4955

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4956

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4957

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4958

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4959

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4960

},

4961

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4962

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4963

# transform content that matches an `InfoType`.

4964

# apply various `PrimitiveTransformation`s to each finding, where the

4965

# transformation is applied to only values that were identified as a specific

4966

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4967

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

4968

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4969

{ # A transformation to apply to text that is identified as a specific

4970

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4971

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

4972

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

4973

# portion of the value.

4974

"partToExtract": "A String", # The part of the time to keep.

4975

},

4976

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

4977

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

4978

# to learn more.

4979

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

4980

# If set, must also set cryptoKey. If set, shift will be consistent for the

4981

# given context.

4982

"name": "A String", # Name describing the field.

4983

},

4984

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

4985

# range (inclusive ends). Negative means shift to earlier in time. Must not

4986

# be more than 365250 days (1000 years) each direction.

4987

#

4988

# For example, 3 means shift date to at most 3 days into the future.

4989

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

4990

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

4991

# results in the same shift for the same context and crypto_key. If

4992

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4993

# a key encryption key (KEK) stored by KMS).

4994

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4995

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4996

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4997

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

4998

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

4999

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5000

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5001

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5002

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5003

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5004

# This is an arbitrary string used to differentiate different keys.

5005

# A unique key is generated per name: two separate `TransientCryptoKey`

5006

# protos share the same generated key if their names are the same.

5007

# When the data crypto key is generated, this name is not used in any way

5008

# (repeating the api call will result in a different key being generated).

5009

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5010

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5011

# The wrapped key must be a 128/192/256 bit key.

5012

# Authorization requires the following IAM permissions when sending a request

5013

# to perform a crypto transformation using a kms-wrapped crypto key:

5014

# dlp.kms.encrypt

5015

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5016

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5017

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5018

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5019

},

5020

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5021

},

5022

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5023

# Uses SHA-256.

5024

# The key size must be either 32 or 64 bytes.

5025

# Outputs a base64 encoded representation of the hashed output

5026

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5027

# Currently, only string and integer values can be hashed.

5028

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5029

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5030

# a key encryption key (KEK) stored by KMS).

5031

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5032

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5033

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5034

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5035

# leaking the key. Choose another type of key if possible.

5036

"key": "A String", # Required. A 128/192/256 bit key.

5037

},

5038

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5039

# It will be discarded after the request finishes.

5040

"name": "A String", # Required. Name of the key.

5041

# This is an arbitrary string used to differentiate different keys.

5042

# A unique key is generated per name: two separate `TransientCryptoKey`

5043

# protos share the same generated key if their names are the same.

5044

# When the data crypto key is generated, this name is not used in any way

5045

# (repeating the api call will result in a different key being generated).

5046

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5047

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5048

# The wrapped key must be a 128/192/256 bit key.

5049

# Authorization requires the following IAM permissions when sending a request

5050

# to perform a crypto transformation using a kms-wrapped crypto key:

5051

# dlp.kms.encrypt

5052

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5053

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5054

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5055

},

5056

},

5057

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5058

# (FPE) with the FFX mode of operation; however when used in the

5059

# `ReidentifyContent` API method, it serves the opposite function by reversing

5060

# the surrogate back into the original identifier. The identifier must be

5061

# encoded as ASCII. For a given crypto key and context, the same identifier

5062

# will be replaced with the same surrogate. Identifiers must be at least two

5063

# characters long. In the case that the identifier is the empty string, it will

5064

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5065

# more.

5066

#

5067

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5068

# do not require preserving the input alphabet space and size, plus warrant

5069

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5070

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5071

# This annotation will be applied to the surrogate by prefixing it with

5072

# the name of the custom infoType followed by the number of

5073

# characters comprising the surrogate. The following scheme defines the

5074

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5075

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5076

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5077

# the surrogate is 'abc', the full replacement value

5078

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5079

#

5080

# This annotation identifies the surrogate when inspecting content using the

5081

# custom infoType

5082

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

5083

# This facilitates reversal of the surrogate when it occurs in free text.

5084

#

5085

# In order for inspection to work properly, the name of this infoType must

5086

# not occur naturally anywhere in your data; otherwise, inspection may

5087

# find a surrogate that does not correspond to an actual identifier.

5088

# Therefore, choose your custom infoType name carefully after considering

5089

# what your data looks like. One way to select a name that has a high chance

5090

# of yielding reliable detection is to include one or more unicode characters

5091

# that are highly improbable to exist in your data.

5092

# For example, assuming your data is entered from a regular ASCII keyboard,

5093

# the symbol with the hex code point 29DD might be used like so:

5094

# ⧝MY_TOKEN_TYPE

5095

"name": "A String", # Name of the information type. Either a name of your choosing when

5096

# creating a CustomInfoType, or one of the names listed

5097

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5098

# a built-in type. InfoType names should conform to the pattern

5099

# `[a-zA-Z0-9_]{1,64}`.

5100

},

5101

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

5102

# identifier in two different contexts won't be given the same surrogate. If

5103

# the context is not set, a default tweak will be used.

5104

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5105

# If the context is set but:

5106

#

5107

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5108

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5109

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5110

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5111

#

5112

# Note that case (1) is expected when an `InfoTypeTransformation` is

5113

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5114

# Currently, the referenced field may be of value type integer or string.

5115

#

5116

# The tweak is constructed as a sequence of bytes in big endian byte order

5117

# such that:

5118

#

5119

# - a 64 bit integer is encoded followed by a single byte of value 1

5120

# - a string is encoded in UTF-8 format followed by a single byte of value 2

5121

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5122

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5123

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

5124

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

5125

# a key encryption key (KEK) stored by KMS).

5126

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5127

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5128

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5129

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5130

# leaking the key. Choose another type of key if possible.

5131

"key": "A String", # Required. A 128/192/256 bit key.

5132

},

5133

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5134

# It will be discarded after the request finishes.

5135

"name": "A String", # Required. Name of the key.

5136

# This is an arbitrary string used to differentiate different keys.

5137

# A unique key is generated per name: two separate `TransientCryptoKey`

5138

# protos share the same generated key if their names are the same.

5139

# When the data crypto key is generated, this name is not used in any way

5140

# (repeating the api call will result in a different key being generated).

5141

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5142

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5143

# The wrapped key must be a 128/192/256 bit key.

5144

# Authorization requires the following IAM permissions when sending a request

5145

# to perform a crypto transformation using a kms-wrapped crypto key:

5146

# dlp.kms.encrypt

5147

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5148

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5149

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5150

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5151

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5152

# that the FFX mode natively supports. This happens before/after

5153

# encryption/decryption.

5154

# Each character listed must appear only once.

5155

# Number of characters must be in the range [2, 95].

5156

# This must be encoded as ASCII.

5157

# The order of characters does not matter.

5158

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5159

},

5160

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

5161

# input. Outputs a base64 encoded representation of the encrypted output.

5162

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

5163

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5164

# This annotation will be applied to the surrogate by prefixing it with

5165

# the name of the custom info type followed by the number of

5166

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5167

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5168

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5169

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

5170

# the surrogate is 'abc', the full replacement value

5171

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5172

#

5173

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5174

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5175

# surrogate when it occurs in free text.

5176

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5177

# Note: For record transformations where the entire cell in a table is being

5178

# transformed, surrogates are not mandatory. Surrogates are used to denote

5179

# the location of the token and are necessary for re-identification in free

5180

# form text.

5181

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5182

# In order for inspection to work properly, the name of this info type must

5183

# not occur naturally anywhere in your data; otherwise, inspection may either

5184

#

5185

# - reverse a surrogate that does not correspond to an actual identifier

5186

# - be unable to parse the surrogate and result in an error

5187

#

5188

# Therefore, choose your custom info type name carefully after considering

5189

# what your data looks like. One way to select a name that has a high chance

5190

# of yielding reliable detection is to include one or more unicode characters

5191

# that are highly improbable to exist in your data.

5192

# For example, assuming your data is entered from a regular ASCII keyboard,

5193

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5194

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5195

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5196

# creating a CustomInfoType, or one of the names listed

5197

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5198

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5199

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5200

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5201

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

5202

# referential integrity such that the same identifier in two different

5203

# contexts will be given a distinct surrogate. The context is appended to

5204

# plaintext value being encrypted. On decryption the provided context is

5205

# validated against the value used during encryption. If a context was

5206

# provided during encryption, same context must be provided during decryption

5207

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5208

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5209

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5210

# If the context is set but:

5211

#

5212

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5213

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5214

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5215

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5216

#

5217

# Note that case (1) is expected when an `InfoTypeTransformation` is

5218

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5219

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5220

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5221

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

5222

# a key encryption key (KEK) stored by KMS).

5223

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5224

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5225

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5226

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5227

# leaking the key. Choose another type of key if possible.

5228

"key": "A String", # Required. A 128/192/256 bit key.

5229

},

5230

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5231

# It will be discarded after the request finishes.

5232

"name": "A String", # Required. Name of the key.

5233

# This is an arbitrary string used to differentiate different keys.

5234

# A unique key is generated per name: two separate `TransientCryptoKey`

5235

# protos share the same generated key if their names are the same.

5236

# When the data crypto key is generated, this name is not used in any way

5237

# (repeating the api call will result in a different key being generated).

5238

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5239

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5240

# The wrapped key must be a 128/192/256 bit key.

5241

# Authorization requires the following IAM permissions when sending a request

5242

# to perform a crypto transformation using a kms-wrapped crypto key:

5243

# dlp.kms.encrypt

5244

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5245

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5246

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5247

},

5248

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5249

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5250

# replacement values are dynamically provided by the user for custom behavior,

5251

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

5252

# This can be used on

5253

# data of type: number, long, string, timestamp.

5254

# If the bound `Value` type differs from the type of data being transformed, we

5255

# will first attempt converting the type of the data to be transformed to match

5256

# the type of the bound before comparing.

5257

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5258

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5259

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5260

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

5261

# the default behavior will be to hyphenate the min-max range.

5262

# Note that for the purposes of inspection or transformation, the number

5263

# of bytes considered to comprise a 'Value' is based on its representation

5264

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5265

# 123456789, the number of bytes would be counted as 9, even though an

5266

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5267

"timestampValue": "A String", # timestamp

5268

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5269

# and time zone are either specified elsewhere or are not significant. The date

5270

# is relative to the Proleptic Gregorian Calendar. This can represent:

5271

#

5272

# * A full date, with non-zero year, month and day values

5273

# * A month and day value, with a zero year, e.g. an anniversary

5274

# * A year on its own, with zero month and day values

5275

# * A year and month value, with a zero day, e.g. a credit card expiration date

5276

#

5277

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5278

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5279

# a year.

5280

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5281

# month and day.

5282

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5283

# if specifying a year by itself or a year and month where the day is not

5284

# significant.

5285

},

5286

"stringValue": "A String", # string

5287

"integerValue": "A String", # integer

5288

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5289

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5290

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5291

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5292

# to allow the value "24:00:00" for scenarios like business closing time.

5293

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5294

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5295

# allow the value 60 if it allows leap-seconds.

5296

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5297

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5298

"booleanValue": True or False, # boolean

5299

"floatValue": 3.14, # float

5300

"dayOfWeekValue": "A String", # day of week

5301

},

5302

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

5303

# used.

5304

# Note that for the purposes of inspection or transformation, the number

5305

# of bytes considered to comprise a 'Value' is based on its representation

5306

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5307

# 123456789, the number of bytes would be counted as 9, even though an

5308

# int64 only holds up to 8 bytes of data.

5309

"timestampValue": "A String", # timestamp

5310

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5311

# and time zone are either specified elsewhere or are not significant. The date

5312

# is relative to the Proleptic Gregorian Calendar. This can represent:

5313

#

5314

# * A full date, with non-zero year, month and day values

5315

# * A month and day value, with a zero year, e.g. an anniversary

5316

# * A year on its own, with zero month and day values

5317

# * A year and month value, with a zero day, e.g. a credit card expiration date

5318

#

5319

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5320

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5321

# a year.

5322

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5323

# month and day.

5324

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5325

# if specifying a year by itself or a year and month where the day is not

5326

# significant.

5327

},

5328

"stringValue": "A String", # string

5329

"integerValue": "A String", # integer

5330

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5331

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5332

# types are google.type.Date and `google.protobuf.Timestamp`.

5333

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5334

# to allow the value "24:00:00" for scenarios like business closing time.

5335

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5336

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5337

# allow the value 60 if it allows leap-seconds.

5338

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5339

},

5340

"booleanValue": True or False, # boolean

5341

"floatValue": 3.14, # float

5342

"dayOfWeekValue": "A String", # day of week

5343

},

5344

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

5345

# Note that for the purposes of inspection or transformation, the number

5346

# of bytes considered to comprise a 'Value' is based on its representation

5347

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5348

# 123456789, the number of bytes would be counted as 9, even though an

5349

# int64 only holds up to 8 bytes of data.

5350

"timestampValue": "A String", # timestamp

5351

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5352

# and time zone are either specified elsewhere or are not significant. The date

5353

# is relative to the Proleptic Gregorian Calendar. This can represent:

5354

#

5355

# * A full date, with non-zero year, month and day values

5356

# * A month and day value, with a zero year, e.g. an anniversary

5357

# * A year on its own, with zero month and day values

5358

# * A year and month value, with a zero day, e.g. a credit card expiration date

5359

#

5360

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5361

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5362

# a year.

5363

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5364

# month and day.

5365

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5366

# if specifying a year by itself or a year and month where the day is not

5367

# significant.

5368

},

5369

"stringValue": "A String", # string

5370

"integerValue": "A String", # integer

5371

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5372

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5373

# types are google.type.Date and `google.protobuf.Timestamp`.

5374

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5375

# to allow the value "24:00:00" for scenarios like business closing time.

5376

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5377

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5378

# allow the value 60 if it allows leap-seconds.

5379

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5380

},

5381

"booleanValue": True or False, # boolean

5382

"floatValue": 3.14, # float

5383

"dayOfWeekValue": "A String", # day of week

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5388

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

5389

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

5390

# output would be 'My phone number is '.

5391

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5392

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

5393

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5394

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5395

# of bytes considered to comprise a 'Value' is based on its representation

5396

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5397

# 123456789, the number of bytes would be counted as 9, even though an

5398

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5399

"timestampValue": "A String", # timestamp

5400

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5401

# and time zone are either specified elsewhere or are not significant. The date

5402

# is relative to the Proleptic Gregorian Calendar. This can represent:

5403

#

5404

# * A full date, with non-zero year, month and day values

5405

# * A month and day value, with a zero year, e.g. an anniversary

5406

# * A year on its own, with zero month and day values

5407

# * A year and month value, with a zero day, e.g. a credit card expiration date

5408

#

5409

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5410

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5411

# a year.

5412

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

5413

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5414

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5415

# if specifying a year by itself or a year and month where the day is not

5416

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5417

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5418

"stringValue": "A String", # string

5419

"integerValue": "A String", # integer

5420

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5421

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5422

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5423

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5424

# to allow the value "24:00:00" for scenarios like business closing time.

5425

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5426

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5427

# allow the value 60 if it allows leap-seconds.

5428

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5429

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5430

"booleanValue": True or False, # boolean

5431

"floatValue": 3.14, # float

5432

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5433

},

5434

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5435

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

5436

# Bucketing transformation can provide all of this functionality,

5437

# but requires more configuration. This message is provided as a convenience to

5438

# the user for simple bucketing strategies.

5439

#

5440

# The transformed value will be a hyphenated string of

5441

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

5442

# all values that are within this bucket will be replaced with "10-20".

5443

#

5444

# This can be used on data of type: double, long.

5445

#

5446

# If the bound Value type differs from the type of data

5447

# being transformed, we will first attempt converting the type of the data to

5448

# be transformed to match the type of the bound before comparing.

5449

#

5450

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5451

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

5452

# grouped together into a single bucket; for example if `upper_bound` = 89,

5453

# then all values greater than 89 are replaced with the value "89+".

5454

# Note that for the purposes of inspection or transformation, the number

5455

# of bytes considered to comprise a 'Value' is based on its representation

5456

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5457

# 123456789, the number of bytes would be counted as 9, even though an

5458

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5459

"timestampValue": "A String", # timestamp

5460

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5461

# and time zone are either specified elsewhere or are not significant. The date

5462

# is relative to the Proleptic Gregorian Calendar. This can represent:

5463

#

5464

# * A full date, with non-zero year, month and day values

5465

# * A month and day value, with a zero year, e.g. an anniversary

5466

# * A year on its own, with zero month and day values

5467

# * A year and month value, with a zero day, e.g. a credit card expiration date

5468

#

5469

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5470

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5471

# a year.

5472

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5473

# month and day.

5474

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5475

# if specifying a year by itself or a year and month where the day is not

5476

# significant.

5477

},

5478

"stringValue": "A String", # string

5479

"integerValue": "A String", # integer

5480

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5481

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5482

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5483

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5484

# to allow the value "24:00:00" for scenarios like business closing time.

5485

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5486

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5487

# allow the value 60 if it allows leap-seconds.

5488

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5489

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5490

"booleanValue": True or False, # boolean

5491

"floatValue": 3.14, # float

5492

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5493

},

5494

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

5495

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

5496

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

5497

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5498

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

5499

# grouped together into a single bucket; for example if `lower_bound` = 10,

5500

# then all values less than 10 are replaced with the value "-10".

5501

# Note that for the purposes of inspection or transformation, the number

5502

# of bytes considered to comprise a 'Value' is based on its representation

5503

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5504

# 123456789, the number of bytes would be counted as 9, even though an

5505

# int64 only holds up to 8 bytes of data.

5506

"timestampValue": "A String", # timestamp

5507

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5508

# and time zone are either specified elsewhere or are not significant. The date

5509

# is relative to the Proleptic Gregorian Calendar. This can represent:

5510

#

5511

# * A full date, with non-zero year, month and day values

5512

# * A month and day value, with a zero year, e.g. an anniversary

5513

# * A year on its own, with zero month and day values

5514

# * A year and month value, with a zero day, e.g. a credit card expiration date

5515

#

5516

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5517

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5518

# a year.

5519

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5520

# month and day.

5521

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5522

# if specifying a year by itself or a year and month where the day is not

5523

# significant.

5524

},

5525

"stringValue": "A String", # string

5526

"integerValue": "A String", # integer

5527

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5528

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5529

# types are google.type.Date and `google.protobuf.Timestamp`.

5530

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5531

# to allow the value "24:00:00" for scenarios like business closing time.

5532

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5533

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5534

# allow the value 60 if it allows leap-seconds.

5535

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5536

},

5537

"booleanValue": True or False, # boolean

5538

"floatValue": 3.14, # float

5539

"dayOfWeekValue": "A String", # day of week

5540

},

5541

},

5542

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

5543

# fixed character. Masking can start from the beginning or end of the string.

5544

# This can be used on data of any type (numbers, longs, and so on) and when

5545

# de-identifying structured data we'll attempt to preserve the original data's

5546

# type. (This allows you to take a long like 123 and modify it to a string like

5547

# **3.

5548

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

5549

# characters. For example, if the input string is `555-555-5555` and you

5550

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

5551

# returns `***-**5-5555`.

5552

{ # Characters to skip when doing deidentification of a value. These will be left

5553

# alone and skipped.

5554

"charactersToSkip": "A String", # Characters to not transform when masking.

5555

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

5560

# masked. Skipped characters do not count towards this tally.

5561

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

5562

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

5563

# code or credit card number. This string must have a length of 1. If not

5564

# supplied, this value defaults to `*` for strings, and `0` for digits.

5565

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

5566

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

5567

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

5568

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

5569

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5570

},

5571

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5572

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

5573

# this transformation to apply to all findings that correspond to

5574

# infoTypes that were requested in `InspectConfig`.

5575

{ # Type of information detected by the API.

5576

"name": "A String", # Name of the information type. Either a name of your choosing when

5577

# creating a CustomInfoType, or one of the names listed

5578

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5579

# a built-in type. InfoType names should conform to the pattern

5580

# `[a-zA-Z0-9_]{1,64}`.

5581

},

5582

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

5587

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

5588

# portion of the value.

5589

"partToExtract": "A String", # The part of the time to keep.

5590

},

5591

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

5592

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

5593

# to learn more.

5594

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

5595

# If set, must also set cryptoKey. If set, shift will be consistent for the

5596

# given context.

5597

"name": "A String", # Name describing the field.

5598

},

5599

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

5600

# range (inclusive ends). Negative means shift to earlier in time. Must not

5601

# be more than 365250 days (1000 years) each direction.

5602

#

5603

# For example, 3 means shift date to at most 3 days into the future.

5604

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

5605

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

5606

# results in the same shift for the same context and crypto_key. If

5607

# set, must also set context. Can only be applied to table items.

5608

# a key encryption key (KEK) stored by KMS).

5609

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5610

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5611

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5612

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5613

# leaking the key. Choose another type of key if possible.

5614

"key": "A String", # Required. A 128/192/256 bit key.

5615

},

5616

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5617

# It will be discarded after the request finishes.

5618

"name": "A String", # Required. Name of the key.

5619

# This is an arbitrary string used to differentiate different keys.

5620

# A unique key is generated per name: two separate `TransientCryptoKey`

5621

# protos share the same generated key if their names are the same.

5622

# When the data crypto key is generated, this name is not used in any way

5623

# (repeating the api call will result in a different key being generated).

5624

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5625

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5626

# The wrapped key must be a 128/192/256 bit key.

5627

# Authorization requires the following IAM permissions when sending a request

5628

# to perform a crypto transformation using a kms-wrapped crypto key:

5629

# dlp.kms.encrypt

5630

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5631

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5632

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5633

},

5634

},

5635

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5636

},

5637

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5638

# Uses SHA-256.

5639

# The key size must be either 32 or 64 bytes.

5640

# Outputs a base64 encoded representation of the hashed output

5641

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5642

# Currently, only string and integer values can be hashed.

5643

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5644

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5645

# a key encryption key (KEK) stored by KMS).

5646

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5647

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5648

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5649

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5650

# leaking the key. Choose another type of key if possible.

5651

"key": "A String", # Required. A 128/192/256 bit key.

5652

},

5653

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5654

# It will be discarded after the request finishes.

5655

"name": "A String", # Required. Name of the key.

5656

# This is an arbitrary string used to differentiate different keys.

5657

# A unique key is generated per name: two separate `TransientCryptoKey`

5658

# protos share the same generated key if their names are the same.

5659

# When the data crypto key is generated, this name is not used in any way

5660

# (repeating the api call will result in a different key being generated).

5661

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5662

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5663

# The wrapped key must be a 128/192/256 bit key.

5664

# Authorization requires the following IAM permissions when sending a request

5665

# to perform a crypto transformation using a kms-wrapped crypto key:

5666

# dlp.kms.encrypt

5667

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5668

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5669

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5670

},

5671

},

5672

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5673

# (FPE) with the FFX mode of operation; however when used in the

5674

# `ReidentifyContent` API method, it serves the opposite function by reversing

5675

# the surrogate back into the original identifier. The identifier must be

5676

# encoded as ASCII. For a given crypto key and context, the same identifier

5677

# will be replaced with the same surrogate. Identifiers must be at least two

5678

# characters long. In the case that the identifier is the empty string, it will

5679

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5680

# more.

5681

#

5682

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5683

# do not require preserving the input alphabet space and size, plus warrant

5684

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5685

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5686

# This annotation will be applied to the surrogate by prefixing it with

5687

# the name of the custom infoType followed by the number of

5688

# characters comprising the surrogate. The following scheme defines the

5689

# format: info_type_name(surrogate_character_count):surrogate

5690

#

5691

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5692

# the surrogate is 'abc', the full replacement value

5693

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5694

#

5695

# This annotation identifies the surrogate when inspecting content using the

5696

# custom infoType

5697

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

5698

# This facilitates reversal of the surrogate when it occurs in free text.

5699

#

5700

# In order for inspection to work properly, the name of this infoType must

5701

# not occur naturally anywhere in your data; otherwise, inspection may

5702

# find a surrogate that does not correspond to an actual identifier.

5703

# Therefore, choose your custom infoType name carefully after considering

5704

# what your data looks like. One way to select a name that has a high chance

5705

# of yielding reliable detection is to include one or more unicode characters

5706

# that are highly improbable to exist in your data.

5707

# For example, assuming your data is entered from a regular ASCII keyboard,

5708

# the symbol with the hex code point 29DD might be used like so:

5709

# ⧝MY_TOKEN_TYPE

5710

"name": "A String", # Name of the information type. Either a name of your choosing when

5711

# creating a CustomInfoType, or one of the names listed

5712

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5713

# a built-in type. InfoType names should conform to the pattern

5714

# `[a-zA-Z0-9_]{1,64}`.

5715

},

5716

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

5717

# identifier in two different contexts won't be given the same surrogate. If

5718

# the context is not set, a default tweak will be used.

5719

#

5720

# If the context is set but:

5721

#

5722

# 1. there is no record present when transforming a given value or

5723

# 1. the field is not present when transforming a given value,

5724

#

5725

# a default tweak will be used.

5726

#

5727

# Note that case (1) is expected when an `InfoTypeTransformation` is

5728

# applied to both structured and non-structured `ContentItem`s.

5729

# Currently, the referenced field may be of value type integer or string.

5730

#

5731

# The tweak is constructed as a sequence of bytes in big endian byte order

5732

# such that:

5733

#

5734

# - a 64 bit integer is encoded followed by a single byte of value 1

5735

# - a string is encoded in UTF-8 format followed by a single byte of value 2

5736

"name": "A String", # Name describing the field.

5737

},

5738

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

5739

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

5740

# a key encryption key (KEK) stored by KMS).

5741

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5742

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5743

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5744

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5745

# leaking the key. Choose another type of key if possible.

5746

"key": "A String", # Required. A 128/192/256 bit key.

5747

},

5748

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5749

# It will be discarded after the request finishes.

5750

"name": "A String", # Required. Name of the key.

5751

# This is an arbitrary string used to differentiate different keys.

5752

# A unique key is generated per name: two separate `TransientCryptoKey`

5753

# protos share the same generated key if their names are the same.

5754

# When the data crypto key is generated, this name is not used in any way

5755

# (repeating the api call will result in a different key being generated).

5756

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5757

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5758

# The wrapped key must be a 128/192/256 bit key.

5759

# Authorization requires the following IAM permissions when sending a request

5760

# to perform a crypto transformation using a kms-wrapped crypto key:

5761

# dlp.kms.encrypt

5762

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5763

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5764

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5765

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5766

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5767

# that the FFX mode natively supports. This happens before/after

5768

# encryption/decryption.

5769

# Each character listed must appear only once.

5770

# Number of characters must be in the range [2, 95].

5771

# This must be encoded as ASCII.

5772

# The order of characters does not matter.

5773

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5774

},

5775

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

5776

# input. Outputs a base64 encoded representation of the encrypted output.

5777

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

5778

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

5779

# This annotation will be applied to the surrogate by prefixing it with

5780

# the name of the custom info type followed by the number of

5781

# characters comprising the surrogate. The following scheme defines the

5782

# format: {info type name}({surrogate character count}):{surrogate}

5783

#

5784

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

5785

# the surrogate is 'abc', the full replacement value

5786

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5787

#

5788

# This annotation identifies the surrogate when inspecting content using the

5789

# custom info type 'Surrogate'. This facilitates reversal of the

5790

# surrogate when it occurs in free text.

5791

#

5792

# Note: For record transformations where the entire cell in a table is being

5793

# transformed, surrogates are not mandatory. Surrogates are used to denote

5794

# the location of the token and are necessary for re-identification in free

5795

# form text.

5796

#

5797

# In order for inspection to work properly, the name of this info type must

5798

# not occur naturally anywhere in your data; otherwise, inspection may either

5799

#

5800

# - reverse a surrogate that does not correspond to an actual identifier

5801

# - be unable to parse the surrogate and result in an error

5802

#

5803

# Therefore, choose your custom info type name carefully after considering

5804

# what your data looks like. One way to select a name that has a high chance

5805

# of yielding reliable detection is to include one or more unicode characters

5806

# that are highly improbable to exist in your data.

5807

# For example, assuming your data is entered from a regular ASCII keyboard,

5808

# the symbol with the hex code point 29DD might be used like so:

5809

# ⧝MY_TOKEN_TYPE.

5810

"name": "A String", # Name of the information type. Either a name of your choosing when

5811

# creating a CustomInfoType, or one of the names listed

5812

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5813

# a built-in type. InfoType names should conform to the pattern

5814

# `[a-zA-Z0-9_]{1,64}`.

5815

},

5816

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

5817

# referential integrity such that the same identifier in two different

5818

# contexts will be given a distinct surrogate. The context is appended to

5819

# plaintext value being encrypted. On decryption the provided context is

5820

# validated against the value used during encryption. If a context was

5821

# provided during encryption, same context must be provided during decryption

5822

# as well.

5823

#

5824

# If the context is not set, plaintext would be used as is for encryption.

5825

# If the context is set but:

5826

#

5827

# 1. there is no record present when transforming a given value or

5828

# 2. the field is not present when transforming a given value,

5829

#

5830

# plaintext would be used as is for encryption.

5831

#

5832

# Note that case (1) is expected when an `InfoTypeTransformation` is

5833

# applied to both structured and non-structured `ContentItem`s.

5834

"name": "A String", # Name describing the field.

5835

},

5836

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

5837

# a key encryption key (KEK) stored by KMS).

5838

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5839

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5840

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5841

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5842

# leaking the key. Choose another type of key if possible.

5843

"key": "A String", # Required. A 128/192/256 bit key.

5844

},

5845

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5846

# It will be discarded after the request finishes.

5847

"name": "A String", # Required. Name of the key.

5848

# This is an arbitrary string used to differentiate different keys.

5849

# A unique key is generated per name: two separate `TransientCryptoKey`

5850

# protos share the same generated key if their names are the same.

5851

# When the data crypto key is generated, this name is not used in any way

5852

# (repeating the api call will result in a different key being generated).

5853

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5854

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5855

# The wrapped key must be a 128/192/256 bit key.

5856

# Authorization requires the following IAM permissions when sending a request

5857

# to perform a crypto transformation using a kms-wrapped crypto key:

5858

# dlp.kms.encrypt

5859

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5860

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5861

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5862

},

5863

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5864

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

5865

# replacement values are dynamically provided by the user for custom behavior,

5866

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

5867

# This can be used on

5868

# data of type: number, long, string, timestamp.

5869

# If the bound `Value` type differs from the type of data being transformed, we

5870

# will first attempt converting the type of the data to be transformed to match

5871

# the type of the bound before comparing.

5872

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

5873

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

5874

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5875

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

5876

# the default behavior will be to hyphenate the min-max range.

5877

# Note that for the purposes of inspection or transformation, the number

5878

# of bytes considered to comprise a 'Value' is based on its representation

5879

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5880

# 123456789, the number of bytes would be counted as 9, even though an

5881

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5882

"timestampValue": "A String", # timestamp

5883

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5884

# and time zone are either specified elsewhere or are not significant. The date

5885

# is relative to the Proleptic Gregorian Calendar. This can represent:

5886

#

5887

# * A full date, with non-zero year, month and day values

5888

# * A month and day value, with a zero year, e.g. an anniversary

5889

# * A year on its own, with zero month and day values

5890

# * A year and month value, with a zero day, e.g. a credit card expiration date

5891

#

5892

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5893

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5894

# a year.

5895

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5896

# month and day.

5897

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5898

# if specifying a year by itself or a year and month where the day is not

5899

# significant.

5900

},

5901

"stringValue": "A String", # string

5902

"integerValue": "A String", # integer

5903

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5904

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5905

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

5906

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5907

# to allow the value "24:00:00" for scenarios like business closing time.

5908

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5909

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5910

# allow the value 60 if it allows leap-seconds.

5911

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5912

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

5913

"booleanValue": True or False, # boolean

5914

"floatValue": 3.14, # float

5915

"dayOfWeekValue": "A String", # day of week

5916

},

5917

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

5918

# used.

5919

# Note that for the purposes of inspection or transformation, the number

5920

# of bytes considered to comprise a 'Value' is based on its representation

5921

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5922

# 123456789, the number of bytes would be counted as 9, even though an

5923

# int64 only holds up to 8 bytes of data.

5924

"timestampValue": "A String", # timestamp

5925

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5926

# and time zone are either specified elsewhere or are not significant. The date

5927

# is relative to the Proleptic Gregorian Calendar. This can represent:

5928

#

5929

# * A full date, with non-zero year, month and day values

5930

# * A month and day value, with a zero year, e.g. an anniversary

5931

# * A year on its own, with zero month and day values

5932

# * A year and month value, with a zero day, e.g. a credit card expiration date

5933

#

5934

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5935

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5936

# a year.

5937

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5938

# month and day.

5939

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5940

# if specifying a year by itself or a year and month where the day is not

5941

# significant.

5942

},

5943

"stringValue": "A String", # string

5944

"integerValue": "A String", # integer

5945

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5946

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5947

# types are google.type.Date and `google.protobuf.Timestamp`.

5948

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5949

# to allow the value "24:00:00" for scenarios like business closing time.

5950

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5951

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5952

# allow the value 60 if it allows leap-seconds.

5953

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5954

},

5955

"booleanValue": True or False, # boolean

5956

"floatValue": 3.14, # float

5957

"dayOfWeekValue": "A String", # day of week

5958

},

5959

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

5960

# Note that for the purposes of inspection or transformation, the number

5961

# of bytes considered to comprise a 'Value' is based on its representation

5962

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5963

# 123456789, the number of bytes would be counted as 9, even though an

5964

# int64 only holds up to 8 bytes of data.

5965

"timestampValue": "A String", # timestamp

5966

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5967

# and time zone are either specified elsewhere or are not significant. The date

5968

# is relative to the Proleptic Gregorian Calendar. This can represent:

5969

#

5970

# * A full date, with non-zero year, month and day values

5971

# * A month and day value, with a zero year, e.g. an anniversary

5972

# * A year on its own, with zero month and day values

5973

# * A year and month value, with a zero day, e.g. a credit card expiration date

5974

#

5975

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5976

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5977

# a year.

5978

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5979

# month and day.

5980

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5981

# if specifying a year by itself or a year and month where the day is not

5982

# significant.

5983

},

5984

"stringValue": "A String", # string

5985

"integerValue": "A String", # integer

5986

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5987

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5988

# types are google.type.Date and `google.protobuf.Timestamp`.

5989

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5990

# to allow the value "24:00:00" for scenarios like business closing time.

5991

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5992

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5993

# allow the value 60 if it allows leap-seconds.

5994

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5995

},

5996

"booleanValue": True or False, # boolean

5997

"floatValue": 3.14, # float

5998

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

5999

},

6000

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6001

],

6002

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6003

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6004

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6005

# output would be 'My phone number is '.

6006

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6007

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6008

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6009

# Note that for the purposes of inspection or transformation, the number

6010

# of bytes considered to comprise a 'Value' is based on its representation

6011

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6012

# 123456789, the number of bytes would be counted as 9, even though an

6013

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6014

"timestampValue": "A String", # timestamp

6015

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6016

# and time zone are either specified elsewhere or are not significant. The date

6017

# is relative to the Proleptic Gregorian Calendar. This can represent:

6018

#

6019

# * A full date, with non-zero year, month and day values

6020

# * A month and day value, with a zero year, e.g. an anniversary

6021

# * A year on its own, with zero month and day values

6022

# * A year and month value, with a zero day, e.g. a credit card expiration date

6023

#

6024

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6025

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6026

# a year.

6027

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6028

# month and day.

6029

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6030

# if specifying a year by itself or a year and month where the day is not

6031

# significant.

6032

},

6033

"stringValue": "A String", # string

6034

"integerValue": "A String", # integer

6035

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6036

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6037

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6038

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6039

# to allow the value "24:00:00" for scenarios like business closing time.

6040

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6041

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6042

# allow the value 60 if it allows leap-seconds.

6043

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6044

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6045

"booleanValue": True or False, # boolean

6046

"floatValue": 3.14, # float

6047

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6048

},

6049

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6050

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6051

# Bucketing transformation can provide all of this functionality,

6052

# but requires more configuration. This message is provided as a convenience to

6053

# the user for simple bucketing strategies.

6054

#

6055

# The transformed value will be a hyphenated string of

6056

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6057

# all values that are within this bucket will be replaced with "10-20".

6058

#

6059

# This can be used on data of type: double, long.

6060

#

6061

# If the bound Value type differs from the type of data

6062

# being transformed, we will first attempt converting the type of the data to

6063

# be transformed to match the type of the bound before comparing.

6064

#

6065

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6066

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

6067

# grouped together into a single bucket; for example if `upper_bound` = 89,

6068

# then all values greater than 89 are replaced with the value "89+".

6069

# Note that for the purposes of inspection or transformation, the number

6070

# of bytes considered to comprise a 'Value' is based on its representation

6071

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6072

# 123456789, the number of bytes would be counted as 9, even though an

6073

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6074

"timestampValue": "A String", # timestamp

6075

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6076

# and time zone are either specified elsewhere or are not significant. The date

6077

# is relative to the Proleptic Gregorian Calendar. This can represent:

6078

#

6079

# * A full date, with non-zero year, month and day values

6080

# * A month and day value, with a zero year, e.g. an anniversary

6081

# * A year on its own, with zero month and day values

6082

# * A year and month value, with a zero day, e.g. a credit card expiration date

6083

#

6084

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6085

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6086

# a year.

6087

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6088

# month and day.

6089

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6090

# if specifying a year by itself or a year and month where the day is not

6091

# significant.

6092

},

6093

"stringValue": "A String", # string

6094

"integerValue": "A String", # integer

6095

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6096

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6097

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6098

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6099

# to allow the value "24:00:00" for scenarios like business closing time.

6100

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6101

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6102

# allow the value 60 if it allows leap-seconds.

6103

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6104

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6105

"booleanValue": True or False, # boolean

6106

"floatValue": 3.14, # float

6107

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6108

},

6109

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

6110

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

6111

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

6112

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6113

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6114

# grouped together into a single bucket; for example if `lower_bound` = 10,

6115

# then all values less than 10 are replaced with the value "-10".

6116

# Note that for the purposes of inspection or transformation, the number

6117

# of bytes considered to comprise a 'Value' is based on its representation

6118

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6119

# 123456789, the number of bytes would be counted as 9, even though an

6120

# int64 only holds up to 8 bytes of data.

6121

"timestampValue": "A String", # timestamp

6122

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6123

# and time zone are either specified elsewhere or are not significant. The date

6124

# is relative to the Proleptic Gregorian Calendar. This can represent:

6125

#

6126

# * A full date, with non-zero year, month and day values

6127

# * A month and day value, with a zero year, e.g. an anniversary

6128

# * A year on its own, with zero month and day values

6129

# * A year and month value, with a zero day, e.g. a credit card expiration date

6130

#

6131

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6132

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6133

# a year.

6134

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6135

# month and day.

6136

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6137

# if specifying a year by itself or a year and month where the day is not

6138

# significant.

6139

},

6140

"stringValue": "A String", # string

6141

"integerValue": "A String", # integer

6142

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6143

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6144

# types are google.type.Date and `google.protobuf.Timestamp`.

6145

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6146

# to allow the value "24:00:00" for scenarios like business closing time.

6147

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6148

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6149

# allow the value 60 if it allows leap-seconds.

6150

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6151

},

6152

"booleanValue": True or False, # boolean

6153

"floatValue": 3.14, # float

6154

"dayOfWeekValue": "A String", # day of week

6155

},

6156

},

6157

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6158

# fixed character. Masking can start from the beginning or end of the string.

6159

# This can be used on data of any type (numbers, longs, and so on) and when

6160

# de-identifying structured data we'll attempt to preserve the original data's

6161

# type. (This allows you to take a long like 123 and modify it to a string like

6162

# **3.

6163

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

6164

# characters. For example, if the input string is `555-555-5555` and you

6165

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

6166

# returns `***-**5-5555`.

6167

{ # Characters to skip when doing deidentification of a value. These will be left

6168

# alone and skipped.

6169

"charactersToSkip": "A String", # Characters to not transform when masking.

6170

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

6175

# masked. Skipped characters do not count towards this tally.

6176

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

6177

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

6178

# code or credit card number. This string must have a length of 1. If not

6179

# supplied, this value defaults to `*` for strings, and `0` for digits.

6180

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

6181

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

6182

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

6183

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

6184

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6185

},

6186

},

6187

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

6188

# given `RecordCondition`. The conditions are allowed to reference fields

6189

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

6194

# column for the same record is within a specific range.

6195

# - Redact a field if the date of birth field is greater than 85.

6196

# a field.

6197

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

6198

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

6199

# only supported value is `AND`.

6200

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

6201

"conditions": [ # A collection of conditions.

6202

{ # The field type of `value` and `field` do not need to match to be

6203

# considered equal, but not all comparisons are possible.

6204

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

6205

# but all other comparisons are invalid with incompatible types.

6206

# A `value` of type:

6207

#

6208

# - `string` can be compared against all other types

6209

# - `boolean` can only be compared against other booleans

6210

# - `integer` can be compared against doubles or a string if the string value

6211

# can be parsed as an integer.

6212

# - `double` can be compared against integers or a string if the string can

6213

# be parsed as a double.

6214

# - `Timestamp` can be compared against strings in RFC 3339 date string

6215

# format.

6216

# - `TimeOfDay` can be compared against timestamps and strings in the format

6217

# of 'HH:mm:ss'.

6218

#

6219

# If we fail to compare do to type mismatch, a warning will be given and

6220

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6221

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

6222

# Note that for the purposes of inspection or transformation, the number

6223

# of bytes considered to comprise a 'Value' is based on its representation

6224

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6225

# 123456789, the number of bytes would be counted as 9, even though an

6226

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6227

"timestampValue": "A String", # timestamp

6228

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6229

# and time zone are either specified elsewhere or are not significant. The date

6230

# is relative to the Proleptic Gregorian Calendar. This can represent:

6231

#

6232

# * A full date, with non-zero year, month and day values

6233

# * A month and day value, with a zero year, e.g. an anniversary

6234

# * A year on its own, with zero month and day values

6235

# * A year and month value, with a zero day, e.g. a credit card expiration date

6236

#

6237

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6238

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6239

# a year.

6240

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6241

# month and day.

6242

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6243

# if specifying a year by itself or a year and month where the day is not

6244

# significant.

6245

},

6246

"stringValue": "A String", # string

6247

"integerValue": "A String", # integer

6248

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6249

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6250

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6251

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6252

# to allow the value "24:00:00" for scenarios like business closing time.

6253

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6254

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6255

# allow the value 60 if it allows leap-seconds.

6256

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6257

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6258

"booleanValue": True or False, # boolean

6259

"floatValue": 3.14, # float

6260

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6261

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6262

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

6263

"name": "A String", # Name describing the field.

6264

},

6265

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6266

},

6267

],

6268

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6269

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6270

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6271

},

6272

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6273

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

6274

# match any suppression rule are omitted from the output.

6275

{ # Configuration to suppress records whose suppression conditions evaluate to

6276

# true.

6277

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

6278

# evaluated to be suppressed from the transformed content.

6279

# a field.

6280

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

6281

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

6282

# only supported value is `AND`.

6283

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

6284

"conditions": [ # A collection of conditions.

6285

{ # The field type of `value` and `field` do not need to match to be

6286

# considered equal, but not all comparisons are possible.

6287

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

6288

# but all other comparisons are invalid with incompatible types.

6289

# A `value` of type:

6290

#

6291

# - `string` can be compared against all other types

6292

# - `boolean` can only be compared against other booleans

6293

# - `integer` can be compared against doubles or a string if the string value

6294

# can be parsed as an integer.

6295

# - `double` can be compared against integers or a string if the string can

6296

# be parsed as a double.

6297

# - `Timestamp` can be compared against strings in RFC 3339 date string

6298

# format.

6299

# - `TimeOfDay` can be compared against timestamps and strings in the format

6300

# of 'HH:mm:ss'.

6301

#

6302

# If we fail to compare do to type mismatch, a warning will be given and

6303

# the condition will evaluate to false.

6304

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

6305

# Note that for the purposes of inspection or transformation, the number

6306

# of bytes considered to comprise a 'Value' is based on its representation

6307

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6308

# 123456789, the number of bytes would be counted as 9, even though an

6309

# int64 only holds up to 8 bytes of data.

6310

"timestampValue": "A String", # timestamp

6311

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6312

# and time zone are either specified elsewhere or are not significant. The date

6313

# is relative to the Proleptic Gregorian Calendar. This can represent:

6314

#

6315

# * A full date, with non-zero year, month and day values

6316

# * A month and day value, with a zero year, e.g. an anniversary

6317

# * A year on its own, with zero month and day values

6318

# * A year and month value, with a zero day, e.g. a credit card expiration date

6319

#

6320

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6321

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6322

# a year.

6323

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6324

# month and day.

6325

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6326

# if specifying a year by itself or a year and month where the day is not

6327

# significant.

6328

},

6329

"stringValue": "A String", # string

6330

"integerValue": "A String", # integer

6331

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6332

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6333

# types are google.type.Date and `google.protobuf.Timestamp`.

6334

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6335

# to allow the value "24:00:00" for scenarios like business closing time.

6336

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6337

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6338

# allow the value 60 if it allows leap-seconds.

6339

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6340

},

6341

"booleanValue": True or False, # boolean

6342

"floatValue": 3.14, # float

6343

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6344

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6345

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

6346

"name": "A String", # Name describing the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6347

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6348

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6349

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6350

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6351

},

6352

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6353

},

6354

},

6355

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6356

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6357

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

}</pre>

</div>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6362

<code class="details" id="list">list(parent, orderBy=None, pageToken=None, locationId=None, pageSize=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6363

<pre>Lists DeidentifyTemplates.

6364

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

6365

more.

6366

6367

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6368

parent: string, Required. The parent resource name, for example projects/my-project-id or

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6369

organizations/my-org-id. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6370

orderBy: string, Comma separated list of fields to order by,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6371

followed by `asc` or `desc` postfix. This list is case-insensitive,

6372

default sorting order is ascending, redundant space characters are

6373

insignificant.

6374

6375

Example: `name asc,update_time, create_time desc`

6376

6377

Supported fields are:

6378

6379

- `create_time`: corresponds to time the template was created.

6380

- `update_time`: corresponds to time the template was last updated.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6381

- `name`: corresponds to template's name.

6382

- `display_name`: corresponds to template's display name.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6383

pageToken: string, Page token to continue retrieval. Comes from previous call

6384

to `ListDeidentifyTemplates`.

6385

locationId: string, The geographic location where deidentifications templates will be retrieved

6386

from. Use `-` for all locations. Reserved for future extensions.

6387

pageSize: integer, Size of the page, can be limited by server. If zero server returns

6388

a page of max size 100.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6389

x__xgafv: string, V1 error format.

6390

Allowed values

6391

1 - v1 error format

6392

2 - v2 error format

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6393

6394

Returns:

6395

An object of the form:

6396

6397

{ # Response message for ListDeidentifyTemplates.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6398

"nextPageToken": "A String", # If the next page is available then the next page token to be used

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6399

# in following ListDeidentifyTemplates request.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6400

"deidentifyTemplates": [ # List of deidentify templates, up to page_size in

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6401

# ListDeidentifyTemplatesRequest.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

6402

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

6403

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

6404

"name": "A String", # Output only. The template name.

6405

#

6406

# The template will have one of the following formats:

6407

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

6408

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

6409

"description": "A String", # Short description (max 256 chars).

6410

"displayName": "A String", # Display name (max 256 chars).

6411

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

6412

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

6413

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6414

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

6415

# transformation everywhere.

6416

# apply various `PrimitiveTransformation`s to each finding, where the

6417

# transformation is applied to only values that were identified as a specific

6418

# info_type.

6419

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

6420

# for a given infoType.

6421

{ # A transformation to apply to text that is identified as a specific

6422

# info_type.

6423

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

6424

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

6425

# portion of the value.

6426

"partToExtract": "A String", # The part of the time to keep.

6427

},

6428

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

6429

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

6430

# to learn more.

6431

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

6432

# If set, must also set cryptoKey. If set, shift will be consistent for the

6433

# given context.

6434

"name": "A String", # Name describing the field.

6435

},

6436

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

6437

# range (inclusive ends). Negative means shift to earlier in time. Must not

6438

# be more than 365250 days (1000 years) each direction.

6439

#

6440

# For example, 3 means shift date to at most 3 days into the future.

6441

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

6442

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

6443

# results in the same shift for the same context and crypto_key. If

6444

# set, must also set context. Can only be applied to table items.

6445

# a key encryption key (KEK) stored by KMS).

6446

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6447

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6448

# unwrap the data crypto key.

6449

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6450

# leaking the key. Choose another type of key if possible.

6451

"key": "A String", # Required. A 128/192/256 bit key.

6452

},

6453

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6454

# It will be discarded after the request finishes.

6455

"name": "A String", # Required. Name of the key.

6456

# This is an arbitrary string used to differentiate different keys.

6457

# A unique key is generated per name: two separate `TransientCryptoKey`

6458

# protos share the same generated key if their names are the same.

6459

# When the data crypto key is generated, this name is not used in any way

6460

# (repeating the api call will result in a different key being generated).

6461

},

6462

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6463

# The wrapped key must be a 128/192/256 bit key.

6464

# Authorization requires the following IAM permissions when sending a request

6465

# to perform a crypto transformation using a kms-wrapped crypto key:

6466

# dlp.kms.encrypt

6467

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6468

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

6473

},

6474

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

6475

# Uses SHA-256.

6476

# The key size must be either 32 or 64 bytes.

6477

# Outputs a base64 encoded representation of the hashed output

6478

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

6479

# Currently, only string and integer values can be hashed.

6480

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

6481

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

6482

# a key encryption key (KEK) stored by KMS).

6483

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6484

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6485

# unwrap the data crypto key.

6486

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6487

# leaking the key. Choose another type of key if possible.

6488

"key": "A String", # Required. A 128/192/256 bit key.

6489

},

6490

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6491

# It will be discarded after the request finishes.

6492

"name": "A String", # Required. Name of the key.

6493

# This is an arbitrary string used to differentiate different keys.

6494

# A unique key is generated per name: two separate `TransientCryptoKey`

6495

# protos share the same generated key if their names are the same.

6496

# When the data crypto key is generated, this name is not used in any way

6497

# (repeating the api call will result in a different key being generated).

6498

},

6499

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6500

# The wrapped key must be a 128/192/256 bit key.

6501

# Authorization requires the following IAM permissions when sending a request

6502

# to perform a crypto transformation using a kms-wrapped crypto key:

6503

# dlp.kms.encrypt

6504

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6505

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

6510

# (FPE) with the FFX mode of operation; however when used in the

6511

# `ReidentifyContent` API method, it serves the opposite function by reversing

6512

# the surrogate back into the original identifier. The identifier must be

6513

# encoded as ASCII. For a given crypto key and context, the same identifier

6514

# will be replaced with the same surrogate. Identifiers must be at least two

6515

# characters long. In the case that the identifier is the empty string, it will

6516

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

6517

# more.

6518

#

6519

# Note: We recommend using CryptoDeterministicConfig for all use cases which

6520

# do not require preserving the input alphabet space and size, plus warrant

6521

# referential integrity.

6522

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

6523

# This annotation will be applied to the surrogate by prefixing it with

6524

# the name of the custom infoType followed by the number of

6525

# characters comprising the surrogate. The following scheme defines the

6526

# format: info_type_name(surrogate_character_count):surrogate

6527

#

6528

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

6529

# the surrogate is 'abc', the full replacement value

6530

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6531

#

6532

# This annotation identifies the surrogate when inspecting content using the

6533

# custom infoType

6534

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

6535

# This facilitates reversal of the surrogate when it occurs in free text.

6536

#

6537

# In order for inspection to work properly, the name of this infoType must

6538

# not occur naturally anywhere in your data; otherwise, inspection may

6539

# find a surrogate that does not correspond to an actual identifier.

6540

# Therefore, choose your custom infoType name carefully after considering

6541

# what your data looks like. One way to select a name that has a high chance

6542

# of yielding reliable detection is to include one or more unicode characters

6543

# that are highly improbable to exist in your data.

6544

# For example, assuming your data is entered from a regular ASCII keyboard,

6545

# the symbol with the hex code point 29DD might be used like so:

6546

# ⧝MY_TOKEN_TYPE

6547

"name": "A String", # Name of the information type. Either a name of your choosing when

6548

# creating a CustomInfoType, or one of the names listed

6549

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6550

# a built-in type. InfoType names should conform to the pattern

6551

# `[a-zA-Z0-9_]{1,64}`.

6552

},

6553

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

6554

# identifier in two different contexts won't be given the same surrogate. If

6555

# the context is not set, a default tweak will be used.

6556

#

6557

# If the context is set but:

6558

#

6559

# 1. there is no record present when transforming a given value or

6560

# 1. the field is not present when transforming a given value,

6561

#

6562

# a default tweak will be used.

6563

#

6564

# Note that case (1) is expected when an `InfoTypeTransformation` is

6565

# applied to both structured and non-structured `ContentItem`s.

6566

# Currently, the referenced field may be of value type integer or string.

6567

#

6568

# The tweak is constructed as a sequence of bytes in big endian byte order

6569

# such that:

6570

#

6571

# - a 64 bit integer is encoded followed by a single byte of value 1

6572

# - a string is encoded in UTF-8 format followed by a single byte of value 2

6573

"name": "A String", # Name describing the field.

6574

},

6575

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

6576

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

6577

# a key encryption key (KEK) stored by KMS).

6578

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6579

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6580

# unwrap the data crypto key.

6581

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6582

# leaking the key. Choose another type of key if possible.

6583

"key": "A String", # Required. A 128/192/256 bit key.

6584

},

6585

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6586

# It will be discarded after the request finishes.

6587

"name": "A String", # Required. Name of the key.

6588

# This is an arbitrary string used to differentiate different keys.

6589

# A unique key is generated per name: two separate `TransientCryptoKey`

6590

# protos share the same generated key if their names are the same.

6591

# When the data crypto key is generated, this name is not used in any way

6592

# (repeating the api call will result in a different key being generated).

6593

},

6594

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6595

# The wrapped key must be a 128/192/256 bit key.

6596

# Authorization requires the following IAM permissions when sending a request

6597

# to perform a crypto transformation using a kms-wrapped crypto key:

6598

# dlp.kms.encrypt

6599

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6600

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6601

},

6602

},

6603

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

6604

# that the FFX mode natively supports. This happens before/after

6605

# encryption/decryption.

6606

# Each character listed must appear only once.

6607

# Number of characters must be in the range [2, 95].

6608

# This must be encoded as ASCII.

6609

# The order of characters does not matter.

6610

"commonAlphabet": "A String", # Common alphabets.

6611

},

6612

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

6613

# input. Outputs a base64 encoded representation of the encrypted output.

6614

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

6615

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

6616

# This annotation will be applied to the surrogate by prefixing it with

6617

# the name of the custom info type followed by the number of

6618

# characters comprising the surrogate. The following scheme defines the

6619

# format: {info type name}({surrogate character count}):{surrogate}

6620

#

6621

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

6622

# the surrogate is 'abc', the full replacement value

6623

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6624

#

6625

# This annotation identifies the surrogate when inspecting content using the

6626

# custom info type 'Surrogate'. This facilitates reversal of the

6627

# surrogate when it occurs in free text.

6628

#

6629

# Note: For record transformations where the entire cell in a table is being

6630

# transformed, surrogates are not mandatory. Surrogates are used to denote

6631

# the location of the token and are necessary for re-identification in free

6632

# form text.

6633

#

6634

# In order for inspection to work properly, the name of this info type must

6635

# not occur naturally anywhere in your data; otherwise, inspection may either

6636

#

6637

# - reverse a surrogate that does not correspond to an actual identifier

6638

# - be unable to parse the surrogate and result in an error

6639

#

6640

# Therefore, choose your custom info type name carefully after considering

6641

# what your data looks like. One way to select a name that has a high chance

6642

# of yielding reliable detection is to include one or more unicode characters

6643

# that are highly improbable to exist in your data.

6644

# For example, assuming your data is entered from a regular ASCII keyboard,

6645

# the symbol with the hex code point 29DD might be used like so:

6646

# ⧝MY_TOKEN_TYPE.

6647

"name": "A String", # Name of the information type. Either a name of your choosing when

6648

# creating a CustomInfoType, or one of the names listed

6649

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6650

# a built-in type. InfoType names should conform to the pattern

6651

# `[a-zA-Z0-9_]{1,64}`.

6652

},

6653

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

6654

# referential integrity such that the same identifier in two different

6655

# contexts will be given a distinct surrogate. The context is appended to

6656

# plaintext value being encrypted. On decryption the provided context is

6657

# validated against the value used during encryption. If a context was

6658

# provided during encryption, same context must be provided during decryption

6659

# as well.

6660

#

6661

# If the context is not set, plaintext would be used as is for encryption.

6662

# If the context is set but:

6663

#

6664

# 1. there is no record present when transforming a given value or

6665

# 2. the field is not present when transforming a given value,

6666

#

6667

# plaintext would be used as is for encryption.

6668

#

6669

# Note that case (1) is expected when an `InfoTypeTransformation` is

6670

# applied to both structured and non-structured `ContentItem`s.

6671

"name": "A String", # Name describing the field.

6672

},

6673

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

6674

# a key encryption key (KEK) stored by KMS).

6675

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6676

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6677

# unwrap the data crypto key.

6678

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6679

# leaking the key. Choose another type of key if possible.

6680

"key": "A String", # Required. A 128/192/256 bit key.

6681

},

6682

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6683

# It will be discarded after the request finishes.

6684

"name": "A String", # Required. Name of the key.

6685

# This is an arbitrary string used to differentiate different keys.

6686

# A unique key is generated per name: two separate `TransientCryptoKey`

6687

# protos share the same generated key if their names are the same.

6688

# When the data crypto key is generated, this name is not used in any way

6689

# (repeating the api call will result in a different key being generated).

6690

},

6691

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6692

# The wrapped key must be a 128/192/256 bit key.

6693

# Authorization requires the following IAM permissions when sending a request

6694

# to perform a crypto transformation using a kms-wrapped crypto key:

6695

# dlp.kms.encrypt

6696

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6697

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

6702

# replacement values are dynamically provided by the user for custom behavior,

6703

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

6704

# This can be used on

6705

# data of type: number, long, string, timestamp.

6706

# If the bound `Value` type differs from the type of data being transformed, we

6707

# will first attempt converting the type of the data to be transformed to match

6708

# the type of the bound before comparing.

6709

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6710

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

6711

{ # Bucket is represented as a range, along with replacement values.

6712

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

6713

# the default behavior will be to hyphenate the min-max range.

6714

# Note that for the purposes of inspection or transformation, the number

6715

# of bytes considered to comprise a 'Value' is based on its representation

6716

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6717

# 123456789, the number of bytes would be counted as 9, even though an

6718

# int64 only holds up to 8 bytes of data.

6719

"timestampValue": "A String", # timestamp

6720

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6721

# and time zone are either specified elsewhere or are not significant. The date

6722

# is relative to the Proleptic Gregorian Calendar. This can represent:

6723

#

6724

# * A full date, with non-zero year, month and day values

6725

# * A month and day value, with a zero year, e.g. an anniversary

6726

# * A year on its own, with zero month and day values

6727

# * A year and month value, with a zero day, e.g. a credit card expiration date

6728

#

6729

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6730

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6731

# a year.

6732

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6733

# month and day.

6734

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6735

# if specifying a year by itself or a year and month where the day is not

6736

# significant.

6737

},

6738

"stringValue": "A String", # string

6739

"integerValue": "A String", # integer

6740

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6741

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6742

# types are google.type.Date and `google.protobuf.Timestamp`.

6743

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6744

# to allow the value "24:00:00" for scenarios like business closing time.

6745

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6746

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6747

# allow the value 60 if it allows leap-seconds.

6748

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6749

},

6750

"booleanValue": True or False, # boolean

6751

"floatValue": 3.14, # float

6752

"dayOfWeekValue": "A String", # day of week

6753

},

6754

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

6755

# used.

6756

# Note that for the purposes of inspection or transformation, the number

6757

# of bytes considered to comprise a 'Value' is based on its representation

6758

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6759

# 123456789, the number of bytes would be counted as 9, even though an

6760

# int64 only holds up to 8 bytes of data.

6761

"timestampValue": "A String", # timestamp

6762

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6763

# and time zone are either specified elsewhere or are not significant. The date

6764

# is relative to the Proleptic Gregorian Calendar. This can represent:

6765

#

6766

# * A full date, with non-zero year, month and day values

6767

# * A month and day value, with a zero year, e.g. an anniversary

6768

# * A year on its own, with zero month and day values

6769

# * A year and month value, with a zero day, e.g. a credit card expiration date

6770

#

6771

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6772

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6773

# a year.

6774

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6775

# month and day.

6776

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6777

# if specifying a year by itself or a year and month where the day is not

6778

# significant.

6779

},

6780

"stringValue": "A String", # string

6781

"integerValue": "A String", # integer

6782

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6783

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6784

# types are google.type.Date and `google.protobuf.Timestamp`.

6785

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6786

# to allow the value "24:00:00" for scenarios like business closing time.

6787

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6788

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6789

# allow the value 60 if it allows leap-seconds.

6790

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6791

},

6792

"booleanValue": True or False, # boolean

6793

"floatValue": 3.14, # float

6794

"dayOfWeekValue": "A String", # day of week

6795

},

6796

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

6797

# Note that for the purposes of inspection or transformation, the number

6798

# of bytes considered to comprise a 'Value' is based on its representation

6799

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6800

# 123456789, the number of bytes would be counted as 9, even though an

6801

# int64 only holds up to 8 bytes of data.

6802

"timestampValue": "A String", # timestamp

6803

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6804

# and time zone are either specified elsewhere or are not significant. The date

6805

# is relative to the Proleptic Gregorian Calendar. This can represent:

6806

#

6807

# * A full date, with non-zero year, month and day values

6808

# * A month and day value, with a zero year, e.g. an anniversary

6809

# * A year on its own, with zero month and day values

6810

# * A year and month value, with a zero day, e.g. a credit card expiration date

6811

#

6812

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6813

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6814

# a year.

6815

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6816

# month and day.

6817

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6818

# if specifying a year by itself or a year and month where the day is not

6819

# significant.

6820

},

6821

"stringValue": "A String", # string

6822

"integerValue": "A String", # integer

6823

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6824

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6825

# types are google.type.Date and `google.protobuf.Timestamp`.

6826

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6827

# to allow the value "24:00:00" for scenarios like business closing time.

6828

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6829

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6830

# allow the value 60 if it allows leap-seconds.

6831

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6832

},

6833

"booleanValue": True or False, # boolean

6834

"floatValue": 3.14, # float

6835

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6841

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6842

# output would be 'My phone number is '.

6843

},

6844

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6845

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6846

# Note that for the purposes of inspection or transformation, the number

6847

# of bytes considered to comprise a 'Value' is based on its representation

6848

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6849

# 123456789, the number of bytes would be counted as 9, even though an

6850

# int64 only holds up to 8 bytes of data.

6851

"timestampValue": "A String", # timestamp

6852

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6853

# and time zone are either specified elsewhere or are not significant. The date

6854

# is relative to the Proleptic Gregorian Calendar. This can represent:

6855

#

6856

# * A full date, with non-zero year, month and day values

6857

# * A month and day value, with a zero year, e.g. an anniversary

6858

# * A year on its own, with zero month and day values

6859

# * A year and month value, with a zero day, e.g. a credit card expiration date

6860

#

6861

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6862

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6863

# a year.

6864

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6865

# month and day.

6866

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6867

# if specifying a year by itself or a year and month where the day is not

6868

# significant.

6869

},

6870

"stringValue": "A String", # string

6871

"integerValue": "A String", # integer

6872

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6873

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6874

# types are google.type.Date and `google.protobuf.Timestamp`.

6875

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6876

# to allow the value "24:00:00" for scenarios like business closing time.

6877

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6878

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6879

# allow the value 60 if it allows leap-seconds.

6880

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6881

},

6882

"booleanValue": True or False, # boolean

6883

"floatValue": 3.14, # float

6884

"dayOfWeekValue": "A String", # day of week

6885

},

6886

},

6887

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6888

# Bucketing transformation can provide all of this functionality,

6889

# but requires more configuration. This message is provided as a convenience to

6890

# the user for simple bucketing strategies.

6891

#

6892

# The transformed value will be a hyphenated string of

6893

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6894

# all values that are within this bucket will be replaced with "10-20".

6895

#

6896

# This can be used on data of type: double, long.

6897

#

6898

# If the bound Value type differs from the type of data

6899

# being transformed, we will first attempt converting the type of the data to

6900

# be transformed to match the type of the bound before comparing.

6901

#

6902

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6903

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

6904

# grouped together into a single bucket; for example if `upper_bound` = 89,

6905

# then all values greater than 89 are replaced with the value "89+".

6906

# Note that for the purposes of inspection or transformation, the number

6907

# of bytes considered to comprise a 'Value' is based on its representation

6908

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6909

# 123456789, the number of bytes would be counted as 9, even though an

6910

# int64 only holds up to 8 bytes of data.

6911

"timestampValue": "A String", # timestamp

6912

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6913

# and time zone are either specified elsewhere or are not significant. The date

6914

# is relative to the Proleptic Gregorian Calendar. This can represent:

6915

#

6916

# * A full date, with non-zero year, month and day values

6917

# * A month and day value, with a zero year, e.g. an anniversary

6918

# * A year on its own, with zero month and day values

6919

# * A year and month value, with a zero day, e.g. a credit card expiration date

6920

#

6921

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6922

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6923

# a year.

6924

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6925

# month and day.

6926

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6927

# if specifying a year by itself or a year and month where the day is not

6928

# significant.

6929

},

6930

"stringValue": "A String", # string

6931

"integerValue": "A String", # integer

6932

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6933

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6934

# types are google.type.Date and `google.protobuf.Timestamp`.

6935

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6936

# to allow the value "24:00:00" for scenarios like business closing time.

6937

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6938

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6939

# allow the value 60 if it allows leap-seconds.

6940

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6941

},

6942

"booleanValue": True or False, # boolean

6943

"floatValue": 3.14, # float

6944

"dayOfWeekValue": "A String", # day of week

6945

},

6946

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

6947

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

6948

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

6949

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

6950

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6951

# grouped together into a single bucket; for example if `lower_bound` = 10,

6952

# then all values less than 10 are replaced with the value "-10".

6953

# Note that for the purposes of inspection or transformation, the number

6954

# of bytes considered to comprise a 'Value' is based on its representation

6955

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6956

# 123456789, the number of bytes would be counted as 9, even though an

6957

# int64 only holds up to 8 bytes of data.

6958

"timestampValue": "A String", # timestamp

6959

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6960

# and time zone are either specified elsewhere or are not significant. The date

6961

# is relative to the Proleptic Gregorian Calendar. This can represent:

6962

#

6963

# * A full date, with non-zero year, month and day values

6964

# * A month and day value, with a zero year, e.g. an anniversary

6965

# * A year on its own, with zero month and day values

6966

# * A year and month value, with a zero day, e.g. a credit card expiration date

6967

#

6968

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6969

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6970

# a year.

6971

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6972

# month and day.

6973

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6974

# if specifying a year by itself or a year and month where the day is not

6975

# significant.

6976

},

6977

"stringValue": "A String", # string

6978

"integerValue": "A String", # integer

6979

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6980

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6981

# types are google.type.Date and `google.protobuf.Timestamp`.

6982

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6983

# to allow the value "24:00:00" for scenarios like business closing time.

6984

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6985

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6986

# allow the value 60 if it allows leap-seconds.

6987

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6988

},

6989

"booleanValue": True or False, # boolean

6990

"floatValue": 3.14, # float

6991

"dayOfWeekValue": "A String", # day of week

6992

},

6993

},

6994

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6995

# fixed character. Masking can start from the beginning or end of the string.

6996

# This can be used on data of any type (numbers, longs, and so on) and when

6997

# de-identifying structured data we'll attempt to preserve the original data's

6998

# type. (This allows you to take a long like 123 and modify it to a string like

6999

# **3.

7000

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7001

# characters. For example, if the input string is `555-555-5555` and you

7002

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7003

# returns `***-**5-5555`.

7004

{ # Characters to skip when doing deidentification of a value. These will be left

7005

# alone and skipped.

7006

"charactersToSkip": "A String", # Characters to not transform when masking.

7007

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7012

# masked. Skipped characters do not count towards this tally.

7013

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7014

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7015

# code or credit card number. This string must have a length of 1. If not

7016

# supplied, this value defaults to `*` for strings, and `0` for digits.

7017

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7018

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7019

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7020

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7021

# is `true`, then the string `12345` is masked as `12***`.

7022

},

7023

},

7024

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7025

# this transformation to apply to all findings that correspond to

7026

# infoTypes that were requested in `InspectConfig`.

7027

{ # Type of information detected by the API.

7028

"name": "A String", # Name of the information type. Either a name of your choosing when

7029

# creating a CustomInfoType, or one of the names listed

7030

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7031

# a built-in type. InfoType names should conform to the pattern

7032

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7038

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

7039

# mode is `TransformationErrorHandling.ThrowError`.

7040

# transformation error occurs when the requested transformation is incompatible

7041

# with the data. For example, trying to de-identify an IP address using a

7042

# `DateShift` transformation would result in a transformation error, since date

7043

# info cannot be extracted from an IP address.

7044

# Information about any incompatible transformations, and how they were

7045

# handled, is returned in the response as part of the

7046

# `TransformationOverviews`.

7047

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

7048

},

7049

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

7050

# cause an error. For example, if a `DateShift` transformation were applied

7051

# an an IP address, this mode would leave the IP address unchanged in the

7052

# response.

7053

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7054

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7055

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7056

# specific locations within structured datasets, such as transforming

7057

# a column within a table.

7058

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7059

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7060

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7061

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7062

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7063

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7064

},

7065

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7066

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7067

# transform content that matches an `InfoType`.

7068

# apply various `PrimitiveTransformation`s to each finding, where the

7069

# transformation is applied to only values that were identified as a specific

7070

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7071

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7072

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7073

{ # A transformation to apply to text that is identified as a specific

7074

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7075

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

7076

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7077

# portion of the value.

7078

"partToExtract": "A String", # The part of the time to keep.

7079

},

7080

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7081

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7082

# to learn more.

7083

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7084

# If set, must also set cryptoKey. If set, shift will be consistent for the

7085

# given context.

7086

"name": "A String", # Name describing the field.

7087

},

7088

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7089

# range (inclusive ends). Negative means shift to earlier in time. Must not

7090

# be more than 365250 days (1000 years) each direction.

7091

#

7092

# For example, 3 means shift date to at most 3 days into the future.

7093

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7094

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7095

# results in the same shift for the same context and crypto_key. If

7096

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7097

# a key encryption key (KEK) stored by KMS).

7098

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7099

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7100

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7101

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7102

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7103

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7104

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7105

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7106

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7107

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7108

# This is an arbitrary string used to differentiate different keys.

7109

# A unique key is generated per name: two separate `TransientCryptoKey`

7110

# protos share the same generated key if their names are the same.

7111

# When the data crypto key is generated, this name is not used in any way

7112

# (repeating the api call will result in a different key being generated).

7113

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7114

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7115

# The wrapped key must be a 128/192/256 bit key.

7116

# Authorization requires the following IAM permissions when sending a request

7117

# to perform a crypto transformation using a kms-wrapped crypto key:

7118

# dlp.kms.encrypt

7119

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7120

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7121

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7122

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7123

},

7124

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7125

},

7126

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7127

# Uses SHA-256.

7128

# The key size must be either 32 or 64 bytes.

7129

# Outputs a base64 encoded representation of the hashed output

7130

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7131

# Currently, only string and integer values can be hashed.

7132

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7133

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7134

# a key encryption key (KEK) stored by KMS).

7135

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7136

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7137

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7138

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7139

# leaking the key. Choose another type of key if possible.

7140

"key": "A String", # Required. A 128/192/256 bit key.

7141

},

7142

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7143

# It will be discarded after the request finishes.

7144

"name": "A String", # Required. Name of the key.

7145

# This is an arbitrary string used to differentiate different keys.

7146

# A unique key is generated per name: two separate `TransientCryptoKey`

7147

# protos share the same generated key if their names are the same.

7148

# When the data crypto key is generated, this name is not used in any way

7149

# (repeating the api call will result in a different key being generated).

7150

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7151

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7152

# The wrapped key must be a 128/192/256 bit key.

7153

# Authorization requires the following IAM permissions when sending a request

7154

# to perform a crypto transformation using a kms-wrapped crypto key:

7155

# dlp.kms.encrypt

7156

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7157

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7158

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7159

},

7160

},

7161

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7162

# (FPE) with the FFX mode of operation; however when used in the

7163

# `ReidentifyContent` API method, it serves the opposite function by reversing

7164

# the surrogate back into the original identifier. The identifier must be

7165

# encoded as ASCII. For a given crypto key and context, the same identifier

7166

# will be replaced with the same surrogate. Identifiers must be at least two

7167

# characters long. In the case that the identifier is the empty string, it will

7168

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7169

# more.

7170

#

7171

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7172

# do not require preserving the input alphabet space and size, plus warrant

7173

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7174

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7175

# This annotation will be applied to the surrogate by prefixing it with

7176

# the name of the custom infoType followed by the number of

7177

# characters comprising the surrogate. The following scheme defines the

7178

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7179

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7180

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7181

# the surrogate is 'abc', the full replacement value

7182

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7183

#

7184

# This annotation identifies the surrogate when inspecting content using the

7185

# custom infoType

7186

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7187

# This facilitates reversal of the surrogate when it occurs in free text.

7188

#

7189

# In order for inspection to work properly, the name of this infoType must

7190

# not occur naturally anywhere in your data; otherwise, inspection may

7191

# find a surrogate that does not correspond to an actual identifier.

7192

# Therefore, choose your custom infoType name carefully after considering

7193

# what your data looks like. One way to select a name that has a high chance

7194

# of yielding reliable detection is to include one or more unicode characters

7195

# that are highly improbable to exist in your data.

7196

# For example, assuming your data is entered from a regular ASCII keyboard,

7197

# the symbol with the hex code point 29DD might be used like so:

7198

# ⧝MY_TOKEN_TYPE

7199

"name": "A String", # Name of the information type. Either a name of your choosing when

7200

# creating a CustomInfoType, or one of the names listed

7201

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7202

# a built-in type. InfoType names should conform to the pattern

7203

# `[a-zA-Z0-9_]{1,64}`.

7204

},

7205

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7206

# identifier in two different contexts won't be given the same surrogate. If

7207

# the context is not set, a default tweak will be used.

7208

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7209

# If the context is set but:

7210

#

7211

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7212

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7213

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7214

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7215

#

7216

# Note that case (1) is expected when an `InfoTypeTransformation` is

7217

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7218

# Currently, the referenced field may be of value type integer or string.

7219

#

7220

# The tweak is constructed as a sequence of bytes in big endian byte order

7221

# such that:

7222

#

7223

# - a 64 bit integer is encoded followed by a single byte of value 1

7224

# - a string is encoded in UTF-8 format followed by a single byte of value 2

7225

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7226

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7227

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

7228

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

7229

# a key encryption key (KEK) stored by KMS).

7230

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7231

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7232

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7233

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7234

# leaking the key. Choose another type of key if possible.

7235

"key": "A String", # Required. A 128/192/256 bit key.

7236

},

7237

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7238

# It will be discarded after the request finishes.

7239

"name": "A String", # Required. Name of the key.

7240

# This is an arbitrary string used to differentiate different keys.

7241

# A unique key is generated per name: two separate `TransientCryptoKey`

7242

# protos share the same generated key if their names are the same.

7243

# When the data crypto key is generated, this name is not used in any way

7244

# (repeating the api call will result in a different key being generated).

7245

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7246

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7247

# The wrapped key must be a 128/192/256 bit key.

7248

# Authorization requires the following IAM permissions when sending a request

7249

# to perform a crypto transformation using a kms-wrapped crypto key:

7250

# dlp.kms.encrypt

7251

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7252

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7253

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7254

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7255

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7256

# that the FFX mode natively supports. This happens before/after

7257

# encryption/decryption.

7258

# Each character listed must appear only once.

7259

# Number of characters must be in the range [2, 95].

7260

# This must be encoded as ASCII.

7261

# The order of characters does not matter.

7262

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7263

},

7264

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

7265

# input. Outputs a base64 encoded representation of the encrypted output.

7266

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

7267

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7268

# This annotation will be applied to the surrogate by prefixing it with

7269

# the name of the custom info type followed by the number of

7270

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7271

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7272

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7273

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

7274

# the surrogate is 'abc', the full replacement value

7275

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7276

#

7277

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7278

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7279

# surrogate when it occurs in free text.

7280

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7281

# Note: For record transformations where the entire cell in a table is being

7282

# transformed, surrogates are not mandatory. Surrogates are used to denote

7283

# the location of the token and are necessary for re-identification in free

7284

# form text.

7285

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7286

# In order for inspection to work properly, the name of this info type must

7287

# not occur naturally anywhere in your data; otherwise, inspection may either

7288

#

7289

# - reverse a surrogate that does not correspond to an actual identifier

7290

# - be unable to parse the surrogate and result in an error

7291

#

7292

# Therefore, choose your custom info type name carefully after considering

7293

# what your data looks like. One way to select a name that has a high chance

7294

# of yielding reliable detection is to include one or more unicode characters

7295

# that are highly improbable to exist in your data.

7296

# For example, assuming your data is entered from a regular ASCII keyboard,

7297

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7298

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7299

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7300

# creating a CustomInfoType, or one of the names listed

7301

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7302

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7303

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7304

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7305

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

7306

# referential integrity such that the same identifier in two different

7307

# contexts will be given a distinct surrogate. The context is appended to

7308

# plaintext value being encrypted. On decryption the provided context is

7309

# validated against the value used during encryption. If a context was

7310

# provided during encryption, same context must be provided during decryption

7311

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7312

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7313

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7314

# If the context is set but:

7315

#

7316

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7317

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7318

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7319

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7320

#

7321

# Note that case (1) is expected when an `InfoTypeTransformation` is

7322

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7323

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7324

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7325

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

7326

# a key encryption key (KEK) stored by KMS).

7327

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7328

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7329

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7330

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7331

# leaking the key. Choose another type of key if possible.

7332

"key": "A String", # Required. A 128/192/256 bit key.

7333

},

7334

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7335

# It will be discarded after the request finishes.

7336

"name": "A String", # Required. Name of the key.

7337

# This is an arbitrary string used to differentiate different keys.

7338

# A unique key is generated per name: two separate `TransientCryptoKey`

7339

# protos share the same generated key if their names are the same.

7340

# When the data crypto key is generated, this name is not used in any way

7341

# (repeating the api call will result in a different key being generated).

7342

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7343

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7344

# The wrapped key must be a 128/192/256 bit key.

7345

# Authorization requires the following IAM permissions when sending a request

7346

# to perform a crypto transformation using a kms-wrapped crypto key:

7347

# dlp.kms.encrypt

7348

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7349

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7350

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7351

},

7352

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7353

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7354

# replacement values are dynamically provided by the user for custom behavior,

7355

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

7356

# This can be used on

7357

# data of type: number, long, string, timestamp.

7358

# If the bound `Value` type differs from the type of data being transformed, we

7359

# will first attempt converting the type of the data to be transformed to match

7360

# the type of the bound before comparing.

7361

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7362

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7363

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7364

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

7365

# the default behavior will be to hyphenate the min-max range.

7366

# Note that for the purposes of inspection or transformation, the number

7367

# of bytes considered to comprise a 'Value' is based on its representation

7368

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7369

# 123456789, the number of bytes would be counted as 9, even though an

7370

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7371

"timestampValue": "A String", # timestamp

7372

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7373

# and time zone are either specified elsewhere or are not significant. The date

7374

# is relative to the Proleptic Gregorian Calendar. This can represent:

7375

#

7376

# * A full date, with non-zero year, month and day values

7377

# * A month and day value, with a zero year, e.g. an anniversary

7378

# * A year on its own, with zero month and day values

7379

# * A year and month value, with a zero day, e.g. a credit card expiration date

7380

#

7381

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7382

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7383

# a year.

7384

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7385

# month and day.

7386

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7387

# if specifying a year by itself or a year and month where the day is not

7388

# significant.

7389

},

7390

"stringValue": "A String", # string

7391

"integerValue": "A String", # integer

7392

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7393

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7394

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7395

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7396

# to allow the value "24:00:00" for scenarios like business closing time.

7397

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7398

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7399

# allow the value 60 if it allows leap-seconds.

7400

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7401

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7402

"booleanValue": True or False, # boolean

7403

"floatValue": 3.14, # float

7404

"dayOfWeekValue": "A String", # day of week

7405

},

7406

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

7407

# used.

7408

# Note that for the purposes of inspection or transformation, the number

7409

# of bytes considered to comprise a 'Value' is based on its representation

7410

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7411

# 123456789, the number of bytes would be counted as 9, even though an

7412

# int64 only holds up to 8 bytes of data.

7413

"timestampValue": "A String", # timestamp

7414

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7415

# and time zone are either specified elsewhere or are not significant. The date

7416

# is relative to the Proleptic Gregorian Calendar. This can represent:

7417

#

7418

# * A full date, with non-zero year, month and day values

7419

# * A month and day value, with a zero year, e.g. an anniversary

7420

# * A year on its own, with zero month and day values

7421

# * A year and month value, with a zero day, e.g. a credit card expiration date

7422

#

7423

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7424

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7425

# a year.

7426

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7427

# month and day.

7428

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7429

# if specifying a year by itself or a year and month where the day is not

7430

# significant.

7431

},

7432

"stringValue": "A String", # string

7433

"integerValue": "A String", # integer

7434

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7435

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7436

# types are google.type.Date and `google.protobuf.Timestamp`.

7437

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7438

# to allow the value "24:00:00" for scenarios like business closing time.

7439

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7440

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7441

# allow the value 60 if it allows leap-seconds.

7442

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7443

},

7444

"booleanValue": True or False, # boolean

7445

"floatValue": 3.14, # float

7446

"dayOfWeekValue": "A String", # day of week

7447

},

7448

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

7449

# Note that for the purposes of inspection or transformation, the number

7450

# of bytes considered to comprise a 'Value' is based on its representation

7451

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7452

# 123456789, the number of bytes would be counted as 9, even though an

7453

# int64 only holds up to 8 bytes of data.

7454

"timestampValue": "A String", # timestamp

7455

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7456

# and time zone are either specified elsewhere or are not significant. The date

7457

# is relative to the Proleptic Gregorian Calendar. This can represent:

7458

#

7459

# * A full date, with non-zero year, month and day values

7460

# * A month and day value, with a zero year, e.g. an anniversary

7461

# * A year on its own, with zero month and day values

7462

# * A year and month value, with a zero day, e.g. a credit card expiration date

7463

#

7464

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7465

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7466

# a year.

7467

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7468

# month and day.

7469

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7470

# if specifying a year by itself or a year and month where the day is not

7471

# significant.

7472

},

7473

"stringValue": "A String", # string

7474

"integerValue": "A String", # integer

7475

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7476

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7477

# types are google.type.Date and `google.protobuf.Timestamp`.

7478

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7479

# to allow the value "24:00:00" for scenarios like business closing time.

7480

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7481

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7482

# allow the value 60 if it allows leap-seconds.

7483

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7484

},

7485

"booleanValue": True or False, # boolean

7486

"floatValue": 3.14, # float

7487

"dayOfWeekValue": "A String", # day of week

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7492

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

7493

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

7494

# output would be 'My phone number is '.

7495

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7496

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

7497

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7498

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7499

# of bytes considered to comprise a 'Value' is based on its representation

7500

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7501

# 123456789, the number of bytes would be counted as 9, even though an

7502

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7503

"timestampValue": "A String", # timestamp

7504

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7505

# and time zone are either specified elsewhere or are not significant. The date

7506

# is relative to the Proleptic Gregorian Calendar. This can represent:

7507

#

7508

# * A full date, with non-zero year, month and day values

7509

# * A month and day value, with a zero year, e.g. an anniversary

7510

# * A year on its own, with zero month and day values

7511

# * A year and month value, with a zero day, e.g. a credit card expiration date

7512

#

7513

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7514

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7515

# a year.

7516

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

7517

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7518

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7519

# if specifying a year by itself or a year and month where the day is not

7520

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

7521

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7522

"stringValue": "A String", # string

7523

"integerValue": "A String", # integer

7524

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7525

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7526

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7527

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7528

# to allow the value "24:00:00" for scenarios like business closing time.

7529

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7530

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7531

# allow the value 60 if it allows leap-seconds.

7532

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7533

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7534

"booleanValue": True or False, # boolean

7535

"floatValue": 3.14, # float

7536

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7537

},

7538

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7539

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

7540

# Bucketing transformation can provide all of this functionality,

7541

# but requires more configuration. This message is provided as a convenience to

7542

# the user for simple bucketing strategies.

7543

#

7544

# The transformed value will be a hyphenated string of

7545

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

7546

# all values that are within this bucket will be replaced with "10-20".

7547

#

7548

# This can be used on data of type: double, long.

7549

#

7550

# If the bound Value type differs from the type of data

7551

# being transformed, we will first attempt converting the type of the data to

7552

# be transformed to match the type of the bound before comparing.

7553

#

7554

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7555

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

7556

# grouped together into a single bucket; for example if `upper_bound` = 89,

7557

# then all values greater than 89 are replaced with the value "89+".

7558

# Note that for the purposes of inspection or transformation, the number

7559

# of bytes considered to comprise a 'Value' is based on its representation

7560

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7561

# 123456789, the number of bytes would be counted as 9, even though an

7562

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7563

"timestampValue": "A String", # timestamp

7564

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7565

# and time zone are either specified elsewhere or are not significant. The date

7566

# is relative to the Proleptic Gregorian Calendar. This can represent:

7567

#

7568

# * A full date, with non-zero year, month and day values

7569

# * A month and day value, with a zero year, e.g. an anniversary

7570

# * A year on its own, with zero month and day values

7571

# * A year and month value, with a zero day, e.g. a credit card expiration date

7572

#

7573

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7574

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7575

# a year.

7576

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7577

# month and day.

7578

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7579

# if specifying a year by itself or a year and month where the day is not

7580

# significant.

7581

},

7582

"stringValue": "A String", # string

7583

"integerValue": "A String", # integer

7584

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7585

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7586

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7587

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7588

# to allow the value "24:00:00" for scenarios like business closing time.

7589

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7590

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7591

# allow the value 60 if it allows leap-seconds.

7592

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7593

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7594

"booleanValue": True or False, # boolean

7595

"floatValue": 3.14, # float

7596

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7597

},

7598

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

7599

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

7600

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

7601

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7602

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

7603

# grouped together into a single bucket; for example if `lower_bound` = 10,

7604

# then all values less than 10 are replaced with the value "-10".

7605

# Note that for the purposes of inspection or transformation, the number

7606

# of bytes considered to comprise a 'Value' is based on its representation

7607

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7608

# 123456789, the number of bytes would be counted as 9, even though an

7609

# int64 only holds up to 8 bytes of data.

7610

"timestampValue": "A String", # timestamp

7611

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7612

# and time zone are either specified elsewhere or are not significant. The date

7613

# is relative to the Proleptic Gregorian Calendar. This can represent:

7614

#

7615

# * A full date, with non-zero year, month and day values

7616

# * A month and day value, with a zero year, e.g. an anniversary

7617

# * A year on its own, with zero month and day values

7618

# * A year and month value, with a zero day, e.g. a credit card expiration date

7619

#

7620

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7621

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7622

# a year.

7623

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7624

# month and day.

7625

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7626

# if specifying a year by itself or a year and month where the day is not

7627

# significant.

7628

},

7629

"stringValue": "A String", # string

7630

"integerValue": "A String", # integer

7631

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7632

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7633

# types are google.type.Date and `google.protobuf.Timestamp`.

7634

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7635

# to allow the value "24:00:00" for scenarios like business closing time.

7636

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7637

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7638

# allow the value 60 if it allows leap-seconds.

7639

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7640

},

7641

"booleanValue": True or False, # boolean

7642

"floatValue": 3.14, # float

7643

"dayOfWeekValue": "A String", # day of week

7644

},

7645

},

7646

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

7647

# fixed character. Masking can start from the beginning or end of the string.

7648

# This can be used on data of any type (numbers, longs, and so on) and when

7649

# de-identifying structured data we'll attempt to preserve the original data's

7650

# type. (This allows you to take a long like 123 and modify it to a string like

7651

# **3.

7652

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7653

# characters. For example, if the input string is `555-555-5555` and you

7654

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7655

# returns `***-**5-5555`.

7656

{ # Characters to skip when doing deidentification of a value. These will be left

7657

# alone and skipped.

7658

"charactersToSkip": "A String", # Characters to not transform when masking.

7659

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7664

# masked. Skipped characters do not count towards this tally.

7665

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7666

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7667

# code or credit card number. This string must have a length of 1. If not

7668

# supplied, this value defaults to `*` for strings, and `0` for digits.

7669

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7670

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7671

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7672

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7673

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7674

},

7675

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7676

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7677

# this transformation to apply to all findings that correspond to

7678

# infoTypes that were requested in `InspectConfig`.

7679

{ # Type of information detected by the API.

7680

"name": "A String", # Name of the information type. Either a name of your choosing when

7681

# creating a CustomInfoType, or one of the names listed

7682

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7683

# a built-in type. InfoType names should conform to the pattern

7684

# `[a-zA-Z0-9_]{1,64}`.

7685

},

7686

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

7691

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7692

# portion of the value.

7693

"partToExtract": "A String", # The part of the time to keep.

7694

},

7695

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7696

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7697

# to learn more.

7698

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7699

# If set, must also set cryptoKey. If set, shift will be consistent for the

7700

# given context.

7701

"name": "A String", # Name describing the field.

7702

},

7703

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7704

# range (inclusive ends). Negative means shift to earlier in time. Must not

7705

# be more than 365250 days (1000 years) each direction.

7706

#

7707

# For example, 3 means shift date to at most 3 days into the future.

7708

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7709

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7710

# results in the same shift for the same context and crypto_key. If

7711

# set, must also set context. Can only be applied to table items.

7712

# a key encryption key (KEK) stored by KMS).

7713

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7714

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7715

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7716

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7717

# leaking the key. Choose another type of key if possible.

7718

"key": "A String", # Required. A 128/192/256 bit key.

7719

},

7720

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7721

# It will be discarded after the request finishes.

7722

"name": "A String", # Required. Name of the key.

7723

# This is an arbitrary string used to differentiate different keys.

7724

# A unique key is generated per name: two separate `TransientCryptoKey`

7725

# protos share the same generated key if their names are the same.

7726

# When the data crypto key is generated, this name is not used in any way

7727

# (repeating the api call will result in a different key being generated).

7728

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7729

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7730

# The wrapped key must be a 128/192/256 bit key.

7731

# Authorization requires the following IAM permissions when sending a request

7732

# to perform a crypto transformation using a kms-wrapped crypto key:

7733

# dlp.kms.encrypt

7734

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7735

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7736

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7737

},

7738

},

7739

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7740

},

7741

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7742

# Uses SHA-256.

7743

# The key size must be either 32 or 64 bytes.

7744

# Outputs a base64 encoded representation of the hashed output

7745

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7746

# Currently, only string and integer values can be hashed.

7747

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7748

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7749

# a key encryption key (KEK) stored by KMS).

7750

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7751

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7752

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7753

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7754

# leaking the key. Choose another type of key if possible.

7755

"key": "A String", # Required. A 128/192/256 bit key.

7756

},

7757

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7758

# It will be discarded after the request finishes.

7759

"name": "A String", # Required. Name of the key.

7760

# This is an arbitrary string used to differentiate different keys.

7761

# A unique key is generated per name: two separate `TransientCryptoKey`

7762

# protos share the same generated key if their names are the same.

7763

# When the data crypto key is generated, this name is not used in any way

7764

# (repeating the api call will result in a different key being generated).

7765

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7766

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7767

# The wrapped key must be a 128/192/256 bit key.

7768

# Authorization requires the following IAM permissions when sending a request

7769

# to perform a crypto transformation using a kms-wrapped crypto key:

7770

# dlp.kms.encrypt

7771

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7772

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7773

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7774

},

7775

},

7776

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7777

# (FPE) with the FFX mode of operation; however when used in the

7778

# `ReidentifyContent` API method, it serves the opposite function by reversing

7779

# the surrogate back into the original identifier. The identifier must be

7780

# encoded as ASCII. For a given crypto key and context, the same identifier

7781

# will be replaced with the same surrogate. Identifiers must be at least two

7782

# characters long. In the case that the identifier is the empty string, it will

7783

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7784

# more.

7785

#

7786

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7787

# do not require preserving the input alphabet space and size, plus warrant

7788

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7789

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7790

# This annotation will be applied to the surrogate by prefixing it with

7791

# the name of the custom infoType followed by the number of

7792

# characters comprising the surrogate. The following scheme defines the

7793

# format: info_type_name(surrogate_character_count):surrogate

7794

#

7795

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7796

# the surrogate is 'abc', the full replacement value

7797

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7798

#

7799

# This annotation identifies the surrogate when inspecting content using the

7800

# custom infoType

7801

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7802

# This facilitates reversal of the surrogate when it occurs in free text.

7803

#

7804

# In order for inspection to work properly, the name of this infoType must

7805

# not occur naturally anywhere in your data; otherwise, inspection may

7806

# find a surrogate that does not correspond to an actual identifier.

7807

# Therefore, choose your custom infoType name carefully after considering

7808

# what your data looks like. One way to select a name that has a high chance

7809

# of yielding reliable detection is to include one or more unicode characters

7810

# that are highly improbable to exist in your data.

7811

# For example, assuming your data is entered from a regular ASCII keyboard,

7812

# the symbol with the hex code point 29DD might be used like so:

7813

# ⧝MY_TOKEN_TYPE

7814

"name": "A String", # Name of the information type. Either a name of your choosing when

7815

# creating a CustomInfoType, or one of the names listed

7816

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7817

# a built-in type. InfoType names should conform to the pattern

7818

# `[a-zA-Z0-9_]{1,64}`.

7819

},

7820

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7821

# identifier in two different contexts won't be given the same surrogate. If

7822

# the context is not set, a default tweak will be used.

7823

#

7824

# If the context is set but:

7825

#

7826

# 1. there is no record present when transforming a given value or

7827

# 1. the field is not present when transforming a given value,

7828

#

7829

# a default tweak will be used.

7830

#

7831

# Note that case (1) is expected when an `InfoTypeTransformation` is

7832

# applied to both structured and non-structured `ContentItem`s.

7833

# Currently, the referenced field may be of value type integer or string.

7834

#

7835

# The tweak is constructed as a sequence of bytes in big endian byte order

7836

# such that:

7837

#

7838

# - a 64 bit integer is encoded followed by a single byte of value 1

7839

# - a string is encoded in UTF-8 format followed by a single byte of value 2

7840

"name": "A String", # Name describing the field.

7841

},

7842

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

7843

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

7844

# a key encryption key (KEK) stored by KMS).

7845

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7846

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7847

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7848

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7849

# leaking the key. Choose another type of key if possible.

7850

"key": "A String", # Required. A 128/192/256 bit key.

7851

},

7852

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7853

# It will be discarded after the request finishes.

7854

"name": "A String", # Required. Name of the key.

7855

# This is an arbitrary string used to differentiate different keys.

7856

# A unique key is generated per name: two separate `TransientCryptoKey`

7857

# protos share the same generated key if their names are the same.

7858

# When the data crypto key is generated, this name is not used in any way

7859

# (repeating the api call will result in a different key being generated).

7860

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7861

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7862

# The wrapped key must be a 128/192/256 bit key.

7863

# Authorization requires the following IAM permissions when sending a request

7864

# to perform a crypto transformation using a kms-wrapped crypto key:

7865

# dlp.kms.encrypt

7866

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7867

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7868

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7869

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7870

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7871

# that the FFX mode natively supports. This happens before/after

7872

# encryption/decryption.

7873

# Each character listed must appear only once.

7874

# Number of characters must be in the range [2, 95].

7875

# This must be encoded as ASCII.

7876

# The order of characters does not matter.

7877

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7878

},

7879

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

7880

# input. Outputs a base64 encoded representation of the encrypted output.

7881

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

7882

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

7883

# This annotation will be applied to the surrogate by prefixing it with

7884

# the name of the custom info type followed by the number of

7885

# characters comprising the surrogate. The following scheme defines the

7886

# format: {info type name}({surrogate character count}):{surrogate}

7887

#

7888

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

7889

# the surrogate is 'abc', the full replacement value

7890

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7891

#

7892

# This annotation identifies the surrogate when inspecting content using the

7893

# custom info type 'Surrogate'. This facilitates reversal of the

7894

# surrogate when it occurs in free text.

7895

#

7896

# Note: For record transformations where the entire cell in a table is being

7897

# transformed, surrogates are not mandatory. Surrogates are used to denote

7898

# the location of the token and are necessary for re-identification in free

7899

# form text.

7900

#

7901

# In order for inspection to work properly, the name of this info type must

7902

# not occur naturally anywhere in your data; otherwise, inspection may either

7903

#

7904

# - reverse a surrogate that does not correspond to an actual identifier

7905

# - be unable to parse the surrogate and result in an error

7906

#

7907

# Therefore, choose your custom info type name carefully after considering

7908

# what your data looks like. One way to select a name that has a high chance

7909

# of yielding reliable detection is to include one or more unicode characters

7910

# that are highly improbable to exist in your data.

7911

# For example, assuming your data is entered from a regular ASCII keyboard,

7912

# the symbol with the hex code point 29DD might be used like so:

7913

# ⧝MY_TOKEN_TYPE.

7914

"name": "A String", # Name of the information type. Either a name of your choosing when

7915

# creating a CustomInfoType, or one of the names listed

7916

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7917

# a built-in type. InfoType names should conform to the pattern

7918

# `[a-zA-Z0-9_]{1,64}`.

7919

},

7920

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

7921

# referential integrity such that the same identifier in two different

7922

# contexts will be given a distinct surrogate. The context is appended to

7923

# plaintext value being encrypted. On decryption the provided context is

7924

# validated against the value used during encryption. If a context was

7925

# provided during encryption, same context must be provided during decryption

7926

# as well.

7927

#

7928

# If the context is not set, plaintext would be used as is for encryption.

7929

# If the context is set but:

7930

#

7931

# 1. there is no record present when transforming a given value or

7932

# 2. the field is not present when transforming a given value,

7933

#

7934

# plaintext would be used as is for encryption.

7935

#

7936

# Note that case (1) is expected when an `InfoTypeTransformation` is

7937

# applied to both structured and non-structured `ContentItem`s.

7938

"name": "A String", # Name describing the field.

7939

},

7940

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

7941

# a key encryption key (KEK) stored by KMS).

7942

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7943

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7944

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7945

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7946

# leaking the key. Choose another type of key if possible.

7947

"key": "A String", # Required. A 128/192/256 bit key.

7948

},

7949

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7950

# It will be discarded after the request finishes.

7951

"name": "A String", # Required. Name of the key.

7952

# This is an arbitrary string used to differentiate different keys.

7953

# A unique key is generated per name: two separate `TransientCryptoKey`

7954

# protos share the same generated key if their names are the same.

7955

# When the data crypto key is generated, this name is not used in any way

7956

# (repeating the api call will result in a different key being generated).

7957

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

7958

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7959

# The wrapped key must be a 128/192/256 bit key.

7960

# Authorization requires the following IAM permissions when sending a request

7961

# to perform a crypto transformation using a kms-wrapped crypto key:

7962

# dlp.kms.encrypt

7963

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7964

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7965

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7966

},

7967

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7968

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

7969

# replacement values are dynamically provided by the user for custom behavior,

7970

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

7971

# This can be used on

7972

# data of type: number, long, string, timestamp.

7973

# If the bound `Value` type differs from the type of data being transformed, we

7974

# will first attempt converting the type of the data to be transformed to match

7975

# the type of the bound before comparing.

7976

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7977

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

7978

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7979

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

7980

# the default behavior will be to hyphenate the min-max range.

7981

# Note that for the purposes of inspection or transformation, the number

7982

# of bytes considered to comprise a 'Value' is based on its representation

7983

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7984

# 123456789, the number of bytes would be counted as 9, even though an

7985

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

7986

"timestampValue": "A String", # timestamp

7987

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7988

# and time zone are either specified elsewhere or are not significant. The date

7989

# is relative to the Proleptic Gregorian Calendar. This can represent:

7990

#

7991

# * A full date, with non-zero year, month and day values

7992

# * A month and day value, with a zero year, e.g. an anniversary

7993

# * A year on its own, with zero month and day values

7994

# * A year and month value, with a zero day, e.g. a credit card expiration date

7995

#

7996

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7997

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7998

# a year.

7999

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8000

# month and day.

8001

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8002

# if specifying a year by itself or a year and month where the day is not

8003

# significant.

8004

},

8005

"stringValue": "A String", # string

8006

"integerValue": "A String", # integer

8007

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8008

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8009

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8010

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8011

# to allow the value "24:00:00" for scenarios like business closing time.

8012

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8013

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8014

# allow the value 60 if it allows leap-seconds.

8015

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8016

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8017

"booleanValue": True or False, # boolean

8018

"floatValue": 3.14, # float

8019

"dayOfWeekValue": "A String", # day of week

8020

},

8021

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8022

# used.

8023

# Note that for the purposes of inspection or transformation, the number

8024

# of bytes considered to comprise a 'Value' is based on its representation

8025

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8026

# 123456789, the number of bytes would be counted as 9, even though an

8027

# int64 only holds up to 8 bytes of data.

8028

"timestampValue": "A String", # timestamp

8029

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8030

# and time zone are either specified elsewhere or are not significant. The date

8031

# is relative to the Proleptic Gregorian Calendar. This can represent:

8032

#

8033

# * A full date, with non-zero year, month and day values

8034

# * A month and day value, with a zero year, e.g. an anniversary

8035

# * A year on its own, with zero month and day values

8036

# * A year and month value, with a zero day, e.g. a credit card expiration date

8037

#

8038

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8039

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8040

# a year.

8041

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8042

# month and day.

8043

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8044

# if specifying a year by itself or a year and month where the day is not

8045

# significant.

8046

},

8047

"stringValue": "A String", # string

8048

"integerValue": "A String", # integer

8049

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8050

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8051

# types are google.type.Date and `google.protobuf.Timestamp`.

8052

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8053

# to allow the value "24:00:00" for scenarios like business closing time.

8054

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8055

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8056

# allow the value 60 if it allows leap-seconds.

8057

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8058

},

8059

"booleanValue": True or False, # boolean

8060

"floatValue": 3.14, # float

8061

"dayOfWeekValue": "A String", # day of week

8062

},

8063

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8064

# Note that for the purposes of inspection or transformation, the number

8065

# of bytes considered to comprise a 'Value' is based on its representation

8066

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8067

# 123456789, the number of bytes would be counted as 9, even though an

8068

# int64 only holds up to 8 bytes of data.

8069

"timestampValue": "A String", # timestamp

8070

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8071

# and time zone are either specified elsewhere or are not significant. The date

8072

# is relative to the Proleptic Gregorian Calendar. This can represent:

8073

#

8074

# * A full date, with non-zero year, month and day values

8075

# * A month and day value, with a zero year, e.g. an anniversary

8076

# * A year on its own, with zero month and day values

8077

# * A year and month value, with a zero day, e.g. a credit card expiration date

8078

#

8079

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8080

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8081

# a year.

8082

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8083

# month and day.

8084

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8085

# if specifying a year by itself or a year and month where the day is not

8086

# significant.

8087

},

8088

"stringValue": "A String", # string

8089

"integerValue": "A String", # integer

8090

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8091

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8092

# types are google.type.Date and `google.protobuf.Timestamp`.

8093

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8094

# to allow the value "24:00:00" for scenarios like business closing time.

8095

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8096

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8097

# allow the value 60 if it allows leap-seconds.

8098

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8099

},

8100

"booleanValue": True or False, # boolean

8101

"floatValue": 3.14, # float

8102

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8103

},

8104

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8105

],

8106

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8107

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8108

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8109

# output would be 'My phone number is '.

8110

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8111

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8112

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8113

# Note that for the purposes of inspection or transformation, the number

8114

# of bytes considered to comprise a 'Value' is based on its representation

8115

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8116

# 123456789, the number of bytes would be counted as 9, even though an

8117

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8118

"timestampValue": "A String", # timestamp

8119

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8120

# and time zone are either specified elsewhere or are not significant. The date

8121

# is relative to the Proleptic Gregorian Calendar. This can represent:

8122

#

8123

# * A full date, with non-zero year, month and day values

8124

# * A month and day value, with a zero year, e.g. an anniversary

8125

# * A year on its own, with zero month and day values

8126

# * A year and month value, with a zero day, e.g. a credit card expiration date

8127

#

8128

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8129

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8130

# a year.

8131

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8132

# month and day.

8133

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8134

# if specifying a year by itself or a year and month where the day is not

8135

# significant.

8136

},

8137

"stringValue": "A String", # string

8138

"integerValue": "A String", # integer

8139

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8140

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8141

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8142

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8143

# to allow the value "24:00:00" for scenarios like business closing time.

8144

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8145

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8146

# allow the value 60 if it allows leap-seconds.

8147

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8148

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8149

"booleanValue": True or False, # boolean

8150

"floatValue": 3.14, # float

8151

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8152

},

8153

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8154

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8155

# Bucketing transformation can provide all of this functionality,

8156

# but requires more configuration. This message is provided as a convenience to

8157

# the user for simple bucketing strategies.

8158

#

8159

# The transformed value will be a hyphenated string of

8160

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8161

# all values that are within this bucket will be replaced with "10-20".

8162

#

8163

# This can be used on data of type: double, long.

8164

#

8165

# If the bound Value type differs from the type of data

8166

# being transformed, we will first attempt converting the type of the data to

8167

# be transformed to match the type of the bound before comparing.

8168

#

8169

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8170

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

8171

# grouped together into a single bucket; for example if `upper_bound` = 89,

8172

# then all values greater than 89 are replaced with the value "89+".

8173

# Note that for the purposes of inspection or transformation, the number

8174

# of bytes considered to comprise a 'Value' is based on its representation

8175

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8176

# 123456789, the number of bytes would be counted as 9, even though an

8177

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8178

"timestampValue": "A String", # timestamp

8179

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8180

# and time zone are either specified elsewhere or are not significant. The date

8181

# is relative to the Proleptic Gregorian Calendar. This can represent:

8182

#

8183

# * A full date, with non-zero year, month and day values

8184

# * A month and day value, with a zero year, e.g. an anniversary

8185

# * A year on its own, with zero month and day values

8186

# * A year and month value, with a zero day, e.g. a credit card expiration date

8187

#

8188

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8189

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8190

# a year.

8191

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8192

# month and day.

8193

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8194

# if specifying a year by itself or a year and month where the day is not

8195

# significant.

8196

},

8197

"stringValue": "A String", # string

8198

"integerValue": "A String", # integer

8199

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8200

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8201

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8202

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8203

# to allow the value "24:00:00" for scenarios like business closing time.

8204

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8205

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8206

# allow the value 60 if it allows leap-seconds.

8207

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8208

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8209

"booleanValue": True or False, # boolean

8210

"floatValue": 3.14, # float

8211

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8212

},

8213

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

8214

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

8215

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

8216

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8217

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

8218

# grouped together into a single bucket; for example if `lower_bound` = 10,

8219

# then all values less than 10 are replaced with the value "-10".

8220

# Note that for the purposes of inspection or transformation, the number

8221

# of bytes considered to comprise a 'Value' is based on its representation

8222

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8223

# 123456789, the number of bytes would be counted as 9, even though an

8224

# int64 only holds up to 8 bytes of data.

8225

"timestampValue": "A String", # timestamp

8226

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8227

# and time zone are either specified elsewhere or are not significant. The date

8228

# is relative to the Proleptic Gregorian Calendar. This can represent:

8229

#

8230

# * A full date, with non-zero year, month and day values

8231

# * A month and day value, with a zero year, e.g. an anniversary

8232

# * A year on its own, with zero month and day values

8233

# * A year and month value, with a zero day, e.g. a credit card expiration date

8234

#

8235

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8236

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8237

# a year.

8238

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8239

# month and day.

8240

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8241

# if specifying a year by itself or a year and month where the day is not

8242

# significant.

8243

},

8244

"stringValue": "A String", # string

8245

"integerValue": "A String", # integer

8246

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8247

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8248

# types are google.type.Date and `google.protobuf.Timestamp`.

8249

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8250

# to allow the value "24:00:00" for scenarios like business closing time.

8251

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8252

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8253

# allow the value 60 if it allows leap-seconds.

8254

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8255

},

8256

"booleanValue": True or False, # boolean

8257

"floatValue": 3.14, # float

8258

"dayOfWeekValue": "A String", # day of week

8259

},

8260

},

8261

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

8262

# fixed character. Masking can start from the beginning or end of the string.

8263

# This can be used on data of any type (numbers, longs, and so on) and when

8264

# de-identifying structured data we'll attempt to preserve the original data's

8265

# type. (This allows you to take a long like 123 and modify it to a string like

8266

# **3.

8267

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

8268

# characters. For example, if the input string is `555-555-5555` and you

8269

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

8270

# returns `***-**5-5555`.

8271

{ # Characters to skip when doing deidentification of a value. These will be left

8272

# alone and skipped.

8273

"charactersToSkip": "A String", # Characters to not transform when masking.

8274

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

8279

# masked. Skipped characters do not count towards this tally.

8280

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

8281

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

8282

# code or credit card number. This string must have a length of 1. If not

8283

# supplied, this value defaults to `*` for strings, and `0` for digits.

8284

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

8285

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

8286

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

8287

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

8288

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8289

},

8290

},

8291

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

8292

# given `RecordCondition`. The conditions are allowed to reference fields

8293

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

8298

# column for the same record is within a specific range.

8299

# - Redact a field if the date of birth field is greater than 85.

8300

# a field.

8301

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

8302

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

8303

# only supported value is `AND`.

8304

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

8305

"conditions": [ # A collection of conditions.

8306

{ # The field type of `value` and `field` do not need to match to be

8307

# considered equal, but not all comparisons are possible.

8308

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

8309

# but all other comparisons are invalid with incompatible types.

8310

# A `value` of type:

8311

#

8312

# - `string` can be compared against all other types

8313

# - `boolean` can only be compared against other booleans

8314

# - `integer` can be compared against doubles or a string if the string value

8315

# can be parsed as an integer.

8316

# - `double` can be compared against integers or a string if the string can

8317

# be parsed as a double.

8318

# - `Timestamp` can be compared against strings in RFC 3339 date string

8319

# format.

8320

# - `TimeOfDay` can be compared against timestamps and strings in the format

8321

# of 'HH:mm:ss'.

8322

#

8323

# If we fail to compare do to type mismatch, a warning will be given and

8324

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8325

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

8326

# Note that for the purposes of inspection or transformation, the number

8327

# of bytes considered to comprise a 'Value' is based on its representation

8328

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8329

# 123456789, the number of bytes would be counted as 9, even though an

8330

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8331

"timestampValue": "A String", # timestamp

8332

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8333

# and time zone are either specified elsewhere or are not significant. The date

8334

# is relative to the Proleptic Gregorian Calendar. This can represent:

8335

#

8336

# * A full date, with non-zero year, month and day values

8337

# * A month and day value, with a zero year, e.g. an anniversary

8338

# * A year on its own, with zero month and day values

8339

# * A year and month value, with a zero day, e.g. a credit card expiration date

8340

#

8341

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8342

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8343

# a year.

8344

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8345

# month and day.

8346

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8347

# if specifying a year by itself or a year and month where the day is not

8348

# significant.

8349

},

8350

"stringValue": "A String", # string

8351

"integerValue": "A String", # integer

8352

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8353

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8354

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8355

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8356

# to allow the value "24:00:00" for scenarios like business closing time.

8357

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8358

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8359

# allow the value 60 if it allows leap-seconds.

8360

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8361

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8362

"booleanValue": True or False, # boolean

8363

"floatValue": 3.14, # float

8364

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8365

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8366

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

8367

"name": "A String", # Name describing the field.

8368

},

8369

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8370

},

8371

],

8372

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8373

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8374

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8375

},

8376

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8377

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

8378

# match any suppression rule are omitted from the output.

8379

{ # Configuration to suppress records whose suppression conditions evaluate to

8380

# true.

8381

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

8382

# evaluated to be suppressed from the transformed content.

8383

# a field.

8384

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

8385

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

8386

# only supported value is `AND`.

8387

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

8388

"conditions": [ # A collection of conditions.

8389

{ # The field type of `value` and `field` do not need to match to be

8390

# considered equal, but not all comparisons are possible.

8391

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

8392

# but all other comparisons are invalid with incompatible types.

8393

# A `value` of type:

8394

#

8395

# - `string` can be compared against all other types

8396

# - `boolean` can only be compared against other booleans

8397

# - `integer` can be compared against doubles or a string if the string value

8398

# can be parsed as an integer.

8399

# - `double` can be compared against integers or a string if the string can

8400

# be parsed as a double.

8401

# - `Timestamp` can be compared against strings in RFC 3339 date string

8402

# format.

8403

# - `TimeOfDay` can be compared against timestamps and strings in the format

8404

# of 'HH:mm:ss'.

8405

#

8406

# If we fail to compare do to type mismatch, a warning will be given and

8407

# the condition will evaluate to false.

8408

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

8409

# Note that for the purposes of inspection or transformation, the number

8410

# of bytes considered to comprise a 'Value' is based on its representation

8411

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8412

# 123456789, the number of bytes would be counted as 9, even though an

8413

# int64 only holds up to 8 bytes of data.

8414

"timestampValue": "A String", # timestamp

8415

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8416

# and time zone are either specified elsewhere or are not significant. The date

8417

# is relative to the Proleptic Gregorian Calendar. This can represent:

8418

#

8419

# * A full date, with non-zero year, month and day values

8420

# * A month and day value, with a zero year, e.g. an anniversary

8421

# * A year on its own, with zero month and day values

8422

# * A year and month value, with a zero day, e.g. a credit card expiration date

8423

#

8424

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8425

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8426

# a year.

8427

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8428

# month and day.

8429

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8430

# if specifying a year by itself or a year and month where the day is not

8431

# significant.

8432

},

8433

"stringValue": "A String", # string

8434

"integerValue": "A String", # integer

8435

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8436

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8437

# types are google.type.Date and `google.protobuf.Timestamp`.

8438

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8439

# to allow the value "24:00:00" for scenarios like business closing time.

8440

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8441

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8442

# allow the value 60 if it allows leap-seconds.

8443

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8444

},

8445

"booleanValue": True or False, # boolean

8446

"floatValue": 3.14, # float

8447

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8448

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8449

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

8450

"name": "A String", # Name describing the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8451

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8452

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8453

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8454

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8455

},

8456

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8457

},

8458

},

8459

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8460

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8461

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

8469

<pre>Retrieves the next page of results.

8470

8471

Args:

8472

previous_request: The request for the previous page. (required)

8473

previous_response: The response from the request for the previous page. (required)

8474

8475

Returns:

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8476

A request object that you can call 'execute()' on to request the next

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8477

page. Returns None if there are no more items in the collection.

</pre>

</div>

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8482

<code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8483

<pre>Updates the DeidentifyTemplate.

8484

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

8485

more.

8486

8487

Args:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8488

name: string, Required. Resource name of organization and deidentify template to be updated, for

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8489

example `organizations/433245324/deidentifyTemplates/432452342` or

8490

projects/project-id/deidentifyTemplates/432452342. (required)

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

8491

body: object, The request body.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8492

The object takes the form of:

8493

8494

{ # Request message for UpdateDeidentifyTemplate.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8495

"deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

8496

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

8497

"name": "A String", # Output only. The template name.

8498

#

8499

# The template will have one of the following formats:

8500

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

8501

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

8502

"description": "A String", # Short description (max 256 chars).

8503

"displayName": "A String", # Display name (max 256 chars).

8504

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

8505

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

8506

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

8507

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

8508

# transformation everywhere.

8509

# apply various `PrimitiveTransformation`s to each finding, where the

8510

# transformation is applied to only values that were identified as a specific

8511

# info_type.

8512

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

8513

# for a given infoType.

8514

{ # A transformation to apply to text that is identified as a specific

8515

# info_type.

8516

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

8517

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

8518

# portion of the value.

8519

"partToExtract": "A String", # The part of the time to keep.

8520

},

8521

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

8522

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

8523

# to learn more.

8524

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

8525

# If set, must also set cryptoKey. If set, shift will be consistent for the

8526

# given context.

8527

"name": "A String", # Name describing the field.

8528

},

8529

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

8530

# range (inclusive ends). Negative means shift to earlier in time. Must not

8531

# be more than 365250 days (1000 years) each direction.

8532

#

8533

# For example, 3 means shift date to at most 3 days into the future.

8534

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

8535

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

8536

# results in the same shift for the same context and crypto_key. If

8537

# set, must also set context. Can only be applied to table items.

8538

# a key encryption key (KEK) stored by KMS).

8539

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8540

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8541

# unwrap the data crypto key.

8542

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8543

# leaking the key. Choose another type of key if possible.

8544

"key": "A String", # Required. A 128/192/256 bit key.

8545

},

8546

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8547

# It will be discarded after the request finishes.

8548

"name": "A String", # Required. Name of the key.

8549

# This is an arbitrary string used to differentiate different keys.

8550

# A unique key is generated per name: two separate `TransientCryptoKey`

8551

# protos share the same generated key if their names are the same.

8552

# When the data crypto key is generated, this name is not used in any way

8553

# (repeating the api call will result in a different key being generated).

8554

},

8555

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8556

# The wrapped key must be a 128/192/256 bit key.

8557

# Authorization requires the following IAM permissions when sending a request

8558

# to perform a crypto transformation using a kms-wrapped crypto key:

8559

# dlp.kms.encrypt

8560

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8561

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

8566

},

8567

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

8568

# Uses SHA-256.

8569

# The key size must be either 32 or 64 bytes.

8570

# Outputs a base64 encoded representation of the hashed output

8571

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

8572

# Currently, only string and integer values can be hashed.

8573

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

8574

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

8575

# a key encryption key (KEK) stored by KMS).

8576

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8577

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8578

# unwrap the data crypto key.

8579

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8580

# leaking the key. Choose another type of key if possible.

8581

"key": "A String", # Required. A 128/192/256 bit key.

8582

},

8583

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8584

# It will be discarded after the request finishes.

8585

"name": "A String", # Required. Name of the key.

8586

# This is an arbitrary string used to differentiate different keys.

8587

# A unique key is generated per name: two separate `TransientCryptoKey`

8588

# protos share the same generated key if their names are the same.

8589

# When the data crypto key is generated, this name is not used in any way

8590

# (repeating the api call will result in a different key being generated).

8591

},

8592

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8593

# The wrapped key must be a 128/192/256 bit key.

8594

# Authorization requires the following IAM permissions when sending a request

8595

# to perform a crypto transformation using a kms-wrapped crypto key:

8596

# dlp.kms.encrypt

8597

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8598

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

8603

# (FPE) with the FFX mode of operation; however when used in the

8604

# `ReidentifyContent` API method, it serves the opposite function by reversing

8605

# the surrogate back into the original identifier. The identifier must be

8606

# encoded as ASCII. For a given crypto key and context, the same identifier

8607

# will be replaced with the same surrogate. Identifiers must be at least two

8608

# characters long. In the case that the identifier is the empty string, it will

8609

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

8610

# more.

8611

#

8612

# Note: We recommend using CryptoDeterministicConfig for all use cases which

8613

# do not require preserving the input alphabet space and size, plus warrant

8614

# referential integrity.

8615

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

8616

# This annotation will be applied to the surrogate by prefixing it with

8617

# the name of the custom infoType followed by the number of

8618

# characters comprising the surrogate. The following scheme defines the

8619

# format: info_type_name(surrogate_character_count):surrogate

8620

#

8621

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

8622

# the surrogate is 'abc', the full replacement value

8623

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8624

#

8625

# This annotation identifies the surrogate when inspecting content using the

8626

# custom infoType

8627

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

8628

# This facilitates reversal of the surrogate when it occurs in free text.

8629

#

8630

# In order for inspection to work properly, the name of this infoType must

8631

# not occur naturally anywhere in your data; otherwise, inspection may

8632

# find a surrogate that does not correspond to an actual identifier.

8633

# Therefore, choose your custom infoType name carefully after considering

8634

# what your data looks like. One way to select a name that has a high chance

8635

# of yielding reliable detection is to include one or more unicode characters

8636

# that are highly improbable to exist in your data.

8637

# For example, assuming your data is entered from a regular ASCII keyboard,

8638

# the symbol with the hex code point 29DD might be used like so:

8639

# ⧝MY_TOKEN_TYPE

8640

"name": "A String", # Name of the information type. Either a name of your choosing when

8641

# creating a CustomInfoType, or one of the names listed

8642

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8643

# a built-in type. InfoType names should conform to the pattern

8644

# `[a-zA-Z0-9_]{1,64}`.

8645

},

8646

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

8647

# identifier in two different contexts won't be given the same surrogate. If

8648

# the context is not set, a default tweak will be used.

8649

#

8650

# If the context is set but:

8651

#

8652

# 1. there is no record present when transforming a given value or

8653

# 1. the field is not present when transforming a given value,

8654

#

8655

# a default tweak will be used.

8656

#

8657

# Note that case (1) is expected when an `InfoTypeTransformation` is

8658

# applied to both structured and non-structured `ContentItem`s.

8659

# Currently, the referenced field may be of value type integer or string.

8660

#

8661

# The tweak is constructed as a sequence of bytes in big endian byte order

8662

# such that:

8663

#

8664

# - a 64 bit integer is encoded followed by a single byte of value 1

8665

# - a string is encoded in UTF-8 format followed by a single byte of value 2

8666

"name": "A String", # Name describing the field.

8667

},

8668

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

8669

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

8670

# a key encryption key (KEK) stored by KMS).

8671

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8672

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8673

# unwrap the data crypto key.

8674

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8675

# leaking the key. Choose another type of key if possible.

8676

"key": "A String", # Required. A 128/192/256 bit key.

8677

},

8678

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8679

# It will be discarded after the request finishes.

8680

"name": "A String", # Required. Name of the key.

8681

# This is an arbitrary string used to differentiate different keys.

8682

# A unique key is generated per name: two separate `TransientCryptoKey`

8683

# protos share the same generated key if their names are the same.

8684

# When the data crypto key is generated, this name is not used in any way

8685

# (repeating the api call will result in a different key being generated).

8686

},

8687

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8688

# The wrapped key must be a 128/192/256 bit key.

8689

# Authorization requires the following IAM permissions when sending a request

8690

# to perform a crypto transformation using a kms-wrapped crypto key:

8691

# dlp.kms.encrypt

8692

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8693

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8694

},

8695

},

8696

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

8697

# that the FFX mode natively supports. This happens before/after

8698

# encryption/decryption.

8699

# Each character listed must appear only once.

8700

# Number of characters must be in the range [2, 95].

8701

# This must be encoded as ASCII.

8702

# The order of characters does not matter.

8703

"commonAlphabet": "A String", # Common alphabets.

8704

},

8705

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

8706

# input. Outputs a base64 encoded representation of the encrypted output.

8707

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

8708

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

8709

# This annotation will be applied to the surrogate by prefixing it with

8710

# the name of the custom info type followed by the number of

8711

# characters comprising the surrogate. The following scheme defines the

8712

# format: {info type name}({surrogate character count}):{surrogate}

8713

#

8714

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

8715

# the surrogate is 'abc', the full replacement value

8716

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8717

#

8718

# This annotation identifies the surrogate when inspecting content using the

8719

# custom info type 'Surrogate'. This facilitates reversal of the

8720

# surrogate when it occurs in free text.

8721

#

8722

# Note: For record transformations where the entire cell in a table is being

8723

# transformed, surrogates are not mandatory. Surrogates are used to denote

8724

# the location of the token and are necessary for re-identification in free

8725

# form text.

8726

#

8727

# In order for inspection to work properly, the name of this info type must

8728

# not occur naturally anywhere in your data; otherwise, inspection may either

8729

#

8730

# - reverse a surrogate that does not correspond to an actual identifier

8731

# - be unable to parse the surrogate and result in an error

8732

#

8733

# Therefore, choose your custom info type name carefully after considering

8734

# what your data looks like. One way to select a name that has a high chance

8735

# of yielding reliable detection is to include one or more unicode characters

8736

# that are highly improbable to exist in your data.

8737

# For example, assuming your data is entered from a regular ASCII keyboard,

8738

# the symbol with the hex code point 29DD might be used like so:

8739

# ⧝MY_TOKEN_TYPE.

8740

"name": "A String", # Name of the information type. Either a name of your choosing when

8741

# creating a CustomInfoType, or one of the names listed

8742

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8743

# a built-in type. InfoType names should conform to the pattern

8744

# `[a-zA-Z0-9_]{1,64}`.

8745

},

8746

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

8747

# referential integrity such that the same identifier in two different

8748

# contexts will be given a distinct surrogate. The context is appended to

8749

# plaintext value being encrypted. On decryption the provided context is

8750

# validated against the value used during encryption. If a context was

8751

# provided during encryption, same context must be provided during decryption

8752

# as well.

8753

#

8754

# If the context is not set, plaintext would be used as is for encryption.

8755

# If the context is set but:

8756

#

8757

# 1. there is no record present when transforming a given value or

8758

# 2. the field is not present when transforming a given value,

8759

#

8760

# plaintext would be used as is for encryption.

8761

#

8762

# Note that case (1) is expected when an `InfoTypeTransformation` is

8763

# applied to both structured and non-structured `ContentItem`s.

8764

"name": "A String", # Name describing the field.

8765

},

8766

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

8767

# a key encryption key (KEK) stored by KMS).

8768

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8769

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8770

# unwrap the data crypto key.

8771

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8772

# leaking the key. Choose another type of key if possible.

8773

"key": "A String", # Required. A 128/192/256 bit key.

8774

},

8775

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8776

# It will be discarded after the request finishes.

8777

"name": "A String", # Required. Name of the key.

8778

# This is an arbitrary string used to differentiate different keys.

8779

# A unique key is generated per name: two separate `TransientCryptoKey`

8780

# protos share the same generated key if their names are the same.

8781

# When the data crypto key is generated, this name is not used in any way

8782

# (repeating the api call will result in a different key being generated).

8783

},

8784

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8785

# The wrapped key must be a 128/192/256 bit key.

8786

# Authorization requires the following IAM permissions when sending a request

8787

# to perform a crypto transformation using a kms-wrapped crypto key:

8788

# dlp.kms.encrypt

8789

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8790

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

8795

# replacement values are dynamically provided by the user for custom behavior,

8796

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

8797

# This can be used on

8798

# data of type: number, long, string, timestamp.

8799

# If the bound `Value` type differs from the type of data being transformed, we

8800

# will first attempt converting the type of the data to be transformed to match

8801

# the type of the bound before comparing.

8802

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8803

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

8804

{ # Bucket is represented as a range, along with replacement values.

8805

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

8806

# the default behavior will be to hyphenate the min-max range.

8807

# Note that for the purposes of inspection or transformation, the number

8808

# of bytes considered to comprise a 'Value' is based on its representation

8809

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8810

# 123456789, the number of bytes would be counted as 9, even though an

8811

# int64 only holds up to 8 bytes of data.

8812

"timestampValue": "A String", # timestamp

8813

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8814

# and time zone are either specified elsewhere or are not significant. The date

8815

# is relative to the Proleptic Gregorian Calendar. This can represent:

8816

#

8817

# * A full date, with non-zero year, month and day values

8818

# * A month and day value, with a zero year, e.g. an anniversary

8819

# * A year on its own, with zero month and day values

8820

# * A year and month value, with a zero day, e.g. a credit card expiration date

8821

#

8822

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8823

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8824

# a year.

8825

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8826

# month and day.

8827

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8828

# if specifying a year by itself or a year and month where the day is not

8829

# significant.

8830

},

8831

"stringValue": "A String", # string

8832

"integerValue": "A String", # integer

8833

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8834

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8835

# types are google.type.Date and `google.protobuf.Timestamp`.

8836

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8837

# to allow the value "24:00:00" for scenarios like business closing time.

8838

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8839

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8840

# allow the value 60 if it allows leap-seconds.

8841

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8842

},

8843

"booleanValue": True or False, # boolean

8844

"floatValue": 3.14, # float

8845

"dayOfWeekValue": "A String", # day of week

8846

},

8847

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8848

# used.

8849

# Note that for the purposes of inspection or transformation, the number

8850

# of bytes considered to comprise a 'Value' is based on its representation

8851

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8852

# 123456789, the number of bytes would be counted as 9, even though an

8853

# int64 only holds up to 8 bytes of data.

8854

"timestampValue": "A String", # timestamp

8855

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8856

# and time zone are either specified elsewhere or are not significant. The date

8857

# is relative to the Proleptic Gregorian Calendar. This can represent:

8858

#

8859

# * A full date, with non-zero year, month and day values

8860

# * A month and day value, with a zero year, e.g. an anniversary

8861

# * A year on its own, with zero month and day values

8862

# * A year and month value, with a zero day, e.g. a credit card expiration date

8863

#

8864

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8865

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8866

# a year.

8867

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8868

# month and day.

8869

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8870

# if specifying a year by itself or a year and month where the day is not

8871

# significant.

8872

},

8873

"stringValue": "A String", # string

8874

"integerValue": "A String", # integer

8875

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8876

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8877

# types are google.type.Date and `google.protobuf.Timestamp`.

8878

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8879

# to allow the value "24:00:00" for scenarios like business closing time.

8880

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8881

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8882

# allow the value 60 if it allows leap-seconds.

8883

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8884

},

8885

"booleanValue": True or False, # boolean

8886

"floatValue": 3.14, # float

8887

"dayOfWeekValue": "A String", # day of week

8888

},

8889

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8890

# Note that for the purposes of inspection or transformation, the number

8891

# of bytes considered to comprise a 'Value' is based on its representation

8892

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8893

# 123456789, the number of bytes would be counted as 9, even though an

8894

# int64 only holds up to 8 bytes of data.

8895

"timestampValue": "A String", # timestamp

8896

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8897

# and time zone are either specified elsewhere or are not significant. The date

8898

# is relative to the Proleptic Gregorian Calendar. This can represent:

8899

#

8900

# * A full date, with non-zero year, month and day values

8901

# * A month and day value, with a zero year, e.g. an anniversary

8902

# * A year on its own, with zero month and day values

8903

# * A year and month value, with a zero day, e.g. a credit card expiration date

8904

#

8905

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8906

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8907

# a year.

8908

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8909

# month and day.

8910

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8911

# if specifying a year by itself or a year and month where the day is not

8912

# significant.

8913

},

8914

"stringValue": "A String", # string

8915

"integerValue": "A String", # integer

8916

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8917

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8918

# types are google.type.Date and `google.protobuf.Timestamp`.

8919

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8920

# to allow the value "24:00:00" for scenarios like business closing time.

8921

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8922

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8923

# allow the value 60 if it allows leap-seconds.

8924

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8925

},

8926

"booleanValue": True or False, # boolean

8927

"floatValue": 3.14, # float

8928

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8934

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8935

# output would be 'My phone number is '.

8936

},

8937

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8938

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8939

# Note that for the purposes of inspection or transformation, the number

8940

# of bytes considered to comprise a 'Value' is based on its representation

8941

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8942

# 123456789, the number of bytes would be counted as 9, even though an

8943

# int64 only holds up to 8 bytes of data.

8944

"timestampValue": "A String", # timestamp

8945

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8946

# and time zone are either specified elsewhere or are not significant. The date

8947

# is relative to the Proleptic Gregorian Calendar. This can represent:

8948

#

8949

# * A full date, with non-zero year, month and day values

8950

# * A month and day value, with a zero year, e.g. an anniversary

8951

# * A year on its own, with zero month and day values

8952

# * A year and month value, with a zero day, e.g. a credit card expiration date

8953

#

8954

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8955

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8956

# a year.

8957

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8958

# month and day.

8959

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8960

# if specifying a year by itself or a year and month where the day is not

8961

# significant.

8962

},

8963

"stringValue": "A String", # string

8964

"integerValue": "A String", # integer

8965

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8966

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8967

# types are google.type.Date and `google.protobuf.Timestamp`.

8968

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8969

# to allow the value "24:00:00" for scenarios like business closing time.

8970

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8971

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8972

# allow the value 60 if it allows leap-seconds.

8973

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8974

},

8975

"booleanValue": True or False, # boolean

8976

"floatValue": 3.14, # float

8977

"dayOfWeekValue": "A String", # day of week

8978

},

8979

},

8980

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8981

# Bucketing transformation can provide all of this functionality,

8982

# but requires more configuration. This message is provided as a convenience to

8983

# the user for simple bucketing strategies.

8984

#

8985

# The transformed value will be a hyphenated string of

8986

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8987

# all values that are within this bucket will be replaced with "10-20".

8988

#

8989

# This can be used on data of type: double, long.

8990

#

8991

# If the bound Value type differs from the type of data

8992

# being transformed, we will first attempt converting the type of the data to

8993

# be transformed to match the type of the bound before comparing.

8994

#

8995

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8996

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

8997

# grouped together into a single bucket; for example if `upper_bound` = 89,

8998

# then all values greater than 89 are replaced with the value "89+".

8999

# Note that for the purposes of inspection or transformation, the number

9000

# of bytes considered to comprise a 'Value' is based on its representation

9001

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9002

# 123456789, the number of bytes would be counted as 9, even though an

9003

# int64 only holds up to 8 bytes of data.

9004

"timestampValue": "A String", # timestamp

9005

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9006

# and time zone are either specified elsewhere or are not significant. The date

9007

# is relative to the Proleptic Gregorian Calendar. This can represent:

9008

#

9009

# * A full date, with non-zero year, month and day values

9010

# * A month and day value, with a zero year, e.g. an anniversary

9011

# * A year on its own, with zero month and day values

9012

# * A year and month value, with a zero day, e.g. a credit card expiration date

9013

#

9014

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9015

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9016

# a year.

9017

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9018

# month and day.

9019

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9020

# if specifying a year by itself or a year and month where the day is not

9021

# significant.

9022

},

9023

"stringValue": "A String", # string

9024

"integerValue": "A String", # integer

9025

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9026

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9027

# types are google.type.Date and `google.protobuf.Timestamp`.

9028

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9029

# to allow the value "24:00:00" for scenarios like business closing time.

9030

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9031

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9032

# allow the value 60 if it allows leap-seconds.

9033

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9034

},

9035

"booleanValue": True or False, # boolean

9036

"floatValue": 3.14, # float

9037

"dayOfWeekValue": "A String", # day of week

9038

},

9039

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9040

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9041

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9042

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

9043

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9044

# grouped together into a single bucket; for example if `lower_bound` = 10,

9045

# then all values less than 10 are replaced with the value "-10".

9046

# Note that for the purposes of inspection or transformation, the number

9047

# of bytes considered to comprise a 'Value' is based on its representation

9048

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9049

# 123456789, the number of bytes would be counted as 9, even though an

9050

# int64 only holds up to 8 bytes of data.

9051

"timestampValue": "A String", # timestamp

9052

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9053

# and time zone are either specified elsewhere or are not significant. The date

9054

# is relative to the Proleptic Gregorian Calendar. This can represent:

9055

#

9056

# * A full date, with non-zero year, month and day values

9057

# * A month and day value, with a zero year, e.g. an anniversary

9058

# * A year on its own, with zero month and day values

9059

# * A year and month value, with a zero day, e.g. a credit card expiration date

9060

#

9061

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9062

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9063

# a year.

9064

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9065

# month and day.

9066

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9067

# if specifying a year by itself or a year and month where the day is not

9068

# significant.

9069

},

9070

"stringValue": "A String", # string

9071

"integerValue": "A String", # integer

9072

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9073

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9074

# types are google.type.Date and `google.protobuf.Timestamp`.

9075

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9076

# to allow the value "24:00:00" for scenarios like business closing time.

9077

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9078

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9079

# allow the value 60 if it allows leap-seconds.

9080

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9081

},

9082

"booleanValue": True or False, # boolean

9083

"floatValue": 3.14, # float

9084

"dayOfWeekValue": "A String", # day of week

9085

},

9086

},

9087

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9088

# fixed character. Masking can start from the beginning or end of the string.

9089

# This can be used on data of any type (numbers, longs, and so on) and when

9090

# de-identifying structured data we'll attempt to preserve the original data's

9091

# type. (This allows you to take a long like 123 and modify it to a string like

9092

# **3.

9093

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9094

# characters. For example, if the input string is `555-555-5555` and you

9095

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9096

# returns `***-**5-5555`.

9097

{ # Characters to skip when doing deidentification of a value. These will be left

9098

# alone and skipped.

9099

"charactersToSkip": "A String", # Characters to not transform when masking.

9100

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9105

# masked. Skipped characters do not count towards this tally.

9106

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9107

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9108

# code or credit card number. This string must have a length of 1. If not

9109

# supplied, this value defaults to `*` for strings, and `0` for digits.

9110

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9111

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9112

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9113

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9114

# is `true`, then the string `12345` is masked as `12***`.

9115

},

9116

},

9117

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

9118

# this transformation to apply to all findings that correspond to

9119

# infoTypes that were requested in `InspectConfig`.

9120

{ # Type of information detected by the API.

9121

"name": "A String", # Name of the information type. Either a name of your choosing when

9122

# creating a CustomInfoType, or one of the names listed

9123

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9124

# a built-in type. InfoType names should conform to the pattern

9125

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9131

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

9132

# mode is `TransformationErrorHandling.ThrowError`.

9133

# transformation error occurs when the requested transformation is incompatible

9134

# with the data. For example, trying to de-identify an IP address using a

9135

# `DateShift` transformation would result in a transformation error, since date

9136

# info cannot be extracted from an IP address.

9137

# Information about any incompatible transformations, and how they were

9138

# handled, is returned in the response as part of the

9139

# `TransformationOverviews`.

9140

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

9141

},

9142

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

9143

# cause an error. For example, if a `DateShift` transformation were applied

9144

# an an IP address, this mode would leave the IP address unchanged in the

9145

# response.

9146

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9147

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9148

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9149

# specific locations within structured datasets, such as transforming

9150

# a column within a table.

9151

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9152

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9153

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9154

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9155

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9156

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9157

},

9158

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9159

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9160

# transform content that matches an `InfoType`.

9161

# apply various `PrimitiveTransformation`s to each finding, where the

9162

# transformation is applied to only values that were identified as a specific

9163

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9164

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9165

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9166

{ # A transformation to apply to text that is identified as a specific

9167

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9168

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

9169

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9170

# portion of the value.

9171

"partToExtract": "A String", # The part of the time to keep.

9172

},

9173

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9174

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9175

# to learn more.

9176

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9177

# If set, must also set cryptoKey. If set, shift will be consistent for the

9178

# given context.

9179

"name": "A String", # Name describing the field.

9180

},

9181

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9182

# range (inclusive ends). Negative means shift to earlier in time. Must not

9183

# be more than 365250 days (1000 years) each direction.

9184

#

9185

# For example, 3 means shift date to at most 3 days into the future.

9186

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9187

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9188

# results in the same shift for the same context and crypto_key. If

9189

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9190

# a key encryption key (KEK) stored by KMS).

9191

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9192

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9193

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9194

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9195

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9196

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9197

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9198

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9199

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9200

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9201

# This is an arbitrary string used to differentiate different keys.

9202

# A unique key is generated per name: two separate `TransientCryptoKey`

9203

# protos share the same generated key if their names are the same.

9204

# When the data crypto key is generated, this name is not used in any way

9205

# (repeating the api call will result in a different key being generated).

9206

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9207

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9208

# The wrapped key must be a 128/192/256 bit key.

9209

# Authorization requires the following IAM permissions when sending a request

9210

# to perform a crypto transformation using a kms-wrapped crypto key:

9211

# dlp.kms.encrypt

9212

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9213

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9214

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9215

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9216

},

9217

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

9218

},

9219

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

9220

# Uses SHA-256.

9221

# The key size must be either 32 or 64 bytes.

9222

# Outputs a base64 encoded representation of the hashed output

9223

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

9224

# Currently, only string and integer values can be hashed.

9225

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

9226

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

9227

# a key encryption key (KEK) stored by KMS).

9228

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9229

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9230

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9231

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9232

# leaking the key. Choose another type of key if possible.

9233

"key": "A String", # Required. A 128/192/256 bit key.

9234

},

9235

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9236

# It will be discarded after the request finishes.

9237

"name": "A String", # Required. Name of the key.

9238

# This is an arbitrary string used to differentiate different keys.

9239

# A unique key is generated per name: two separate `TransientCryptoKey`

9240

# protos share the same generated key if their names are the same.

9241

# When the data crypto key is generated, this name is not used in any way

9242

# (repeating the api call will result in a different key being generated).

9243

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9244

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9245

# The wrapped key must be a 128/192/256 bit key.

9246

# Authorization requires the following IAM permissions when sending a request

9247

# to perform a crypto transformation using a kms-wrapped crypto key:

9248

# dlp.kms.encrypt

9249

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9250

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9251

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9252

},

9253

},

9254

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

9255

# (FPE) with the FFX mode of operation; however when used in the

9256

# `ReidentifyContent` API method, it serves the opposite function by reversing

9257

# the surrogate back into the original identifier. The identifier must be

9258

# encoded as ASCII. For a given crypto key and context, the same identifier

9259

# will be replaced with the same surrogate. Identifiers must be at least two

9260

# characters long. In the case that the identifier is the empty string, it will

9261

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

9262

# more.

9263

#

9264

# Note: We recommend using CryptoDeterministicConfig for all use cases which

9265

# do not require preserving the input alphabet space and size, plus warrant

9266

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9267

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

9268

# This annotation will be applied to the surrogate by prefixing it with

9269

# the name of the custom infoType followed by the number of

9270

# characters comprising the surrogate. The following scheme defines the

9271

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9272

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9273

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

9274

# the surrogate is 'abc', the full replacement value

9275

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9276

#

9277

# This annotation identifies the surrogate when inspecting content using the

9278

# custom infoType

9279

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

9280

# This facilitates reversal of the surrogate when it occurs in free text.

9281

#

9282

# In order for inspection to work properly, the name of this infoType must

9283

# not occur naturally anywhere in your data; otherwise, inspection may

9284

# find a surrogate that does not correspond to an actual identifier.

9285

# Therefore, choose your custom infoType name carefully after considering

9286

# what your data looks like. One way to select a name that has a high chance

9287

# of yielding reliable detection is to include one or more unicode characters

9288

# that are highly improbable to exist in your data.

9289

# For example, assuming your data is entered from a regular ASCII keyboard,

9290

# the symbol with the hex code point 29DD might be used like so:

9291

# ⧝MY_TOKEN_TYPE

9292

"name": "A String", # Name of the information type. Either a name of your choosing when

9293

# creating a CustomInfoType, or one of the names listed

9294

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9295

# a built-in type. InfoType names should conform to the pattern

9296

# `[a-zA-Z0-9_]{1,64}`.

9297

},

9298

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

9299

# identifier in two different contexts won't be given the same surrogate. If

9300

# the context is not set, a default tweak will be used.

9301

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9302

# If the context is set but:

9303

#

9304

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9305

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9306

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9307

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9308

#

9309

# Note that case (1) is expected when an `InfoTypeTransformation` is

9310

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9311

# Currently, the referenced field may be of value type integer or string.

9312

#

9313

# The tweak is constructed as a sequence of bytes in big endian byte order

9314

# such that:

9315

#

9316

# - a 64 bit integer is encoded followed by a single byte of value 1

9317

# - a string is encoded in UTF-8 format followed by a single byte of value 2

9318

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9319

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9320

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

9321

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

9322

# a key encryption key (KEK) stored by KMS).

9323

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9324

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9325

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9326

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9327

# leaking the key. Choose another type of key if possible.

9328

"key": "A String", # Required. A 128/192/256 bit key.

9329

},

9330

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9331

# It will be discarded after the request finishes.

9332

"name": "A String", # Required. Name of the key.

9333

# This is an arbitrary string used to differentiate different keys.

9334

# A unique key is generated per name: two separate `TransientCryptoKey`

9335

# protos share the same generated key if their names are the same.

9336

# When the data crypto key is generated, this name is not used in any way

9337

# (repeating the api call will result in a different key being generated).

9338

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9339

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9340

# The wrapped key must be a 128/192/256 bit key.

9341

# Authorization requires the following IAM permissions when sending a request

9342

# to perform a crypto transformation using a kms-wrapped crypto key:

9343

# dlp.kms.encrypt

9344

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9345

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9346

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9347

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9348

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

9349

# that the FFX mode natively supports. This happens before/after

9350

# encryption/decryption.

9351

# Each character listed must appear only once.

9352

# Number of characters must be in the range [2, 95].

9353

# This must be encoded as ASCII.

9354

# The order of characters does not matter.

9355

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9356

},

9357

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

9358

# input. Outputs a base64 encoded representation of the encrypted output.

9359

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

9360

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9361

# This annotation will be applied to the surrogate by prefixing it with

9362

# the name of the custom info type followed by the number of

9363

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9364

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9365

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9366

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

9367

# the surrogate is 'abc', the full replacement value

9368

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9369

#

9370

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9371

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9372

# surrogate when it occurs in free text.

9373

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9374

# Note: For record transformations where the entire cell in a table is being

9375

# transformed, surrogates are not mandatory. Surrogates are used to denote

9376

# the location of the token and are necessary for re-identification in free

9377

# form text.

9378

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9379

# In order for inspection to work properly, the name of this info type must

9380

# not occur naturally anywhere in your data; otherwise, inspection may either

9381

#

9382

# - reverse a surrogate that does not correspond to an actual identifier

9383

# - be unable to parse the surrogate and result in an error

9384

#

9385

# Therefore, choose your custom info type name carefully after considering

9386

# what your data looks like. One way to select a name that has a high chance

9387

# of yielding reliable detection is to include one or more unicode characters

9388

# that are highly improbable to exist in your data.

9389

# For example, assuming your data is entered from a regular ASCII keyboard,

9390

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9391

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9392

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9393

# creating a CustomInfoType, or one of the names listed

9394

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9395

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9396

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9397

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9398

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

9399

# referential integrity such that the same identifier in two different

9400

# contexts will be given a distinct surrogate. The context is appended to

9401

# plaintext value being encrypted. On decryption the provided context is

9402

# validated against the value used during encryption. If a context was

9403

# provided during encryption, same context must be provided during decryption

9404

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9405

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9406

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9407

# If the context is set but:

9408

#

9409

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9410

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9411

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9412

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9413

#

9414

# Note that case (1) is expected when an `InfoTypeTransformation` is

9415

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9416

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9417

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9418

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

9419

# a key encryption key (KEK) stored by KMS).

9420

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9421

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9422

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9423

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9424

# leaking the key. Choose another type of key if possible.

9425

"key": "A String", # Required. A 128/192/256 bit key.

9426

},

9427

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9428

# It will be discarded after the request finishes.

9429

"name": "A String", # Required. Name of the key.

9430

# This is an arbitrary string used to differentiate different keys.

9431

# A unique key is generated per name: two separate `TransientCryptoKey`

9432

# protos share the same generated key if their names are the same.

9433

# When the data crypto key is generated, this name is not used in any way

9434

# (repeating the api call will result in a different key being generated).

9435

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9436

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9437

# The wrapped key must be a 128/192/256 bit key.

9438

# Authorization requires the following IAM permissions when sending a request

9439

# to perform a crypto transformation using a kms-wrapped crypto key:

9440

# dlp.kms.encrypt

9441

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9442

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9443

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9444

},

9445

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9446

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9447

# replacement values are dynamically provided by the user for custom behavior,

9448

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

9449

# This can be used on

9450

# data of type: number, long, string, timestamp.

9451

# If the bound `Value` type differs from the type of data being transformed, we

9452

# will first attempt converting the type of the data to be transformed to match

9453

# the type of the bound before comparing.

9454

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9455

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9456

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9457

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

9458

# the default behavior will be to hyphenate the min-max range.

9459

# Note that for the purposes of inspection or transformation, the number

9460

# of bytes considered to comprise a 'Value' is based on its representation

9461

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9462

# 123456789, the number of bytes would be counted as 9, even though an

9463

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9464

"timestampValue": "A String", # timestamp

9465

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9466

# and time zone are either specified elsewhere or are not significant. The date

9467

# is relative to the Proleptic Gregorian Calendar. This can represent:

9468

#

9469

# * A full date, with non-zero year, month and day values

9470

# * A month and day value, with a zero year, e.g. an anniversary

9471

# * A year on its own, with zero month and day values

9472

# * A year and month value, with a zero day, e.g. a credit card expiration date

9473

#

9474

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9475

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9476

# a year.

9477

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9478

# month and day.

9479

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9480

# if specifying a year by itself or a year and month where the day is not

9481

# significant.

9482

},

9483

"stringValue": "A String", # string

9484

"integerValue": "A String", # integer

9485

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9486

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9487

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9488

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9489

# to allow the value "24:00:00" for scenarios like business closing time.

9490

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9491

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9492

# allow the value 60 if it allows leap-seconds.

9493

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9494

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9495

"booleanValue": True or False, # boolean

9496

"floatValue": 3.14, # float

9497

"dayOfWeekValue": "A String", # day of week

9498

},

9499

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

9500

# used.

9501

# Note that for the purposes of inspection or transformation, the number

9502

# of bytes considered to comprise a 'Value' is based on its representation

9503

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9504

# 123456789, the number of bytes would be counted as 9, even though an

9505

# int64 only holds up to 8 bytes of data.

9506

"timestampValue": "A String", # timestamp

9507

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9508

# and time zone are either specified elsewhere or are not significant. The date

9509

# is relative to the Proleptic Gregorian Calendar. This can represent:

9510

#

9511

# * A full date, with non-zero year, month and day values

9512

# * A month and day value, with a zero year, e.g. an anniversary

9513

# * A year on its own, with zero month and day values

9514

# * A year and month value, with a zero day, e.g. a credit card expiration date

9515

#

9516

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9517

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9518

# a year.

9519

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9520

# month and day.

9521

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9522

# if specifying a year by itself or a year and month where the day is not

9523

# significant.

9524

},

9525

"stringValue": "A String", # string

9526

"integerValue": "A String", # integer

9527

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9528

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9529

# types are google.type.Date and `google.protobuf.Timestamp`.

9530

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9531

# to allow the value "24:00:00" for scenarios like business closing time.

9532

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9533

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9534

# allow the value 60 if it allows leap-seconds.

9535

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9536

},

9537

"booleanValue": True or False, # boolean

9538

"floatValue": 3.14, # float

9539

"dayOfWeekValue": "A String", # day of week

9540

},

9541

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

9542

# Note that for the purposes of inspection or transformation, the number

9543

# of bytes considered to comprise a 'Value' is based on its representation

9544

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9545

# 123456789, the number of bytes would be counted as 9, even though an

9546

# int64 only holds up to 8 bytes of data.

9547

"timestampValue": "A String", # timestamp

9548

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9549

# and time zone are either specified elsewhere or are not significant. The date

9550

# is relative to the Proleptic Gregorian Calendar. This can represent:

9551

#

9552

# * A full date, with non-zero year, month and day values

9553

# * A month and day value, with a zero year, e.g. an anniversary

9554

# * A year on its own, with zero month and day values

9555

# * A year and month value, with a zero day, e.g. a credit card expiration date

9556

#

9557

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9558

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9559

# a year.

9560

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9561

# month and day.

9562

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9563

# if specifying a year by itself or a year and month where the day is not

9564

# significant.

9565

},

9566

"stringValue": "A String", # string

9567

"integerValue": "A String", # integer

9568

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9569

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9570

# types are google.type.Date and `google.protobuf.Timestamp`.

9571

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9572

# to allow the value "24:00:00" for scenarios like business closing time.

9573

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9574

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9575

# allow the value 60 if it allows leap-seconds.

9576

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9577

},

9578

"booleanValue": True or False, # boolean

9579

"floatValue": 3.14, # float

9580

"dayOfWeekValue": "A String", # day of week

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9585

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

9586

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

9587

# output would be 'My phone number is '.

9588

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9589

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

9590

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9591

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9592

# of bytes considered to comprise a 'Value' is based on its representation

9593

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9594

# 123456789, the number of bytes would be counted as 9, even though an

9595

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9596

"timestampValue": "A String", # timestamp

9597

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9598

# and time zone are either specified elsewhere or are not significant. The date

9599

# is relative to the Proleptic Gregorian Calendar. This can represent:

9600

#

9601

# * A full date, with non-zero year, month and day values

9602

# * A month and day value, with a zero year, e.g. an anniversary

9603

# * A year on its own, with zero month and day values

9604

# * A year and month value, with a zero day, e.g. a credit card expiration date

9605

#

9606

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9607

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9608

# a year.

9609

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

9610

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9611

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9612

# if specifying a year by itself or a year and month where the day is not

9613

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

9614

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9615

"stringValue": "A String", # string

9616

"integerValue": "A String", # integer

9617

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9618

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9619

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9620

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9621

# to allow the value "24:00:00" for scenarios like business closing time.

9622

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9623

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9624

# allow the value 60 if it allows leap-seconds.

9625

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9626

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9627

"booleanValue": True or False, # boolean

9628

"floatValue": 3.14, # float

9629

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9630

},

9631

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9632

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

9633

# Bucketing transformation can provide all of this functionality,

9634

# but requires more configuration. This message is provided as a convenience to

9635

# the user for simple bucketing strategies.

9636

#

9637

# The transformed value will be a hyphenated string of

9638

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

9639

# all values that are within this bucket will be replaced with "10-20".

9640

#

9641

# This can be used on data of type: double, long.

9642

#

9643

# If the bound Value type differs from the type of data

9644

# being transformed, we will first attempt converting the type of the data to

9645

# be transformed to match the type of the bound before comparing.

9646

#

9647

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9648

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

9649

# grouped together into a single bucket; for example if `upper_bound` = 89,

9650

# then all values greater than 89 are replaced with the value "89+".

9651

# Note that for the purposes of inspection or transformation, the number

9652

# of bytes considered to comprise a 'Value' is based on its representation

9653

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9654

# 123456789, the number of bytes would be counted as 9, even though an

9655

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9656

"timestampValue": "A String", # timestamp

9657

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9658

# and time zone are either specified elsewhere or are not significant. The date

9659

# is relative to the Proleptic Gregorian Calendar. This can represent:

9660

#

9661

# * A full date, with non-zero year, month and day values

9662

# * A month and day value, with a zero year, e.g. an anniversary

9663

# * A year on its own, with zero month and day values

9664

# * A year and month value, with a zero day, e.g. a credit card expiration date

9665

#

9666

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9667

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9668

# a year.

9669

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9670

# month and day.

9671

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9672

# if specifying a year by itself or a year and month where the day is not

9673

# significant.

9674

},

9675

"stringValue": "A String", # string

9676

"integerValue": "A String", # integer

9677

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9678

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9679

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9680

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9681

# to allow the value "24:00:00" for scenarios like business closing time.

9682

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9683

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9684

# allow the value 60 if it allows leap-seconds.

9685

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9686

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9687

"booleanValue": True or False, # boolean

9688

"floatValue": 3.14, # float

9689

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9690

},

9691

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9692

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9693

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9694

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9695

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9696

# grouped together into a single bucket; for example if `lower_bound` = 10,

9697

# then all values less than 10 are replaced with the value "-10".

9698

# Note that for the purposes of inspection or transformation, the number

9699

# of bytes considered to comprise a 'Value' is based on its representation

9700

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9701

# 123456789, the number of bytes would be counted as 9, even though an

9702

# int64 only holds up to 8 bytes of data.

9703

"timestampValue": "A String", # timestamp

9704

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9705

# and time zone are either specified elsewhere or are not significant. The date

9706

# is relative to the Proleptic Gregorian Calendar. This can represent:

9707

#

9708

# * A full date, with non-zero year, month and day values

9709

# * A month and day value, with a zero year, e.g. an anniversary

9710

# * A year on its own, with zero month and day values

9711

# * A year and month value, with a zero day, e.g. a credit card expiration date

9712

#

9713

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9714

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9715

# a year.

9716

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9717

# month and day.

9718

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9719

# if specifying a year by itself or a year and month where the day is not

9720

# significant.

9721

},

9722

"stringValue": "A String", # string

9723

"integerValue": "A String", # integer

9724

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9725

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9726

# types are google.type.Date and `google.protobuf.Timestamp`.

9727

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9728

# to allow the value "24:00:00" for scenarios like business closing time.

9729

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9730

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9731

# allow the value 60 if it allows leap-seconds.

9732

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9733

},

9734

"booleanValue": True or False, # boolean

9735

"floatValue": 3.14, # float

9736

"dayOfWeekValue": "A String", # day of week

9737

},

9738

},

9739

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9740

# fixed character. Masking can start from the beginning or end of the string.

9741

# This can be used on data of any type (numbers, longs, and so on) and when

9742

# de-identifying structured data we'll attempt to preserve the original data's

9743

# type. (This allows you to take a long like 123 and modify it to a string like

9744

# **3.

9745

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9746

# characters. For example, if the input string is `555-555-5555` and you

9747

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9748

# returns `***-**5-5555`.

9749

{ # Characters to skip when doing deidentification of a value. These will be left

9750

# alone and skipped.

9751

"charactersToSkip": "A String", # Characters to not transform when masking.

9752

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9757

# masked. Skipped characters do not count towards this tally.

9758

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9759

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9760

# code or credit card number. This string must have a length of 1. If not

9761

# supplied, this value defaults to `*` for strings, and `0` for digits.

9762

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9763

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9764

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9765

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9766

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9767

},

9768

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9769

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

9770

# this transformation to apply to all findings that correspond to

9771

# infoTypes that were requested in `InspectConfig`.

9772

{ # Type of information detected by the API.

9773

"name": "A String", # Name of the information type. Either a name of your choosing when

9774

# creating a CustomInfoType, or one of the names listed

9775

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9776

# a built-in type. InfoType names should conform to the pattern

9777

# `[a-zA-Z0-9_]{1,64}`.

9778

},

9779

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

9784

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9785

# portion of the value.

9786

"partToExtract": "A String", # The part of the time to keep.

9787

},

9788

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9789

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9790

# to learn more.

9791

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9792

# If set, must also set cryptoKey. If set, shift will be consistent for the

9793

# given context.

9794

"name": "A String", # Name describing the field.

9795

},

9796

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9797

# range (inclusive ends). Negative means shift to earlier in time. Must not

9798

# be more than 365250 days (1000 years) each direction.

9799

#

9800

# For example, 3 means shift date to at most 3 days into the future.

9801

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9802

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9803

# results in the same shift for the same context and crypto_key. If

9804

# set, must also set context. Can only be applied to table items.

9805

# a key encryption key (KEK) stored by KMS).

9806

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9807

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9808

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9809

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9810

# leaking the key. Choose another type of key if possible.

9811

"key": "A String", # Required. A 128/192/256 bit key.

9812

},

9813

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9814

# It will be discarded after the request finishes.

9815

"name": "A String", # Required. Name of the key.

9816

# This is an arbitrary string used to differentiate different keys.

9817

# A unique key is generated per name: two separate `TransientCryptoKey`

9818

# protos share the same generated key if their names are the same.

9819

# When the data crypto key is generated, this name is not used in any way

9820

# (repeating the api call will result in a different key being generated).

9821

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9822

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9823

# The wrapped key must be a 128/192/256 bit key.

9824

# Authorization requires the following IAM permissions when sending a request

9825

# to perform a crypto transformation using a kms-wrapped crypto key:

9826

# dlp.kms.encrypt

9827

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9828

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9829

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9830

},

9831

},

9832

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

9833

},

9834

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

9835

# Uses SHA-256.

9836

# The key size must be either 32 or 64 bytes.

9837

# Outputs a base64 encoded representation of the hashed output

9838

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

9839

# Currently, only string and integer values can be hashed.

9840

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

9841

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

9842

# a key encryption key (KEK) stored by KMS).

9843

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9844

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9845

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9846

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9847

# leaking the key. Choose another type of key if possible.

9848

"key": "A String", # Required. A 128/192/256 bit key.

9849

},

9850

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9851

# It will be discarded after the request finishes.

9852

"name": "A String", # Required. Name of the key.

9853

# This is an arbitrary string used to differentiate different keys.

9854

# A unique key is generated per name: two separate `TransientCryptoKey`

9855

# protos share the same generated key if their names are the same.

9856

# When the data crypto key is generated, this name is not used in any way

9857

# (repeating the api call will result in a different key being generated).

9858

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9859

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9860

# The wrapped key must be a 128/192/256 bit key.

9861

# Authorization requires the following IAM permissions when sending a request

9862

# to perform a crypto transformation using a kms-wrapped crypto key:

9863

# dlp.kms.encrypt

9864

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9865

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9866

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9867

},

9868

},

9869

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

9870

# (FPE) with the FFX mode of operation; however when used in the

9871

# `ReidentifyContent` API method, it serves the opposite function by reversing

9872

# the surrogate back into the original identifier. The identifier must be

9873

# encoded as ASCII. For a given crypto key and context, the same identifier

9874

# will be replaced with the same surrogate. Identifiers must be at least two

9875

# characters long. In the case that the identifier is the empty string, it will

9876

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

9877

# more.

9878

#

9879

# Note: We recommend using CryptoDeterministicConfig for all use cases which

9880

# do not require preserving the input alphabet space and size, plus warrant

9881

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9882

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

9883

# This annotation will be applied to the surrogate by prefixing it with

9884

# the name of the custom infoType followed by the number of

9885

# characters comprising the surrogate. The following scheme defines the

9886

# format: info_type_name(surrogate_character_count):surrogate

9887

#

9888

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

9889

# the surrogate is 'abc', the full replacement value

9890

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9891

#

9892

# This annotation identifies the surrogate when inspecting content using the

9893

# custom infoType

9894

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

9895

# This facilitates reversal of the surrogate when it occurs in free text.

9896

#

9897

# In order for inspection to work properly, the name of this infoType must

9898

# not occur naturally anywhere in your data; otherwise, inspection may

9899

# find a surrogate that does not correspond to an actual identifier.

9900

# Therefore, choose your custom infoType name carefully after considering

9901

# what your data looks like. One way to select a name that has a high chance

9902

# of yielding reliable detection is to include one or more unicode characters

9903

# that are highly improbable to exist in your data.

9904

# For example, assuming your data is entered from a regular ASCII keyboard,

9905

# the symbol with the hex code point 29DD might be used like so:

9906

# ⧝MY_TOKEN_TYPE

9907

"name": "A String", # Name of the information type. Either a name of your choosing when

9908

# creating a CustomInfoType, or one of the names listed

9909

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9910

# a built-in type. InfoType names should conform to the pattern

9911

# `[a-zA-Z0-9_]{1,64}`.

9912

},

9913

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

9914

# identifier in two different contexts won't be given the same surrogate. If

9915

# the context is not set, a default tweak will be used.

9916

#

9917

# If the context is set but:

9918

#

9919

# 1. there is no record present when transforming a given value or

9920

# 1. the field is not present when transforming a given value,

9921

#

9922

# a default tweak will be used.

9923

#

9924

# Note that case (1) is expected when an `InfoTypeTransformation` is

9925

# applied to both structured and non-structured `ContentItem`s.

9926

# Currently, the referenced field may be of value type integer or string.

9927

#

9928

# The tweak is constructed as a sequence of bytes in big endian byte order

9929

# such that:

9930

#

9931

# - a 64 bit integer is encoded followed by a single byte of value 1

9932

# - a string is encoded in UTF-8 format followed by a single byte of value 2

9933

"name": "A String", # Name describing the field.

9934

},

9935

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

9936

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

9937

# a key encryption key (KEK) stored by KMS).

9938

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9939

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9940

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9941

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9942

# leaking the key. Choose another type of key if possible.

9943

"key": "A String", # Required. A 128/192/256 bit key.

9944

},

9945

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9946

# It will be discarded after the request finishes.

9947

"name": "A String", # Required. Name of the key.

9948

# This is an arbitrary string used to differentiate different keys.

9949

# A unique key is generated per name: two separate `TransientCryptoKey`

9950

# protos share the same generated key if their names are the same.

9951

# When the data crypto key is generated, this name is not used in any way

9952

# (repeating the api call will result in a different key being generated).

9953

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9954

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9955

# The wrapped key must be a 128/192/256 bit key.

9956

# Authorization requires the following IAM permissions when sending a request

9957

# to perform a crypto transformation using a kms-wrapped crypto key:

9958

# dlp.kms.encrypt

9959

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9960

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9961

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9962

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

9963

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

9964

# that the FFX mode natively supports. This happens before/after

9965

# encryption/decryption.

9966

# Each character listed must appear only once.

9967

# Number of characters must be in the range [2, 95].

9968

# This must be encoded as ASCII.

9969

# The order of characters does not matter.

9970

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

9971

},

9972

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

9973

# input. Outputs a base64 encoded representation of the encrypted output.

9974

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

9975

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

9976

# This annotation will be applied to the surrogate by prefixing it with

9977

# the name of the custom info type followed by the number of

9978

# characters comprising the surrogate. The following scheme defines the

9979

# format: {info type name}({surrogate character count}):{surrogate}

9980

#

9981

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

9982

# the surrogate is 'abc', the full replacement value

9983

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9984

#

9985

# This annotation identifies the surrogate when inspecting content using the

9986

# custom info type 'Surrogate'. This facilitates reversal of the

9987

# surrogate when it occurs in free text.

9988

#

9989

# Note: For record transformations where the entire cell in a table is being

9990

# transformed, surrogates are not mandatory. Surrogates are used to denote

9991

# the location of the token and are necessary for re-identification in free

9992

# form text.

9993

#

9994

# In order for inspection to work properly, the name of this info type must

9995

# not occur naturally anywhere in your data; otherwise, inspection may either

9996

#

9997

# - reverse a surrogate that does not correspond to an actual identifier

9998

# - be unable to parse the surrogate and result in an error

9999

#

10000

# Therefore, choose your custom info type name carefully after considering

10001

# what your data looks like. One way to select a name that has a high chance

10002

# of yielding reliable detection is to include one or more unicode characters

10003

# that are highly improbable to exist in your data.

10004

# For example, assuming your data is entered from a regular ASCII keyboard,

10005

# the symbol with the hex code point 29DD might be used like so:

10006

# ⧝MY_TOKEN_TYPE.

10007

"name": "A String", # Name of the information type. Either a name of your choosing when

10008

# creating a CustomInfoType, or one of the names listed

10009

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10010

# a built-in type. InfoType names should conform to the pattern

10011

# `[a-zA-Z0-9_]{1,64}`.

10012

},

10013

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

10014

# referential integrity such that the same identifier in two different

10015

# contexts will be given a distinct surrogate. The context is appended to

10016

# plaintext value being encrypted. On decryption the provided context is

10017

# validated against the value used during encryption. If a context was

10018

# provided during encryption, same context must be provided during decryption

10019

# as well.

10020

#

10021

# If the context is not set, plaintext would be used as is for encryption.

10022

# If the context is set but:

10023

#

10024

# 1. there is no record present when transforming a given value or

10025

# 2. the field is not present when transforming a given value,

10026

#

10027

# plaintext would be used as is for encryption.

10028

#

10029

# Note that case (1) is expected when an `InfoTypeTransformation` is

10030

# applied to both structured and non-structured `ContentItem`s.

10031

"name": "A String", # Name describing the field.

10032

},

10033

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

10034

# a key encryption key (KEK) stored by KMS).

10035

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10036

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10037

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10038

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10039

# leaking the key. Choose another type of key if possible.

10040

"key": "A String", # Required. A 128/192/256 bit key.

10041

},

10042

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10043

# It will be discarded after the request finishes.

10044

"name": "A String", # Required. Name of the key.

10045

# This is an arbitrary string used to differentiate different keys.

10046

# A unique key is generated per name: two separate `TransientCryptoKey`

10047

# protos share the same generated key if their names are the same.

10048

# When the data crypto key is generated, this name is not used in any way

10049

# (repeating the api call will result in a different key being generated).

10050

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10051

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10052

# The wrapped key must be a 128/192/256 bit key.

10053

# Authorization requires the following IAM permissions when sending a request

10054

# to perform a crypto transformation using a kms-wrapped crypto key:

10055

# dlp.kms.encrypt

10056

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10057

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10058

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10059

},

10060

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10061

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

10062

# replacement values are dynamically provided by the user for custom behavior,

10063

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

10064

# This can be used on

10065

# data of type: number, long, string, timestamp.

10066

# If the bound `Value` type differs from the type of data being transformed, we

10067

# will first attempt converting the type of the data to be transformed to match

10068

# the type of the bound before comparing.

10069

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

10070

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

10071

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10072

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

10073

# the default behavior will be to hyphenate the min-max range.

10074

# Note that for the purposes of inspection or transformation, the number

10075

# of bytes considered to comprise a 'Value' is based on its representation

10076

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10077

# 123456789, the number of bytes would be counted as 9, even though an

10078

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10079

"timestampValue": "A String", # timestamp

10080

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10081

# and time zone are either specified elsewhere or are not significant. The date

10082

# is relative to the Proleptic Gregorian Calendar. This can represent:

10083

#

10084

# * A full date, with non-zero year, month and day values

10085

# * A month and day value, with a zero year, e.g. an anniversary

10086

# * A year on its own, with zero month and day values

10087

# * A year and month value, with a zero day, e.g. a credit card expiration date

10088

#

10089

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10090

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10091

# a year.

10092

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10093

# month and day.

10094

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10095

# if specifying a year by itself or a year and month where the day is not

10096

# significant.

10097

},

10098

"stringValue": "A String", # string

10099

"integerValue": "A String", # integer

10100

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10101

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10102

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10103

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10104

# to allow the value "24:00:00" for scenarios like business closing time.

10105

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10106

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10107

# allow the value 60 if it allows leap-seconds.

10108

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10109

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10110

"booleanValue": True or False, # boolean

10111

"floatValue": 3.14, # float

10112

"dayOfWeekValue": "A String", # day of week

10113

},

10114

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

10115

# used.

10116

# Note that for the purposes of inspection or transformation, the number

10117

# of bytes considered to comprise a 'Value' is based on its representation

10118

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10119

# 123456789, the number of bytes would be counted as 9, even though an

10120

# int64 only holds up to 8 bytes of data.

10121

"timestampValue": "A String", # timestamp

10122

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10123

# and time zone are either specified elsewhere or are not significant. The date

10124

# is relative to the Proleptic Gregorian Calendar. This can represent:

10125

#

10126

# * A full date, with non-zero year, month and day values

10127

# * A month and day value, with a zero year, e.g. an anniversary

10128

# * A year on its own, with zero month and day values

10129

# * A year and month value, with a zero day, e.g. a credit card expiration date

10130

#

10131

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10132

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10133

# a year.

10134

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10135

# month and day.

10136

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10137

# if specifying a year by itself or a year and month where the day is not

10138

# significant.

10139

},

10140

"stringValue": "A String", # string

10141

"integerValue": "A String", # integer

10142

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10143

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10144

# types are google.type.Date and `google.protobuf.Timestamp`.

10145

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10146

# to allow the value "24:00:00" for scenarios like business closing time.

10147

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10148

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10149

# allow the value 60 if it allows leap-seconds.

10150

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10151

},

10152

"booleanValue": True or False, # boolean

10153

"floatValue": 3.14, # float

10154

"dayOfWeekValue": "A String", # day of week

10155

},

10156

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

10157

# Note that for the purposes of inspection or transformation, the number

10158

# of bytes considered to comprise a 'Value' is based on its representation

10159

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10160

# 123456789, the number of bytes would be counted as 9, even though an

10161

# int64 only holds up to 8 bytes of data.

10162

"timestampValue": "A String", # timestamp

10163

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10164

# and time zone are either specified elsewhere or are not significant. The date

10165

# is relative to the Proleptic Gregorian Calendar. This can represent:

10166

#

10167

# * A full date, with non-zero year, month and day values

10168

# * A month and day value, with a zero year, e.g. an anniversary

10169

# * A year on its own, with zero month and day values

10170

# * A year and month value, with a zero day, e.g. a credit card expiration date

10171

#

10172

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10173

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10174

# a year.

10175

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10176

# month and day.

10177

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10178

# if specifying a year by itself or a year and month where the day is not

10179

# significant.

10180

},

10181

"stringValue": "A String", # string

10182

"integerValue": "A String", # integer

10183

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10184

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10185

# types are google.type.Date and `google.protobuf.Timestamp`.

10186

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10187

# to allow the value "24:00:00" for scenarios like business closing time.

10188

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10189

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10190

# allow the value 60 if it allows leap-seconds.

10191

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10192

},

10193

"booleanValue": True or False, # boolean

10194

"floatValue": 3.14, # float

10195

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10196

},

10197

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10198

],

10199

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10200

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

10201

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

10202

# output would be 'My phone number is '.

10203

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10204

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

10205

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

10206

# Note that for the purposes of inspection or transformation, the number

10207

# of bytes considered to comprise a 'Value' is based on its representation

10208

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10209

# 123456789, the number of bytes would be counted as 9, even though an

10210

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10211

"timestampValue": "A String", # timestamp

10212

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10213

# and time zone are either specified elsewhere or are not significant. The date

10214

# is relative to the Proleptic Gregorian Calendar. This can represent:

10215

#

10216

# * A full date, with non-zero year, month and day values

10217

# * A month and day value, with a zero year, e.g. an anniversary

10218

# * A year on its own, with zero month and day values

10219

# * A year and month value, with a zero day, e.g. a credit card expiration date

10220

#

10221

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10222

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10223

# a year.

10224

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10225

# month and day.

10226

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10227

# if specifying a year by itself or a year and month where the day is not

10228

# significant.

10229

},

10230

"stringValue": "A String", # string

10231

"integerValue": "A String", # integer

10232

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10233

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10234

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10235

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10236

# to allow the value "24:00:00" for scenarios like business closing time.

10237

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10238

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10239

# allow the value 60 if it allows leap-seconds.

10240

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10241

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10242

"booleanValue": True or False, # boolean

10243

"floatValue": 3.14, # float

10244

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10245

},

10246

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10247

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

10248

# Bucketing transformation can provide all of this functionality,

10249

# but requires more configuration. This message is provided as a convenience to

10250

# the user for simple bucketing strategies.

10251

#

10252

# The transformed value will be a hyphenated string of

10253

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

10254

# all values that are within this bucket will be replaced with "10-20".

10255

#

10256

# This can be used on data of type: double, long.

10257

#

10258

# If the bound Value type differs from the type of data

10259

# being transformed, we will first attempt converting the type of the data to

10260

# be transformed to match the type of the bound before comparing.

10261

#

10262

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10263

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

10264

# grouped together into a single bucket; for example if `upper_bound` = 89,

10265

# then all values greater than 89 are replaced with the value "89+".

10266

# Note that for the purposes of inspection or transformation, the number

10267

# of bytes considered to comprise a 'Value' is based on its representation

10268

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10269

# 123456789, the number of bytes would be counted as 9, even though an

10270

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10271

"timestampValue": "A String", # timestamp

10272

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10273

# and time zone are either specified elsewhere or are not significant. The date

10274

# is relative to the Proleptic Gregorian Calendar. This can represent:

10275

#

10276

# * A full date, with non-zero year, month and day values

10277

# * A month and day value, with a zero year, e.g. an anniversary

10278

# * A year on its own, with zero month and day values

10279

# * A year and month value, with a zero day, e.g. a credit card expiration date

10280

#

10281

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10282

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10283

# a year.

10284

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10285

# month and day.

10286

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10287

# if specifying a year by itself or a year and month where the day is not

10288

# significant.

10289

},

10290

"stringValue": "A String", # string

10291

"integerValue": "A String", # integer

10292

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10293

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10294

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10295

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10296

# to allow the value "24:00:00" for scenarios like business closing time.

10297

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10298

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10299

# allow the value 60 if it allows leap-seconds.

10300

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10301

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10302

"booleanValue": True or False, # boolean

10303

"floatValue": 3.14, # float

10304

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10305

},

10306

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

10307

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

10308

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

10309

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10310

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

10311

# grouped together into a single bucket; for example if `lower_bound` = 10,

10312

# then all values less than 10 are replaced with the value "-10".

10313

# Note that for the purposes of inspection or transformation, the number

10314

# of bytes considered to comprise a 'Value' is based on its representation

10315

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10316

# 123456789, the number of bytes would be counted as 9, even though an

10317

# int64 only holds up to 8 bytes of data.

10318

"timestampValue": "A String", # timestamp

10319

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10320

# and time zone are either specified elsewhere or are not significant. The date

10321

# is relative to the Proleptic Gregorian Calendar. This can represent:

10322

#

10323

# * A full date, with non-zero year, month and day values

10324

# * A month and day value, with a zero year, e.g. an anniversary

10325

# * A year on its own, with zero month and day values

10326

# * A year and month value, with a zero day, e.g. a credit card expiration date

10327

#

10328

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10329

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10330

# a year.

10331

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10332

# month and day.

10333

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10334

# if specifying a year by itself or a year and month where the day is not

10335

# significant.

10336

},

10337

"stringValue": "A String", # string

10338

"integerValue": "A String", # integer

10339

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10340

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10341

# types are google.type.Date and `google.protobuf.Timestamp`.

10342

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10343

# to allow the value "24:00:00" for scenarios like business closing time.

10344

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10345

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10346

# allow the value 60 if it allows leap-seconds.

10347

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10348

},

10349

"booleanValue": True or False, # boolean

10350

"floatValue": 3.14, # float

10351

"dayOfWeekValue": "A String", # day of week

10352

},

10353

},

10354

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

10355

# fixed character. Masking can start from the beginning or end of the string.

10356

# This can be used on data of any type (numbers, longs, and so on) and when

10357

# de-identifying structured data we'll attempt to preserve the original data's

10358

# type. (This allows you to take a long like 123 and modify it to a string like

10359

# **3.

10360

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

10361

# characters. For example, if the input string is `555-555-5555` and you

10362

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

10363

# returns `***-**5-5555`.

10364

{ # Characters to skip when doing deidentification of a value. These will be left

10365

# alone and skipped.

10366

"charactersToSkip": "A String", # Characters to not transform when masking.

10367

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

10372

# masked. Skipped characters do not count towards this tally.

10373

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

10374

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

10375

# code or credit card number. This string must have a length of 1. If not

10376

# supplied, this value defaults to `*` for strings, and `0` for digits.

10377

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

10378

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

10379

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

10380

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

10381

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10382

},

10383

},

10384

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

10385

# given `RecordCondition`. The conditions are allowed to reference fields

10386

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

10391

# column for the same record is within a specific range.

10392

# - Redact a field if the date of birth field is greater than 85.

10393

# a field.

10394

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

10395

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

10396

# only supported value is `AND`.

10397

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

10398

"conditions": [ # A collection of conditions.

10399

{ # The field type of `value` and `field` do not need to match to be

10400

# considered equal, but not all comparisons are possible.

10401

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

10402

# but all other comparisons are invalid with incompatible types.

10403

# A `value` of type:

10404

#

10405

# - `string` can be compared against all other types

10406

# - `boolean` can only be compared against other booleans

10407

# - `integer` can be compared against doubles or a string if the string value

10408

# can be parsed as an integer.

10409

# - `double` can be compared against integers or a string if the string can

10410

# be parsed as a double.

10411

# - `Timestamp` can be compared against strings in RFC 3339 date string

10412

# format.

10413

# - `TimeOfDay` can be compared against timestamps and strings in the format

10414

# of 'HH:mm:ss'.

10415

#

10416

# If we fail to compare do to type mismatch, a warning will be given and

10417

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10418

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

10419

# Note that for the purposes of inspection or transformation, the number

10420

# of bytes considered to comprise a 'Value' is based on its representation

10421

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10422

# 123456789, the number of bytes would be counted as 9, even though an

10423

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10424

"timestampValue": "A String", # timestamp

10425

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10426

# and time zone are either specified elsewhere or are not significant. The date

10427

# is relative to the Proleptic Gregorian Calendar. This can represent:

10428

#

10429

# * A full date, with non-zero year, month and day values

10430

# * A month and day value, with a zero year, e.g. an anniversary

10431

# * A year on its own, with zero month and day values

10432

# * A year and month value, with a zero day, e.g. a credit card expiration date

10433

#

10434

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10435

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10436

# a year.

10437

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10438

# month and day.

10439

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10440

# if specifying a year by itself or a year and month where the day is not

10441

# significant.

10442

},

10443

"stringValue": "A String", # string

10444

"integerValue": "A String", # integer

10445

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10446

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10447

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10448

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10449

# to allow the value "24:00:00" for scenarios like business closing time.

10450

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10451

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10452

# allow the value 60 if it allows leap-seconds.

10453

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10454

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10455

"booleanValue": True or False, # boolean

10456

"floatValue": 3.14, # float

10457

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10458

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10459

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

10460

"name": "A String", # Name describing the field.

10461

},

10462

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10463

},

10464

],

10465

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10466

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10467

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10468

},

10469

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10470

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

10471

# match any suppression rule are omitted from the output.

10472

{ # Configuration to suppress records whose suppression conditions evaluate to

10473

# true.

10474

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

10475

# evaluated to be suppressed from the transformed content.

10476

# a field.

10477

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

10478

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

10479

# only supported value is `AND`.

10480

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

10481

"conditions": [ # A collection of conditions.

10482

{ # The field type of `value` and `field` do not need to match to be

10483

# considered equal, but not all comparisons are possible.

10484

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

10485

# but all other comparisons are invalid with incompatible types.

10486

# A `value` of type:

10487

#

10488

# - `string` can be compared against all other types

10489

# - `boolean` can only be compared against other booleans

10490

# - `integer` can be compared against doubles or a string if the string value

10491

# can be parsed as an integer.

10492

# - `double` can be compared against integers or a string if the string can

10493

# be parsed as a double.

10494

# - `Timestamp` can be compared against strings in RFC 3339 date string

10495

# format.

10496

# - `TimeOfDay` can be compared against timestamps and strings in the format

10497

# of 'HH:mm:ss'.

10498

#

10499

# If we fail to compare do to type mismatch, a warning will be given and

10500

# the condition will evaluate to false.

10501

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

10502

# Note that for the purposes of inspection or transformation, the number

10503

# of bytes considered to comprise a 'Value' is based on its representation

10504

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10505

# 123456789, the number of bytes would be counted as 9, even though an

10506

# int64 only holds up to 8 bytes of data.

10507

"timestampValue": "A String", # timestamp

10508

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10509

# and time zone are either specified elsewhere or are not significant. The date

10510

# is relative to the Proleptic Gregorian Calendar. This can represent:

10511

#

10512

# * A full date, with non-zero year, month and day values

10513

# * A month and day value, with a zero year, e.g. an anniversary

10514

# * A year on its own, with zero month and day values

10515

# * A year and month value, with a zero day, e.g. a credit card expiration date

10516

#

10517

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10518

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10519

# a year.

10520

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10521

# month and day.

10522

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10523

# if specifying a year by itself or a year and month where the day is not

10524

# significant.

10525

},

10526

"stringValue": "A String", # string

10527

"integerValue": "A String", # integer

10528

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10529

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10530

# types are google.type.Date and `google.protobuf.Timestamp`.

10531

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10532

# to allow the value "24:00:00" for scenarios like business closing time.

10533

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10534

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10535

# allow the value 60 if it allows leap-seconds.

10536

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10537

},

10538

"booleanValue": True or False, # boolean

10539

"floatValue": 3.14, # float

10540

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10541

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10542

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

10543

"name": "A String", # Name describing the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10544

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10545

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10546

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10547

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10548

},

10549

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10550

},

10551

},

10552

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10553

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10554

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10555

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10556

"updateMask": "A String", # Mask to control which fields get updated.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10557

}

10558

10559

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

10566

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

10567

{ # DeidentifyTemplates contains instructions on how to de-identify content.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

10568

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

10569

"name": "A String", # Output only. The template name.

10570

#

10571

# The template will have one of the following formats:

10572

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

10573

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

10574

"description": "A String", # Short description (max 256 chars).

10575

"displayName": "A String", # Display name (max 256 chars).

10576

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

10577

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

10578

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

10579

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

10580

# transformation everywhere.

10581

# apply various `PrimitiveTransformation`s to each finding, where the

10582

# transformation is applied to only values that were identified as a specific

10583

# info_type.

10584

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

10585

# for a given infoType.

10586

{ # A transformation to apply to text that is identified as a specific

10587

# info_type.

10588

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

10589

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

10590

# portion of the value.

10591

"partToExtract": "A String", # The part of the time to keep.

10592

},

10593

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

10594

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

10595

# to learn more.

10596

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

10597

# If set, must also set cryptoKey. If set, shift will be consistent for the

10598

# given context.

10599

"name": "A String", # Name describing the field.

10600

},

10601

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

10602

# range (inclusive ends). Negative means shift to earlier in time. Must not

10603

# be more than 365250 days (1000 years) each direction.

10604

#

10605

# For example, 3 means shift date to at most 3 days into the future.

10606

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

10607

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

10608

# results in the same shift for the same context and crypto_key. If

10609

# set, must also set context. Can only be applied to table items.

10610

# a key encryption key (KEK) stored by KMS).

10611

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10612

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10613

# unwrap the data crypto key.

10614

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10615

# leaking the key. Choose another type of key if possible.

10616

"key": "A String", # Required. A 128/192/256 bit key.

10617

},

10618

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10619

# It will be discarded after the request finishes.

10620

"name": "A String", # Required. Name of the key.

10621

# This is an arbitrary string used to differentiate different keys.

10622

# A unique key is generated per name: two separate `TransientCryptoKey`

10623

# protos share the same generated key if their names are the same.

10624

# When the data crypto key is generated, this name is not used in any way

10625

# (repeating the api call will result in a different key being generated).

10626

},

10627

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10628

# The wrapped key must be a 128/192/256 bit key.

10629

# Authorization requires the following IAM permissions when sending a request

10630

# to perform a crypto transformation using a kms-wrapped crypto key:

10631

# dlp.kms.encrypt

10632

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10633

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

10638

},

10639

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

10640

# Uses SHA-256.

10641

# The key size must be either 32 or 64 bytes.

10642

# Outputs a base64 encoded representation of the hashed output

10643

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

10644

# Currently, only string and integer values can be hashed.

10645

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

10646

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

10647

# a key encryption key (KEK) stored by KMS).

10648

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10649

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10650

# unwrap the data crypto key.

10651

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10652

# leaking the key. Choose another type of key if possible.

10653

"key": "A String", # Required. A 128/192/256 bit key.

10654

},

10655

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10656

# It will be discarded after the request finishes.

10657

"name": "A String", # Required. Name of the key.

10658

# This is an arbitrary string used to differentiate different keys.

10659

# A unique key is generated per name: two separate `TransientCryptoKey`

10660

# protos share the same generated key if their names are the same.

10661

# When the data crypto key is generated, this name is not used in any way

10662

# (repeating the api call will result in a different key being generated).

10663

},

10664

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10665

# The wrapped key must be a 128/192/256 bit key.

10666

# Authorization requires the following IAM permissions when sending a request

10667

# to perform a crypto transformation using a kms-wrapped crypto key:

10668

# dlp.kms.encrypt

10669

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10670

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

10675

# (FPE) with the FFX mode of operation; however when used in the

10676

# `ReidentifyContent` API method, it serves the opposite function by reversing

10677

# the surrogate back into the original identifier. The identifier must be

10678

# encoded as ASCII. For a given crypto key and context, the same identifier

10679

# will be replaced with the same surrogate. Identifiers must be at least two

10680

# characters long. In the case that the identifier is the empty string, it will

10681

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

10682

# more.

10683

#

10684

# Note: We recommend using CryptoDeterministicConfig for all use cases which

10685

# do not require preserving the input alphabet space and size, plus warrant

10686

# referential integrity.

10687

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

10688

# This annotation will be applied to the surrogate by prefixing it with

10689

# the name of the custom infoType followed by the number of

10690

# characters comprising the surrogate. The following scheme defines the

10691

# format: info_type_name(surrogate_character_count):surrogate

10692

#

10693

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

10694

# the surrogate is 'abc', the full replacement value

10695

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10696

#

10697

# This annotation identifies the surrogate when inspecting content using the

10698

# custom infoType

10699

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

10700

# This facilitates reversal of the surrogate when it occurs in free text.

10701

#

10702

# In order for inspection to work properly, the name of this infoType must

10703

# not occur naturally anywhere in your data; otherwise, inspection may

10704

# find a surrogate that does not correspond to an actual identifier.

10705

# Therefore, choose your custom infoType name carefully after considering

10706

# what your data looks like. One way to select a name that has a high chance

10707

# of yielding reliable detection is to include one or more unicode characters

10708

# that are highly improbable to exist in your data.

10709

# For example, assuming your data is entered from a regular ASCII keyboard,

10710

# the symbol with the hex code point 29DD might be used like so:

10711

# ⧝MY_TOKEN_TYPE

10712

"name": "A String", # Name of the information type. Either a name of your choosing when

10713

# creating a CustomInfoType, or one of the names listed

10714

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10715

# a built-in type. InfoType names should conform to the pattern

10716

# `[a-zA-Z0-9_]{1,64}`.

10717

},

10718

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

10719

# identifier in two different contexts won't be given the same surrogate. If

10720

# the context is not set, a default tweak will be used.

10721

#

10722

# If the context is set but:

10723

#

10724

# 1. there is no record present when transforming a given value or

10725

# 1. the field is not present when transforming a given value,

10726

#

10727

# a default tweak will be used.

10728

#

10729

# Note that case (1) is expected when an `InfoTypeTransformation` is

10730

# applied to both structured and non-structured `ContentItem`s.

10731

# Currently, the referenced field may be of value type integer or string.

10732

#

10733

# The tweak is constructed as a sequence of bytes in big endian byte order

10734

# such that:

10735

#

10736

# - a 64 bit integer is encoded followed by a single byte of value 1

10737

# - a string is encoded in UTF-8 format followed by a single byte of value 2

10738

"name": "A String", # Name describing the field.

10739

},

10740

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

10741

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

10742

# a key encryption key (KEK) stored by KMS).

10743

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10744

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10745

# unwrap the data crypto key.

10746

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10747

# leaking the key. Choose another type of key if possible.

10748

"key": "A String", # Required. A 128/192/256 bit key.

10749

},

10750

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10751

# It will be discarded after the request finishes.

10752

"name": "A String", # Required. Name of the key.

10753

# This is an arbitrary string used to differentiate different keys.

10754

# A unique key is generated per name: two separate `TransientCryptoKey`

10755

# protos share the same generated key if their names are the same.

10756

# When the data crypto key is generated, this name is not used in any way

10757

# (repeating the api call will result in a different key being generated).

10758

},

10759

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10760

# The wrapped key must be a 128/192/256 bit key.

10761

# Authorization requires the following IAM permissions when sending a request

10762

# to perform a crypto transformation using a kms-wrapped crypto key:

10763

# dlp.kms.encrypt

10764

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10765

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10766

},

10767

},

10768

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

10769

# that the FFX mode natively supports. This happens before/after

10770

# encryption/decryption.

10771

# Each character listed must appear only once.

10772

# Number of characters must be in the range [2, 95].

10773

# This must be encoded as ASCII.

10774

# The order of characters does not matter.

10775

"commonAlphabet": "A String", # Common alphabets.

10776

},

10777

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

10778

# input. Outputs a base64 encoded representation of the encrypted output.

10779

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

10780

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

10781

# This annotation will be applied to the surrogate by prefixing it with

10782

# the name of the custom info type followed by the number of

10783

# characters comprising the surrogate. The following scheme defines the

10784

# format: {info type name}({surrogate character count}):{surrogate}

10785

#

10786

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

10787

# the surrogate is 'abc', the full replacement value

10788

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10789

#

10790

# This annotation identifies the surrogate when inspecting content using the

10791

# custom info type 'Surrogate'. This facilitates reversal of the

10792

# surrogate when it occurs in free text.

10793

#

10794

# Note: For record transformations where the entire cell in a table is being

10795

# transformed, surrogates are not mandatory. Surrogates are used to denote

10796

# the location of the token and are necessary for re-identification in free

10797

# form text.

10798

#

10799

# In order for inspection to work properly, the name of this info type must

10800

# not occur naturally anywhere in your data; otherwise, inspection may either

10801

#

10802

# - reverse a surrogate that does not correspond to an actual identifier

10803

# - be unable to parse the surrogate and result in an error

10804

#

10805

# Therefore, choose your custom info type name carefully after considering

10806

# what your data looks like. One way to select a name that has a high chance

10807

# of yielding reliable detection is to include one or more unicode characters

10808

# that are highly improbable to exist in your data.

10809

# For example, assuming your data is entered from a regular ASCII keyboard,

10810

# the symbol with the hex code point 29DD might be used like so:

10811

# ⧝MY_TOKEN_TYPE.

10812

"name": "A String", # Name of the information type. Either a name of your choosing when

10813

# creating a CustomInfoType, or one of the names listed

10814

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10815

# a built-in type. InfoType names should conform to the pattern

10816

# `[a-zA-Z0-9_]{1,64}`.

10817

},

10818

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

10819

# referential integrity such that the same identifier in two different

10820

# contexts will be given a distinct surrogate. The context is appended to

10821

# plaintext value being encrypted. On decryption the provided context is

10822

# validated against the value used during encryption. If a context was

10823

# provided during encryption, same context must be provided during decryption

10824

# as well.

10825

#

10826

# If the context is not set, plaintext would be used as is for encryption.

10827

# If the context is set but:

10828

#

10829

# 1. there is no record present when transforming a given value or

10830

# 2. the field is not present when transforming a given value,

10831

#

10832

# plaintext would be used as is for encryption.

10833

#

10834

# Note that case (1) is expected when an `InfoTypeTransformation` is

10835

# applied to both structured and non-structured `ContentItem`s.

10836

"name": "A String", # Name describing the field.

10837

},

10838

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

10839

# a key encryption key (KEK) stored by KMS).

10840

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10841

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10842

# unwrap the data crypto key.

10843

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10844

# leaking the key. Choose another type of key if possible.

10845

"key": "A String", # Required. A 128/192/256 bit key.

10846

},

10847

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10848

# It will be discarded after the request finishes.

10849

"name": "A String", # Required. Name of the key.

10850

# This is an arbitrary string used to differentiate different keys.

10851

# A unique key is generated per name: two separate `TransientCryptoKey`

10852

# protos share the same generated key if their names are the same.

10853

# When the data crypto key is generated, this name is not used in any way

10854

# (repeating the api call will result in a different key being generated).

10855

},

10856

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10857

# The wrapped key must be a 128/192/256 bit key.

10858

# Authorization requires the following IAM permissions when sending a request

10859

# to perform a crypto transformation using a kms-wrapped crypto key:

10860

# dlp.kms.encrypt

10861

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10862

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

10867

# replacement values are dynamically provided by the user for custom behavior,

10868

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

10869

# This can be used on

10870

# data of type: number, long, string, timestamp.

10871

# If the bound `Value` type differs from the type of data being transformed, we

10872

# will first attempt converting the type of the data to be transformed to match

10873

# the type of the bound before comparing.

10874

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

10875

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

10876

{ # Bucket is represented as a range, along with replacement values.

10877

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

10878

# the default behavior will be to hyphenate the min-max range.

10879

# Note that for the purposes of inspection or transformation, the number

10880

# of bytes considered to comprise a 'Value' is based on its representation

10881

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10882

# 123456789, the number of bytes would be counted as 9, even though an

10883

# int64 only holds up to 8 bytes of data.

10884

"timestampValue": "A String", # timestamp

10885

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10886

# and time zone are either specified elsewhere or are not significant. The date

10887

# is relative to the Proleptic Gregorian Calendar. This can represent:

10888

#

10889

# * A full date, with non-zero year, month and day values

10890

# * A month and day value, with a zero year, e.g. an anniversary

10891

# * A year on its own, with zero month and day values

10892

# * A year and month value, with a zero day, e.g. a credit card expiration date

10893

#

10894

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10895

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10896

# a year.

10897

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10898

# month and day.

10899

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10900

# if specifying a year by itself or a year and month where the day is not

10901

# significant.

10902

},

10903

"stringValue": "A String", # string

10904

"integerValue": "A String", # integer

10905

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10906

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10907

# types are google.type.Date and `google.protobuf.Timestamp`.

10908

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10909

# to allow the value "24:00:00" for scenarios like business closing time.

10910

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10911

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10912

# allow the value 60 if it allows leap-seconds.

10913

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10914

},

10915

"booleanValue": True or False, # boolean

10916

"floatValue": 3.14, # float

10917

"dayOfWeekValue": "A String", # day of week

10918

},

10919

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

10920

# used.

10921

# Note that for the purposes of inspection or transformation, the number

10922

# of bytes considered to comprise a 'Value' is based on its representation

10923

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10924

# 123456789, the number of bytes would be counted as 9, even though an

10925

# int64 only holds up to 8 bytes of data.

10926

"timestampValue": "A String", # timestamp

10927

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10928

# and time zone are either specified elsewhere or are not significant. The date

10929

# is relative to the Proleptic Gregorian Calendar. This can represent:

10930

#

10931

# * A full date, with non-zero year, month and day values

10932

# * A month and day value, with a zero year, e.g. an anniversary

10933

# * A year on its own, with zero month and day values

10934

# * A year and month value, with a zero day, e.g. a credit card expiration date

10935

#

10936

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10937

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10938

# a year.

10939

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10940

# month and day.

10941

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10942

# if specifying a year by itself or a year and month where the day is not

10943

# significant.

10944

},

10945

"stringValue": "A String", # string

10946

"integerValue": "A String", # integer

10947

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10948

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10949

# types are google.type.Date and `google.protobuf.Timestamp`.

10950

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10951

# to allow the value "24:00:00" for scenarios like business closing time.

10952

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10953

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10954

# allow the value 60 if it allows leap-seconds.

10955

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10956

},

10957

"booleanValue": True or False, # boolean

10958

"floatValue": 3.14, # float

10959

"dayOfWeekValue": "A String", # day of week

10960

},

10961

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

10962

# Note that for the purposes of inspection or transformation, the number

10963

# of bytes considered to comprise a 'Value' is based on its representation

10964

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10965

# 123456789, the number of bytes would be counted as 9, even though an

10966

# int64 only holds up to 8 bytes of data.

10967

"timestampValue": "A String", # timestamp

10968

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10969

# and time zone are either specified elsewhere or are not significant. The date

10970

# is relative to the Proleptic Gregorian Calendar. This can represent:

10971

#

10972

# * A full date, with non-zero year, month and day values

10973

# * A month and day value, with a zero year, e.g. an anniversary

10974

# * A year on its own, with zero month and day values

10975

# * A year and month value, with a zero day, e.g. a credit card expiration date

10976

#

10977

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10978

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10979

# a year.

10980

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10981

# month and day.

10982

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10983

# if specifying a year by itself or a year and month where the day is not

10984

# significant.

10985

},

10986

"stringValue": "A String", # string

10987

"integerValue": "A String", # integer

10988

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10989

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10990

# types are google.type.Date and `google.protobuf.Timestamp`.

10991

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10992

# to allow the value "24:00:00" for scenarios like business closing time.

10993

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10994

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10995

# allow the value 60 if it allows leap-seconds.

10996

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10997

},

10998

"booleanValue": True or False, # boolean

10999

"floatValue": 3.14, # float

11000

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

11006

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

11007

# output would be 'My phone number is '.

11008

},

11009

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

11010

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

11011

# Note that for the purposes of inspection or transformation, the number

11012

# of bytes considered to comprise a 'Value' is based on its representation

11013

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11014

# 123456789, the number of bytes would be counted as 9, even though an

11015

# int64 only holds up to 8 bytes of data.

11016

"timestampValue": "A String", # timestamp

11017

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11018

# and time zone are either specified elsewhere or are not significant. The date

11019

# is relative to the Proleptic Gregorian Calendar. This can represent:

11020

#

11021

# * A full date, with non-zero year, month and day values

11022

# * A month and day value, with a zero year, e.g. an anniversary

11023

# * A year on its own, with zero month and day values

11024

# * A year and month value, with a zero day, e.g. a credit card expiration date

11025

#

11026

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11027

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11028

# a year.

11029

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11030

# month and day.

11031

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11032

# if specifying a year by itself or a year and month where the day is not

11033

# significant.

11034

},

11035

"stringValue": "A String", # string

11036

"integerValue": "A String", # integer

11037

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11038

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11039

# types are google.type.Date and `google.protobuf.Timestamp`.

11040

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11041

# to allow the value "24:00:00" for scenarios like business closing time.

11042

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11043

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11044

# allow the value 60 if it allows leap-seconds.

11045

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11046

},

11047

"booleanValue": True or False, # boolean

11048

"floatValue": 3.14, # float

11049

"dayOfWeekValue": "A String", # day of week

11050

},

11051

},

11052

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

11053

# Bucketing transformation can provide all of this functionality,

11054

# but requires more configuration. This message is provided as a convenience to

11055

# the user for simple bucketing strategies.

11056

#

11057

# The transformed value will be a hyphenated string of

11058

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

11059

# all values that are within this bucket will be replaced with "10-20".

11060

#

11061

# This can be used on data of type: double, long.

11062

#

11063

# If the bound Value type differs from the type of data

11064

# being transformed, we will first attempt converting the type of the data to

11065

# be transformed to match the type of the bound before comparing.

11066

#

11067

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

11068

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

11069

# grouped together into a single bucket; for example if `upper_bound` = 89,

11070

# then all values greater than 89 are replaced with the value "89+".

11071

# Note that for the purposes of inspection or transformation, the number

11072

# of bytes considered to comprise a 'Value' is based on its representation

11073

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11074

# 123456789, the number of bytes would be counted as 9, even though an

11075

# int64 only holds up to 8 bytes of data.

11076

"timestampValue": "A String", # timestamp

11077

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11078

# and time zone are either specified elsewhere or are not significant. The date

11079

# is relative to the Proleptic Gregorian Calendar. This can represent:

11080

#

11081

# * A full date, with non-zero year, month and day values

11082

# * A month and day value, with a zero year, e.g. an anniversary

11083

# * A year on its own, with zero month and day values

11084

# * A year and month value, with a zero day, e.g. a credit card expiration date

11085

#

11086

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11087

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11088

# a year.

11089

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11090

# month and day.

11091

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11092

# if specifying a year by itself or a year and month where the day is not

11093

# significant.

11094

},

11095

"stringValue": "A String", # string

11096

"integerValue": "A String", # integer

11097

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11098

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11099

# types are google.type.Date and `google.protobuf.Timestamp`.

11100

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11101

# to allow the value "24:00:00" for scenarios like business closing time.

11102

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11103

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11104

# allow the value 60 if it allows leap-seconds.

11105

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11106

},

11107

"booleanValue": True or False, # boolean

11108

"floatValue": 3.14, # float

11109

"dayOfWeekValue": "A String", # day of week

11110

},

11111

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

11112

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

11113

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

11114

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

11115

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

11116

# grouped together into a single bucket; for example if `lower_bound` = 10,

11117

# then all values less than 10 are replaced with the value "-10".

11118

# Note that for the purposes of inspection or transformation, the number

11119

# of bytes considered to comprise a 'Value' is based on its representation

11120

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11121

# 123456789, the number of bytes would be counted as 9, even though an

11122

# int64 only holds up to 8 bytes of data.

11123

"timestampValue": "A String", # timestamp

11124

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11125

# and time zone are either specified elsewhere or are not significant. The date

11126

# is relative to the Proleptic Gregorian Calendar. This can represent:

11127

#

11128

# * A full date, with non-zero year, month and day values

11129

# * A month and day value, with a zero year, e.g. an anniversary

11130

# * A year on its own, with zero month and day values

11131

# * A year and month value, with a zero day, e.g. a credit card expiration date

11132

#

11133

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11134

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11135

# a year.

11136

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11137

# month and day.

11138

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11139

# if specifying a year by itself or a year and month where the day is not

11140

# significant.

11141

},

11142

"stringValue": "A String", # string

11143

"integerValue": "A String", # integer

11144

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11145

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11146

# types are google.type.Date and `google.protobuf.Timestamp`.

11147

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11148

# to allow the value "24:00:00" for scenarios like business closing time.

11149

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11150

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11151

# allow the value 60 if it allows leap-seconds.

11152

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11153

},

11154

"booleanValue": True or False, # boolean

11155

"floatValue": 3.14, # float

11156

"dayOfWeekValue": "A String", # day of week

11157

},

11158

},

11159

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

11160

# fixed character. Masking can start from the beginning or end of the string.

11161

# This can be used on data of any type (numbers, longs, and so on) and when

11162

# de-identifying structured data we'll attempt to preserve the original data's

11163

# type. (This allows you to take a long like 123 and modify it to a string like

11164

# **3.

11165

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

11166

# characters. For example, if the input string is `555-555-5555` and you

11167

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

11168

# returns `***-**5-5555`.

11169

{ # Characters to skip when doing deidentification of a value. These will be left

11170

# alone and skipped.

11171

"charactersToSkip": "A String", # Characters to not transform when masking.

11172

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

11177

# masked. Skipped characters do not count towards this tally.

11178

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

11179

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

11180

# code or credit card number. This string must have a length of 1. If not

11181

# supplied, this value defaults to `*` for strings, and `0` for digits.

11182

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

11183

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

11184

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

11185

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

11186

# is `true`, then the string `12345` is masked as `12***`.

11187

},

11188

},

11189

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

11190

# this transformation to apply to all findings that correspond to

11191

# infoTypes that were requested in `InspectConfig`.

11192

{ # Type of information detected by the API.

11193

"name": "A String", # Name of the information type. Either a name of your choosing when

11194

# creating a CustomInfoType, or one of the names listed

11195

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11196

# a built-in type. InfoType names should conform to the pattern

11197

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11203

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

11204

# mode is `TransformationErrorHandling.ThrowError`.

11205

# transformation error occurs when the requested transformation is incompatible

11206

# with the data. For example, trying to de-identify an IP address using a

11207

# `DateShift` transformation would result in a transformation error, since date

11208

# info cannot be extracted from an IP address.

11209

# Information about any incompatible transformations, and how they were

11210

# handled, is returned in the response as part of the

11211

# `TransformationOverviews`.

11212

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

11213

},

11214

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

11215

# cause an error. For example, if a `DateShift` transformation were applied

11216

# an an IP address, this mode would leave the IP address unchanged in the

11217

# response.

11218

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11219

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11220

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11221

# specific locations within structured datasets, such as transforming

11222

# a column within a table.

11223

# table.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11224

"fieldTransformations": [ # Transform the record by applying various field transformations.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11225

{ # The transformation to apply to the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11226

"fields": [ # Required. Input field(s) to apply the transformation to.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11227

{ # General identifier of a data field in a storage service.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11228

"name": "A String", # Name describing the field.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11229

},

11230

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11231

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11232

# transform content that matches an `InfoType`.

11233

# apply various `PrimitiveTransformation`s to each finding, where the

11234

# transformation is applied to only values that were identified as a specific

11235

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11236

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11237

# for a given infoType.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11238

{ # A transformation to apply to text that is identified as a specific

11239

# info_type.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11240

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

11241

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

11242

# portion of the value.

11243

"partToExtract": "A String", # The part of the time to keep.

11244

},

11245

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

11246

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

11247

# to learn more.

11248

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

11249

# If set, must also set cryptoKey. If set, shift will be consistent for the

11250

# given context.

11251

"name": "A String", # Name describing the field.

11252

},

11253

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

11254

# range (inclusive ends). Negative means shift to earlier in time. Must not

11255

# be more than 365250 days (1000 years) each direction.

11256

#

11257

# For example, 3 means shift date to at most 3 days into the future.

11258

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

11259

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

11260

# results in the same shift for the same context and crypto_key. If

11261

# set, must also set context. Can only be applied to table items.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11262

# a key encryption key (KEK) stored by KMS).

11263

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11264

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11265

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11266

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11267

# leaking the key. Choose another type of key if possible.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11268

"key": "A String", # Required. A 128/192/256 bit key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11269

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11270

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11271

# It will be discarded after the request finishes.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11272

"name": "A String", # Required. Name of the key.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11273

# This is an arbitrary string used to differentiate different keys.

11274

# A unique key is generated per name: two separate `TransientCryptoKey`

11275

# protos share the same generated key if their names are the same.

11276

# When the data crypto key is generated, this name is not used in any way

11277

# (repeating the api call will result in a different key being generated).

11278

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11279

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11280

# The wrapped key must be a 128/192/256 bit key.

11281

# Authorization requires the following IAM permissions when sending a request

11282

# to perform a crypto transformation using a kms-wrapped crypto key:

11283

# dlp.kms.encrypt

11284

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11285

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11286

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11287

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11288

},

11289

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

11290

},

11291

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

11292

# Uses SHA-256.

11293

# The key size must be either 32 or 64 bytes.

11294

# Outputs a base64 encoded representation of the hashed output

11295

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

11296

# Currently, only string and integer values can be hashed.

11297

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

11298

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

11299

# a key encryption key (KEK) stored by KMS).

11300

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11301

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11302

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11303

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11304

# leaking the key. Choose another type of key if possible.

11305

"key": "A String", # Required. A 128/192/256 bit key.

11306

},

11307

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11308

# It will be discarded after the request finishes.

11309

"name": "A String", # Required. Name of the key.

11310

# This is an arbitrary string used to differentiate different keys.

11311

# A unique key is generated per name: two separate `TransientCryptoKey`

11312

# protos share the same generated key if their names are the same.

11313

# When the data crypto key is generated, this name is not used in any way

11314

# (repeating the api call will result in a different key being generated).

11315

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11316

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11317

# The wrapped key must be a 128/192/256 bit key.

11318

# Authorization requires the following IAM permissions when sending a request

11319

# to perform a crypto transformation using a kms-wrapped crypto key:

11320

# dlp.kms.encrypt

11321

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11322

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11323

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11324

},

11325

},

11326

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

11327

# (FPE) with the FFX mode of operation; however when used in the

11328

# `ReidentifyContent` API method, it serves the opposite function by reversing

11329

# the surrogate back into the original identifier. The identifier must be

11330

# encoded as ASCII. For a given crypto key and context, the same identifier

11331

# will be replaced with the same surrogate. Identifiers must be at least two

11332

# characters long. In the case that the identifier is the empty string, it will

11333

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

11334

# more.

11335

#

11336

# Note: We recommend using CryptoDeterministicConfig for all use cases which

11337

# do not require preserving the input alphabet space and size, plus warrant

11338

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11339

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

11340

# This annotation will be applied to the surrogate by prefixing it with

11341

# the name of the custom infoType followed by the number of

11342

# characters comprising the surrogate. The following scheme defines the

11343

# format: info_type_name(surrogate_character_count):surrogate

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11344

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11345

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

11346

# the surrogate is 'abc', the full replacement value

11347

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11348

#

11349

# This annotation identifies the surrogate when inspecting content using the

11350

# custom infoType

11351

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

11352

# This facilitates reversal of the surrogate when it occurs in free text.

11353

#

11354

# In order for inspection to work properly, the name of this infoType must

11355

# not occur naturally anywhere in your data; otherwise, inspection may

11356

# find a surrogate that does not correspond to an actual identifier.

11357

# Therefore, choose your custom infoType name carefully after considering

11358

# what your data looks like. One way to select a name that has a high chance

11359

# of yielding reliable detection is to include one or more unicode characters

11360

# that are highly improbable to exist in your data.

11361

# For example, assuming your data is entered from a regular ASCII keyboard,

11362

# the symbol with the hex code point 29DD might be used like so:

11363

# ⧝MY_TOKEN_TYPE

11364

"name": "A String", # Name of the information type. Either a name of your choosing when

11365

# creating a CustomInfoType, or one of the names listed

11366

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11367

# a built-in type. InfoType names should conform to the pattern

11368

# `[a-zA-Z0-9_]{1,64}`.

11369

},

11370

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

11371

# identifier in two different contexts won't be given the same surrogate. If

11372

# the context is not set, a default tweak will be used.

11373

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11374

# If the context is set but:

11375

#

11376

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11377

# 1. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11378

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11379

# a default tweak will be used.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11380

#

11381

# Note that case (1) is expected when an `InfoTypeTransformation` is

11382

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11383

# Currently, the referenced field may be of value type integer or string.

11384

#

11385

# The tweak is constructed as a sequence of bytes in big endian byte order

11386

# such that:

11387

#

11388

# - a 64 bit integer is encoded followed by a single byte of value 1

11389

# - a string is encoded in UTF-8 format followed by a single byte of value 2

11390

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11391

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11392

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

11393

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

11394

# a key encryption key (KEK) stored by KMS).

11395

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11396

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11397

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11398

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11399

# leaking the key. Choose another type of key if possible.

11400

"key": "A String", # Required. A 128/192/256 bit key.

11401

},

11402

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11403

# It will be discarded after the request finishes.

11404

"name": "A String", # Required. Name of the key.

11405

# This is an arbitrary string used to differentiate different keys.

11406

# A unique key is generated per name: two separate `TransientCryptoKey`

11407

# protos share the same generated key if their names are the same.

11408

# When the data crypto key is generated, this name is not used in any way

11409

# (repeating the api call will result in a different key being generated).

11410

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11411

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11412

# The wrapped key must be a 128/192/256 bit key.

11413

# Authorization requires the following IAM permissions when sending a request

11414

# to perform a crypto transformation using a kms-wrapped crypto key:

11415

# dlp.kms.encrypt

11416

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11417

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11418

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11419

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11420

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

11421

# that the FFX mode natively supports. This happens before/after

11422

# encryption/decryption.

11423

# Each character listed must appear only once.

11424

# Number of characters must be in the range [2, 95].

11425

# This must be encoded as ASCII.

11426

# The order of characters does not matter.

11427

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11428

},

11429

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

11430

# input. Outputs a base64 encoded representation of the encrypted output.

11431

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

11432

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11433

# This annotation will be applied to the surrogate by prefixing it with

11434

# the name of the custom info type followed by the number of

11435

# characters comprising the surrogate. The following scheme defines the

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11436

# format: {info type name}({surrogate character count}):{surrogate}

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11437

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11438

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

11439

# the surrogate is 'abc', the full replacement value

11440

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11441

#

11442

# This annotation identifies the surrogate when inspecting content using the

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11443

# custom info type 'Surrogate'. This facilitates reversal of the

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11444

# surrogate when it occurs in free text.

11445

#

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11446

# Note: For record transformations where the entire cell in a table is being

11447

# transformed, surrogates are not mandatory. Surrogates are used to denote

11448

# the location of the token and are necessary for re-identification in free

11449

# form text.

11450

#

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11451

# In order for inspection to work properly, the name of this info type must

11452

# not occur naturally anywhere in your data; otherwise, inspection may either

11453

#

11454

# - reverse a surrogate that does not correspond to an actual identifier

11455

# - be unable to parse the surrogate and result in an error

11456

#

11457

# Therefore, choose your custom info type name carefully after considering

11458

# what your data looks like. One way to select a name that has a high chance

11459

# of yielding reliable detection is to include one or more unicode characters

11460

# that are highly improbable to exist in your data.

11461

# For example, assuming your data is entered from a regular ASCII keyboard,

11462

# the symbol with the hex code point 29DD might be used like so:

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11463

# ⧝MY_TOKEN_TYPE.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11464

"name": "A String", # Name of the information type. Either a name of your choosing when

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11465

# creating a CustomInfoType, or one of the names listed

11466

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11467

# a built-in type. InfoType names should conform to the pattern

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11468

# `[a-zA-Z0-9_]{1,64}`.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11469

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11470

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

11471

# referential integrity such that the same identifier in two different

11472

# contexts will be given a distinct surrogate. The context is appended to

11473

# plaintext value being encrypted. On decryption the provided context is

11474

# validated against the value used during encryption. If a context was

11475

# provided during encryption, same context must be provided during decryption

11476

# as well.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11477

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11478

# If the context is not set, plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11479

# If the context is set but:

11480

#

11481

# 1. there is no record present when transforming a given value or

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11482

# 2. the field is not present when transforming a given value,

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11483

#

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11484

# plaintext would be used as is for encryption.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11485

#

11486

# Note that case (1) is expected when an `InfoTypeTransformation` is

11487

# applied to both structured and non-structured `ContentItem`s.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11488

"name": "A String", # Name describing the field.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11489

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11490

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

11491

# a key encryption key (KEK) stored by KMS).

11492

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11493

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11494

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11495

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11496

# leaking the key. Choose another type of key if possible.

11497

"key": "A String", # Required. A 128/192/256 bit key.

11498

},

11499

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11500

# It will be discarded after the request finishes.

11501

"name": "A String", # Required. Name of the key.

11502

# This is an arbitrary string used to differentiate different keys.

11503

# A unique key is generated per name: two separate `TransientCryptoKey`

11504

# protos share the same generated key if their names are the same.

11505

# When the data crypto key is generated, this name is not used in any way

11506

# (repeating the api call will result in a different key being generated).

11507

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11508

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11509

# The wrapped key must be a 128/192/256 bit key.

11510

# Authorization requires the following IAM permissions when sending a request

11511

# to perform a crypto transformation using a kms-wrapped crypto key:

11512

# dlp.kms.encrypt

11513

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11514

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11515

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11516

},

11517

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11518

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11519

# replacement values are dynamically provided by the user for custom behavior,

11520

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

11521

# This can be used on

11522

# data of type: number, long, string, timestamp.

11523

# If the bound `Value` type differs from the type of data being transformed, we

11524

# will first attempt converting the type of the data to be transformed to match

11525

# the type of the bound before comparing.

11526

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11527

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11528

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11529

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

11530

# the default behavior will be to hyphenate the min-max range.

11531

# Note that for the purposes of inspection or transformation, the number

11532

# of bytes considered to comprise a 'Value' is based on its representation

11533

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11534

# 123456789, the number of bytes would be counted as 9, even though an

11535

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11536

"timestampValue": "A String", # timestamp

11537

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11538

# and time zone are either specified elsewhere or are not significant. The date

11539

# is relative to the Proleptic Gregorian Calendar. This can represent:

11540

#

11541

# * A full date, with non-zero year, month and day values

11542

# * A month and day value, with a zero year, e.g. an anniversary

11543

# * A year on its own, with zero month and day values

11544

# * A year and month value, with a zero day, e.g. a credit card expiration date

11545

#

11546

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11547

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11548

# a year.

11549

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11550

# month and day.

11551

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11552

# if specifying a year by itself or a year and month where the day is not

11553

# significant.

11554

},

11555

"stringValue": "A String", # string

11556

"integerValue": "A String", # integer

11557

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11558

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11559

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11560

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11561

# to allow the value "24:00:00" for scenarios like business closing time.

11562

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11563

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11564

# allow the value 60 if it allows leap-seconds.

11565

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11566

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11567

"booleanValue": True or False, # boolean

11568

"floatValue": 3.14, # float

11569

"dayOfWeekValue": "A String", # day of week

11570

},

11571

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

11572

# used.

11573

# Note that for the purposes of inspection or transformation, the number

11574

# of bytes considered to comprise a 'Value' is based on its representation

11575

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11576

# 123456789, the number of bytes would be counted as 9, even though an

11577

# int64 only holds up to 8 bytes of data.

11578

"timestampValue": "A String", # timestamp

11579

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11580

# and time zone are either specified elsewhere or are not significant. The date

11581

# is relative to the Proleptic Gregorian Calendar. This can represent:

11582

#

11583

# * A full date, with non-zero year, month and day values

11584

# * A month and day value, with a zero year, e.g. an anniversary

11585

# * A year on its own, with zero month and day values

11586

# * A year and month value, with a zero day, e.g. a credit card expiration date

11587

#

11588

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11589

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11590

# a year.

11591

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11592

# month and day.

11593

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11594

# if specifying a year by itself or a year and month where the day is not

11595

# significant.

11596

},

11597

"stringValue": "A String", # string

11598

"integerValue": "A String", # integer

11599

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11600

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11601

# types are google.type.Date and `google.protobuf.Timestamp`.

11602

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11603

# to allow the value "24:00:00" for scenarios like business closing time.

11604

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11605

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11606

# allow the value 60 if it allows leap-seconds.

11607

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11608

},

11609

"booleanValue": True or False, # boolean

11610

"floatValue": 3.14, # float

11611

"dayOfWeekValue": "A String", # day of week

11612

},

11613

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

11614

# Note that for the purposes of inspection or transformation, the number

11615

# of bytes considered to comprise a 'Value' is based on its representation

11616

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11617

# 123456789, the number of bytes would be counted as 9, even though an

11618

# int64 only holds up to 8 bytes of data.

11619

"timestampValue": "A String", # timestamp

11620

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11621

# and time zone are either specified elsewhere or are not significant. The date

11622

# is relative to the Proleptic Gregorian Calendar. This can represent:

11623

#

11624

# * A full date, with non-zero year, month and day values

11625

# * A month and day value, with a zero year, e.g. an anniversary

11626

# * A year on its own, with zero month and day values

11627

# * A year and month value, with a zero day, e.g. a credit card expiration date

11628

#

11629

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11630

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11631

# a year.

11632

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11633

# month and day.

11634

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11635

# if specifying a year by itself or a year and month where the day is not

11636

# significant.

11637

},

11638

"stringValue": "A String", # string

11639

"integerValue": "A String", # integer

11640

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11641

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11642

# types are google.type.Date and `google.protobuf.Timestamp`.

11643

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11644

# to allow the value "24:00:00" for scenarios like business closing time.

11645

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11646

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11647

# allow the value 60 if it allows leap-seconds.

11648

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11649

},

11650

"booleanValue": True or False, # boolean

11651

"floatValue": 3.14, # float

11652

"dayOfWeekValue": "A String", # day of week

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11657

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

11658

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

11659

# output would be 'My phone number is '.

11660

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11661

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

11662

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11663

# Note that for the purposes of inspection or transformation, the number

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11664

# of bytes considered to comprise a 'Value' is based on its representation

11665

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11666

# 123456789, the number of bytes would be counted as 9, even though an

11667

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11668

"timestampValue": "A String", # timestamp

11669

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11670

# and time zone are either specified elsewhere or are not significant. The date

11671

# is relative to the Proleptic Gregorian Calendar. This can represent:

11672

#

11673

# * A full date, with non-zero year, month and day values

11674

# * A month and day value, with a zero year, e.g. an anniversary

11675

# * A year on its own, with zero month and day values

11676

# * A year and month value, with a zero day, e.g. a credit card expiration date

11677

#

11678

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11679

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11680

# a year.

11681

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

11682

# month and day.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11683

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11684

# if specifying a year by itself or a year and month where the day is not

11685

# significant.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

11686

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11687

"stringValue": "A String", # string

11688

"integerValue": "A String", # integer

11689

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11690

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11691

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11692

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11693

# to allow the value "24:00:00" for scenarios like business closing time.

11694

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11695

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11696

# allow the value 60 if it allows leap-seconds.

11697

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11698

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11699

"booleanValue": True or False, # boolean

11700

"floatValue": 3.14, # float

11701

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11702

},

11703

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11704

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

11705

# Bucketing transformation can provide all of this functionality,

11706

# but requires more configuration. This message is provided as a convenience to

11707

# the user for simple bucketing strategies.

11708

#

11709

# The transformed value will be a hyphenated string of

11710

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

11711

# all values that are within this bucket will be replaced with "10-20".

11712

#

11713

# This can be used on data of type: double, long.

11714

#

11715

# If the bound Value type differs from the type of data

11716

# being transformed, we will first attempt converting the type of the data to

11717

# be transformed to match the type of the bound before comparing.

11718

#

11719

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11720

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

11721

# grouped together into a single bucket; for example if `upper_bound` = 89,

11722

# then all values greater than 89 are replaced with the value "89+".

11723

# Note that for the purposes of inspection or transformation, the number

11724

# of bytes considered to comprise a 'Value' is based on its representation

11725

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11726

# 123456789, the number of bytes would be counted as 9, even though an

11727

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11728

"timestampValue": "A String", # timestamp

11729

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11730

# and time zone are either specified elsewhere or are not significant. The date

11731

# is relative to the Proleptic Gregorian Calendar. This can represent:

11732

#

11733

# * A full date, with non-zero year, month and day values

11734

# * A month and day value, with a zero year, e.g. an anniversary

11735

# * A year on its own, with zero month and day values

11736

# * A year and month value, with a zero day, e.g. a credit card expiration date

11737

#

11738

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11739

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11740

# a year.

11741

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11742

# month and day.

11743

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11744

# if specifying a year by itself or a year and month where the day is not

11745

# significant.

11746

},

11747

"stringValue": "A String", # string

11748

"integerValue": "A String", # integer

11749

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11750

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11751

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11752

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11753

# to allow the value "24:00:00" for scenarios like business closing time.

11754

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11755

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11756

# allow the value 60 if it allows leap-seconds.

11757

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11758

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11759

"booleanValue": True or False, # boolean

11760

"floatValue": 3.14, # float

11761

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11762

},

11763

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

11764

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

11765

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

11766

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11767

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

11768

# grouped together into a single bucket; for example if `lower_bound` = 10,

11769

# then all values less than 10 are replaced with the value "-10".

11770

# Note that for the purposes of inspection or transformation, the number

11771

# of bytes considered to comprise a 'Value' is based on its representation

11772

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11773

# 123456789, the number of bytes would be counted as 9, even though an

11774

# int64 only holds up to 8 bytes of data.

11775

"timestampValue": "A String", # timestamp

11776

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11777

# and time zone are either specified elsewhere or are not significant. The date

11778

# is relative to the Proleptic Gregorian Calendar. This can represent:

11779

#

11780

# * A full date, with non-zero year, month and day values

11781

# * A month and day value, with a zero year, e.g. an anniversary

11782

# * A year on its own, with zero month and day values

11783

# * A year and month value, with a zero day, e.g. a credit card expiration date

11784

#

11785

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11786

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11787

# a year.

11788

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11789

# month and day.

11790

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11791

# if specifying a year by itself or a year and month where the day is not

11792

# significant.

11793

},

11794

"stringValue": "A String", # string

11795

"integerValue": "A String", # integer

11796

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11797

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11798

# types are google.type.Date and `google.protobuf.Timestamp`.

11799

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11800

# to allow the value "24:00:00" for scenarios like business closing time.

11801

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11802

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11803

# allow the value 60 if it allows leap-seconds.

11804

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11805

},

11806

"booleanValue": True or False, # boolean

11807

"floatValue": 3.14, # float

11808

"dayOfWeekValue": "A String", # day of week

11809

},

11810

},

11811

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

11812

# fixed character. Masking can start from the beginning or end of the string.

11813

# This can be used on data of any type (numbers, longs, and so on) and when

11814

# de-identifying structured data we'll attempt to preserve the original data's

11815

# type. (This allows you to take a long like 123 and modify it to a string like

11816

# **3.

11817

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

11818

# characters. For example, if the input string is `555-555-5555` and you

11819

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

11820

# returns `***-**5-5555`.

11821

{ # Characters to skip when doing deidentification of a value. These will be left

11822

# alone and skipped.

11823

"charactersToSkip": "A String", # Characters to not transform when masking.

11824

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

11829

# masked. Skipped characters do not count towards this tally.

11830

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

11831

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

11832

# code or credit card number. This string must have a length of 1. If not

11833

# supplied, this value defaults to `*` for strings, and `0` for digits.

11834

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

11835

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

11836

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

11837

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

11838

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11839

},

11840

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11841

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

11842

# this transformation to apply to all findings that correspond to

11843

# infoTypes that were requested in `InspectConfig`.

11844

{ # Type of information detected by the API.

11845

"name": "A String", # Name of the information type. Either a name of your choosing when

11846

# creating a CustomInfoType, or one of the names listed

11847

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11848

# a built-in type. InfoType names should conform to the pattern

11849

# `[a-zA-Z0-9_]{1,64}`.

11850

},

11851

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

11856

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

11857

# portion of the value.

11858

"partToExtract": "A String", # The part of the time to keep.

11859

},

11860

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

11861

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

11862

# to learn more.

11863

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

11864

# If set, must also set cryptoKey. If set, shift will be consistent for the

11865

# given context.

11866

"name": "A String", # Name describing the field.

11867

},

11868

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

11869

# range (inclusive ends). Negative means shift to earlier in time. Must not

11870

# be more than 365250 days (1000 years) each direction.

11871

#

11872

# For example, 3 means shift date to at most 3 days into the future.

11873

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

11874

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

11875

# results in the same shift for the same context and crypto_key. If

11876

# set, must also set context. Can only be applied to table items.

11877

# a key encryption key (KEK) stored by KMS).

11878

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11879

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11880

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11881

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11882

# leaking the key. Choose another type of key if possible.

11883

"key": "A String", # Required. A 128/192/256 bit key.

11884

},

11885

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11886

# It will be discarded after the request finishes.

11887

"name": "A String", # Required. Name of the key.

11888

# This is an arbitrary string used to differentiate different keys.

11889

# A unique key is generated per name: two separate `TransientCryptoKey`

11890

# protos share the same generated key if their names are the same.

11891

# When the data crypto key is generated, this name is not used in any way

11892

# (repeating the api call will result in a different key being generated).

11893

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11894

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11895

# The wrapped key must be a 128/192/256 bit key.

11896

# Authorization requires the following IAM permissions when sending a request

11897

# to perform a crypto transformation using a kms-wrapped crypto key:

11898

# dlp.kms.encrypt

11899

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11900

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11901

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11902

},

11903

},

11904

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

11905

},

11906

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

11907

# Uses SHA-256.

11908

# The key size must be either 32 or 64 bytes.

11909

# Outputs a base64 encoded representation of the hashed output

11910

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

11911

# Currently, only string and integer values can be hashed.

11912

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

11913

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

11914

# a key encryption key (KEK) stored by KMS).

11915

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11916

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11917

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11918

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11919

# leaking the key. Choose another type of key if possible.

11920

"key": "A String", # Required. A 128/192/256 bit key.

11921

},

11922

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11923

# It will be discarded after the request finishes.

11924

"name": "A String", # Required. Name of the key.

11925

# This is an arbitrary string used to differentiate different keys.

11926

# A unique key is generated per name: two separate `TransientCryptoKey`

11927

# protos share the same generated key if their names are the same.

11928

# When the data crypto key is generated, this name is not used in any way

11929

# (repeating the api call will result in a different key being generated).

11930

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

11931

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11932

# The wrapped key must be a 128/192/256 bit key.

11933

# Authorization requires the following IAM permissions when sending a request

11934

# to perform a crypto transformation using a kms-wrapped crypto key:

11935

# dlp.kms.encrypt

11936

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11937

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11938

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11939

},

11940

},

11941

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

11942

# (FPE) with the FFX mode of operation; however when used in the

11943

# `ReidentifyContent` API method, it serves the opposite function by reversing

11944

# the surrogate back into the original identifier. The identifier must be

11945

# encoded as ASCII. For a given crypto key and context, the same identifier

11946

# will be replaced with the same surrogate. Identifiers must be at least two

11947

# characters long. In the case that the identifier is the empty string, it will

11948

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

11949

# more.

11950

#

11951

# Note: We recommend using CryptoDeterministicConfig for all use cases which

11952

# do not require preserving the input alphabet space and size, plus warrant

11953

# referential integrity.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

11954

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

11955

# This annotation will be applied to the surrogate by prefixing it with

11956

# the name of the custom infoType followed by the number of

11957

# characters comprising the surrogate. The following scheme defines the

11958

# format: info_type_name(surrogate_character_count):surrogate

11959

#

11960

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

11961

# the surrogate is 'abc', the full replacement value

11962

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11963

#

11964

# This annotation identifies the surrogate when inspecting content using the

11965

# custom infoType

11966

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

11967

# This facilitates reversal of the surrogate when it occurs in free text.

11968

#

11969

# In order for inspection to work properly, the name of this infoType must

11970

# not occur naturally anywhere in your data; otherwise, inspection may

11971

# find a surrogate that does not correspond to an actual identifier.

11972

# Therefore, choose your custom infoType name carefully after considering

11973

# what your data looks like. One way to select a name that has a high chance

11974

# of yielding reliable detection is to include one or more unicode characters

11975

# that are highly improbable to exist in your data.

11976

# For example, assuming your data is entered from a regular ASCII keyboard,

11977

# the symbol with the hex code point 29DD might be used like so:

11978

# ⧝MY_TOKEN_TYPE

11979

"name": "A String", # Name of the information type. Either a name of your choosing when

11980

# creating a CustomInfoType, or one of the names listed

11981

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11982

# a built-in type. InfoType names should conform to the pattern

11983

# `[a-zA-Z0-9_]{1,64}`.

11984

},

11985

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

11986

# identifier in two different contexts won't be given the same surrogate. If

11987

# the context is not set, a default tweak will be used.

11988

#

11989

# If the context is set but:

11990

#

11991

# 1. there is no record present when transforming a given value or

11992

# 1. the field is not present when transforming a given value,

11993

#

11994

# a default tweak will be used.

11995

#

11996

# Note that case (1) is expected when an `InfoTypeTransformation` is

11997

# applied to both structured and non-structured `ContentItem`s.

11998

# Currently, the referenced field may be of value type integer or string.

11999

#

12000

# The tweak is constructed as a sequence of bytes in big endian byte order

12001

# such that:

12002

#

12003

# - a 64 bit integer is encoded followed by a single byte of value 1

12004

# - a string is encoded in UTF-8 format followed by a single byte of value 2

12005

"name": "A String", # Name describing the field.

12006

},

12007

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

12008

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

12009

# a key encryption key (KEK) stored by KMS).

12010

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12011

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12012

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12013

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12014

# leaking the key. Choose another type of key if possible.

12015

"key": "A String", # Required. A 128/192/256 bit key.

12016

},

12017

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12018

# It will be discarded after the request finishes.

12019

"name": "A String", # Required. Name of the key.

12020

# This is an arbitrary string used to differentiate different keys.

12021

# A unique key is generated per name: two separate `TransientCryptoKey`

12022

# protos share the same generated key if their names are the same.

12023

# When the data crypto key is generated, this name is not used in any way

12024

# (repeating the api call will result in a different key being generated).

12025

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12026

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12027

# The wrapped key must be a 128/192/256 bit key.

12028

# Authorization requires the following IAM permissions when sending a request

12029

# to perform a crypto transformation using a kms-wrapped crypto key:

12030

# dlp.kms.encrypt

12031

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12032

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12033

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12034

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12035

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

12036

# that the FFX mode natively supports. This happens before/after

12037

# encryption/decryption.

12038

# Each character listed must appear only once.

12039

# Number of characters must be in the range [2, 95].

12040

# This must be encoded as ASCII.

12041

# The order of characters does not matter.

12042

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12043

},

12044

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

12045

# input. Outputs a base64 encoded representation of the encrypted output.

12046

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

12047

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

12048

# This annotation will be applied to the surrogate by prefixing it with

12049

# the name of the custom info type followed by the number of

12050

# characters comprising the surrogate. The following scheme defines the

12051

# format: {info type name}({surrogate character count}):{surrogate}

12052

#

12053

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

12054

# the surrogate is 'abc', the full replacement value

12055

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

12056

#

12057

# This annotation identifies the surrogate when inspecting content using the

12058

# custom info type 'Surrogate'. This facilitates reversal of the

12059

# surrogate when it occurs in free text.

12060

#

12061

# Note: For record transformations where the entire cell in a table is being

12062

# transformed, surrogates are not mandatory. Surrogates are used to denote

12063

# the location of the token and are necessary for re-identification in free

12064

# form text.

12065

#

12066

# In order for inspection to work properly, the name of this info type must

12067

# not occur naturally anywhere in your data; otherwise, inspection may either

12068

#

12069

# - reverse a surrogate that does not correspond to an actual identifier

12070

# - be unable to parse the surrogate and result in an error

12071

#

12072

# Therefore, choose your custom info type name carefully after considering

12073

# what your data looks like. One way to select a name that has a high chance

12074

# of yielding reliable detection is to include one or more unicode characters

12075

# that are highly improbable to exist in your data.

12076

# For example, assuming your data is entered from a regular ASCII keyboard,

12077

# the symbol with the hex code point 29DD might be used like so:

12078

# ⧝MY_TOKEN_TYPE.

12079

"name": "A String", # Name of the information type. Either a name of your choosing when

12080

# creating a CustomInfoType, or one of the names listed

12081

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

12082

# a built-in type. InfoType names should conform to the pattern

12083

# `[a-zA-Z0-9_]{1,64}`.

12084

},

12085

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

12086

# referential integrity such that the same identifier in two different

12087

# contexts will be given a distinct surrogate. The context is appended to

12088

# plaintext value being encrypted. On decryption the provided context is

12089

# validated against the value used during encryption. If a context was

12090

# provided during encryption, same context must be provided during decryption

12091

# as well.

12092

#

12093

# If the context is not set, plaintext would be used as is for encryption.

12094

# If the context is set but:

12095

#

12096

# 1. there is no record present when transforming a given value or

12097

# 2. the field is not present when transforming a given value,

12098

#

12099

# plaintext would be used as is for encryption.

12100

#

12101

# Note that case (1) is expected when an `InfoTypeTransformation` is

12102

# applied to both structured and non-structured `ContentItem`s.

12103

"name": "A String", # Name describing the field.

12104

},

12105

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

12106

# a key encryption key (KEK) stored by KMS).

12107

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12108

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12109

# unwrap the data crypto key.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12110

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12111

# leaking the key. Choose another type of key if possible.

12112

"key": "A String", # Required. A 128/192/256 bit key.

12113

},

12114

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12115

# It will be discarded after the request finishes.

12116

"name": "A String", # Required. Name of the key.

12117

# This is an arbitrary string used to differentiate different keys.

12118

# A unique key is generated per name: two separate `TransientCryptoKey`

12119

# protos share the same generated key if their names are the same.

12120

# When the data crypto key is generated, this name is not used in any way

12121

# (repeating the api call will result in a different key being generated).

12122

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12123

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12124

# The wrapped key must be a 128/192/256 bit key.

12125

# Authorization requires the following IAM permissions when sending a request

12126

# to perform a crypto transformation using a kms-wrapped crypto key:

12127

# dlp.kms.encrypt

12128

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12129

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12130

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12131

},

12132

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12133

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

12134

# replacement values are dynamically provided by the user for custom behavior,

12135

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

12136

# This can be used on

12137

# data of type: number, long, string, timestamp.

12138

# If the bound `Value` type differs from the type of data being transformed, we

12139

# will first attempt converting the type of the data to be transformed to match

12140

# the type of the bound before comparing.

12141

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

12142

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

12143

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12144

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

12145

# the default behavior will be to hyphenate the min-max range.

12146

# Note that for the purposes of inspection or transformation, the number

12147

# of bytes considered to comprise a 'Value' is based on its representation

12148

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12149

# 123456789, the number of bytes would be counted as 9, even though an

12150

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12151

"timestampValue": "A String", # timestamp

12152

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12153

# and time zone are either specified elsewhere or are not significant. The date

12154

# is relative to the Proleptic Gregorian Calendar. This can represent:

12155

#

12156

# * A full date, with non-zero year, month and day values

12157

# * A month and day value, with a zero year, e.g. an anniversary

12158

# * A year on its own, with zero month and day values

12159

# * A year and month value, with a zero day, e.g. a credit card expiration date

12160

#

12161

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12162

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12163

# a year.

12164

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12165

# month and day.

12166

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12167

# if specifying a year by itself or a year and month where the day is not

12168

# significant.

12169

},

12170

"stringValue": "A String", # string

12171

"integerValue": "A String", # integer

12172

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12173

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12174

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12175

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12176

# to allow the value "24:00:00" for scenarios like business closing time.

12177

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12178

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12179

# allow the value 60 if it allows leap-seconds.

12180

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12181

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12182

"booleanValue": True or False, # boolean

12183

"floatValue": 3.14, # float

12184

"dayOfWeekValue": "A String", # day of week

12185

},

12186

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

12187

# used.

12188

# Note that for the purposes of inspection or transformation, the number

12189

# of bytes considered to comprise a 'Value' is based on its representation

12190

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12191

# 123456789, the number of bytes would be counted as 9, even though an

12192

# int64 only holds up to 8 bytes of data.

12193

"timestampValue": "A String", # timestamp

12194

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12195

# and time zone are either specified elsewhere or are not significant. The date

12196

# is relative to the Proleptic Gregorian Calendar. This can represent:

12197

#

12198

# * A full date, with non-zero year, month and day values

12199

# * A month and day value, with a zero year, e.g. an anniversary

12200

# * A year on its own, with zero month and day values

12201

# * A year and month value, with a zero day, e.g. a credit card expiration date

12202

#

12203

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12204

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12205

# a year.

12206

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12207

# month and day.

12208

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12209

# if specifying a year by itself or a year and month where the day is not

12210

# significant.

12211

},

12212

"stringValue": "A String", # string

12213

"integerValue": "A String", # integer

12214

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12215

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12216

# types are google.type.Date and `google.protobuf.Timestamp`.

12217

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12218

# to allow the value "24:00:00" for scenarios like business closing time.

12219

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12220

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12221

# allow the value 60 if it allows leap-seconds.

12222

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12223

},

12224

"booleanValue": True or False, # boolean

12225

"floatValue": 3.14, # float

12226

"dayOfWeekValue": "A String", # day of week

12227

},

12228

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

12229

# Note that for the purposes of inspection or transformation, the number

12230

# of bytes considered to comprise a 'Value' is based on its representation

12231

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12232

# 123456789, the number of bytes would be counted as 9, even though an

12233

# int64 only holds up to 8 bytes of data.

12234

"timestampValue": "A String", # timestamp

12235

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12236

# and time zone are either specified elsewhere or are not significant. The date

12237

# is relative to the Proleptic Gregorian Calendar. This can represent:

12238

#

12239

# * A full date, with non-zero year, month and day values

12240

# * A month and day value, with a zero year, e.g. an anniversary

12241

# * A year on its own, with zero month and day values

12242

# * A year and month value, with a zero day, e.g. a credit card expiration date

12243

#

12244

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12245

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12246

# a year.

12247

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12248

# month and day.

12249

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12250

# if specifying a year by itself or a year and month where the day is not

12251

# significant.

12252

},

12253

"stringValue": "A String", # string

12254

"integerValue": "A String", # integer

12255

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12256

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12257

# types are google.type.Date and `google.protobuf.Timestamp`.

12258

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12259

# to allow the value "24:00:00" for scenarios like business closing time.

12260

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12261

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12262

# allow the value 60 if it allows leap-seconds.

12263

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12264

},

12265

"booleanValue": True or False, # boolean

12266

"floatValue": 3.14, # float

12267

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12268

},

12269

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12270

],

12271

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12272

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

12273

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

12274

# output would be 'My phone number is '.

12275

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12276

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

12277

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

12278

# Note that for the purposes of inspection or transformation, the number

12279

# of bytes considered to comprise a 'Value' is based on its representation

12280

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12281

# 123456789, the number of bytes would be counted as 9, even though an

12282

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12283

"timestampValue": "A String", # timestamp

12284

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12285

# and time zone are either specified elsewhere or are not significant. The date

12286

# is relative to the Proleptic Gregorian Calendar. This can represent:

12287

#

12288

# * A full date, with non-zero year, month and day values

12289

# * A month and day value, with a zero year, e.g. an anniversary

12290

# * A year on its own, with zero month and day values

12291

# * A year and month value, with a zero day, e.g. a credit card expiration date

12292

#

12293

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12294

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12295

# a year.

12296

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12297

# month and day.

12298

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12299

# if specifying a year by itself or a year and month where the day is not

12300

# significant.

12301

},

12302

"stringValue": "A String", # string

12303

"integerValue": "A String", # integer

12304

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12305

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12306

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12307

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12308

# to allow the value "24:00:00" for scenarios like business closing time.

12309

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12310

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12311

# allow the value 60 if it allows leap-seconds.

12312

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12313

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12314

"booleanValue": True or False, # boolean

12315

"floatValue": 3.14, # float

12316

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12317

},

12318

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12319

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

12320

# Bucketing transformation can provide all of this functionality,

12321

# but requires more configuration. This message is provided as a convenience to

12322

# the user for simple bucketing strategies.

12323

#

12324

# The transformed value will be a hyphenated string of

12325

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

12326

# all values that are within this bucket will be replaced with "10-20".

12327

#

12328

# This can be used on data of type: double, long.

12329

#

12330

# If the bound Value type differs from the type of data

12331

# being transformed, we will first attempt converting the type of the data to

12332

# be transformed to match the type of the bound before comparing.

12333

#

12334

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12335

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

12336

# grouped together into a single bucket; for example if `upper_bound` = 89,

12337

# then all values greater than 89 are replaced with the value "89+".

12338

# Note that for the purposes of inspection or transformation, the number

12339

# of bytes considered to comprise a 'Value' is based on its representation

12340

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12341

# 123456789, the number of bytes would be counted as 9, even though an

12342

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12343

"timestampValue": "A String", # timestamp

12344

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12345

# and time zone are either specified elsewhere or are not significant. The date

12346

# is relative to the Proleptic Gregorian Calendar. This can represent:

12347

#

12348

# * A full date, with non-zero year, month and day values

12349

# * A month and day value, with a zero year, e.g. an anniversary

12350

# * A year on its own, with zero month and day values

12351

# * A year and month value, with a zero day, e.g. a credit card expiration date

12352

#

12353

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12354

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12355

# a year.

12356

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12357

# month and day.

12358

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12359

# if specifying a year by itself or a year and month where the day is not

12360

# significant.

12361

},

12362

"stringValue": "A String", # string

12363

"integerValue": "A String", # integer

12364

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12365

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12366

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12367

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12368

# to allow the value "24:00:00" for scenarios like business closing time.

12369

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12370

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12371

# allow the value 60 if it allows leap-seconds.

12372

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12373

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12374

"booleanValue": True or False, # boolean

12375

"floatValue": 3.14, # float

12376

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12377

},

12378

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

12379

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

12380

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

12381

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12382

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

12383

# grouped together into a single bucket; for example if `lower_bound` = 10,

12384

# then all values less than 10 are replaced with the value "-10".

12385

# Note that for the purposes of inspection or transformation, the number

12386

# of bytes considered to comprise a 'Value' is based on its representation

12387

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12388

# 123456789, the number of bytes would be counted as 9, even though an

12389

# int64 only holds up to 8 bytes of data.

12390

"timestampValue": "A String", # timestamp

12391

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12392

# and time zone are either specified elsewhere or are not significant. The date

12393

# is relative to the Proleptic Gregorian Calendar. This can represent:

12394

#

12395

# * A full date, with non-zero year, month and day values

12396

# * A month and day value, with a zero year, e.g. an anniversary

12397

# * A year on its own, with zero month and day values

12398

# * A year and month value, with a zero day, e.g. a credit card expiration date

12399

#

12400

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12401

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12402

# a year.

12403

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12404

# month and day.

12405

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12406

# if specifying a year by itself or a year and month where the day is not

12407

# significant.

12408

},

12409

"stringValue": "A String", # string

12410

"integerValue": "A String", # integer

12411

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12412

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12413

# types are google.type.Date and `google.protobuf.Timestamp`.

12414

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12415

# to allow the value "24:00:00" for scenarios like business closing time.

12416

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12417

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12418

# allow the value 60 if it allows leap-seconds.

12419

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12420

},

12421

"booleanValue": True or False, # boolean

12422

"floatValue": 3.14, # float

12423

"dayOfWeekValue": "A String", # day of week

12424

},

12425

},

12426

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

12427

# fixed character. Masking can start from the beginning or end of the string.

12428

# This can be used on data of any type (numbers, longs, and so on) and when

12429

# de-identifying structured data we'll attempt to preserve the original data's

12430

# type. (This allows you to take a long like 123 and modify it to a string like

12431

# **3.

12432

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

12433

# characters. For example, if the input string is `555-555-5555` and you

12434

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

12435

# returns `***-**5-5555`.

12436

{ # Characters to skip when doing deidentification of a value. These will be left

12437

# alone and skipped.

12438

"charactersToSkip": "A String", # Characters to not transform when masking.

12439

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

12444

# masked. Skipped characters do not count towards this tally.

12445

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

12446

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

12447

# code or credit card number. This string must have a length of 1. If not

12448

# supplied, this value defaults to `*` for strings, and `0` for digits.

12449

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

12450

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

12451

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

12452

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

12453

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12454

},

12455

},

12456

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

12457

# given `RecordCondition`. The conditions are allowed to reference fields

12458

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

12463

# column for the same record is within a specific range.

12464

# - Redact a field if the date of birth field is greater than 85.

12465

# a field.

12466

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

12467

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

12468

# only supported value is `AND`.

12469

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

12470

"conditions": [ # A collection of conditions.

12471

{ # The field type of `value` and `field` do not need to match to be

12472

# considered equal, but not all comparisons are possible.

12473

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

12474

# but all other comparisons are invalid with incompatible types.

12475

# A `value` of type:

12476

#

12477

# - `string` can be compared against all other types

12478

# - `boolean` can only be compared against other booleans

12479

# - `integer` can be compared against doubles or a string if the string value

12480

# can be parsed as an integer.

12481

# - `double` can be compared against integers or a string if the string can

12482

# be parsed as a double.

12483

# - `Timestamp` can be compared against strings in RFC 3339 date string

12484

# format.

12485

# - `TimeOfDay` can be compared against timestamps and strings in the format

12486

# of 'HH:mm:ss'.

12487

#

12488

# If we fail to compare do to type mismatch, a warning will be given and

12489

# the condition will evaluate to false.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12490

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

12491

# Note that for the purposes of inspection or transformation, the number

12492

# of bytes considered to comprise a 'Value' is based on its representation

12493

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12494

# 123456789, the number of bytes would be counted as 9, even though an

12495

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12496

"timestampValue": "A String", # timestamp

12497

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12498

# and time zone are either specified elsewhere or are not significant. The date

12499

# is relative to the Proleptic Gregorian Calendar. This can represent:

12500

#

12501

# * A full date, with non-zero year, month and day values

12502

# * A month and day value, with a zero year, e.g. an anniversary

12503

# * A year on its own, with zero month and day values

12504

# * A year and month value, with a zero day, e.g. a credit card expiration date

12505

#

12506

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12507

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12508

# a year.

12509

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12510

# month and day.

12511

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12512

# if specifying a year by itself or a year and month where the day is not

12513

# significant.

12514

},

12515

"stringValue": "A String", # string

12516

"integerValue": "A String", # integer

12517

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12518

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12519

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12520

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12521

# to allow the value "24:00:00" for scenarios like business closing time.

12522

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12523

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12524

# allow the value 60 if it allows leap-seconds.

12525

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12526

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12527

"booleanValue": True or False, # boolean

12528

"floatValue": 3.14, # float

12529

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12530

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12531

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

12532

"name": "A String", # Name describing the field.

12533

},

12534

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12535

},

12536

],

12537

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12538

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12539

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12540

},

12541

],

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12542

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

12543

# match any suppression rule are omitted from the output.

12544

{ # Configuration to suppress records whose suppression conditions evaluate to

12545

# true.

12546

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

12547

# evaluated to be suppressed from the transformed content.

12548

# a field.

12549

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

12550

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

12551

# only supported value is `AND`.

12552

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

12553

"conditions": [ # A collection of conditions.

12554

{ # The field type of `value` and `field` do not need to match to be

12555

# considered equal, but not all comparisons are possible.

12556

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

12557

# but all other comparisons are invalid with incompatible types.

12558

# A `value` of type:

12559

#

12560

# - `string` can be compared against all other types

12561

# - `boolean` can only be compared against other booleans

12562

# - `integer` can be compared against doubles or a string if the string value

12563

# can be parsed as an integer.

12564

# - `double` can be compared against integers or a string if the string can

12565

# be parsed as a double.

12566

# - `Timestamp` can be compared against strings in RFC 3339 date string

12567

# format.

12568

# - `TimeOfDay` can be compared against timestamps and strings in the format

12569

# of 'HH:mm:ss'.

12570

#

12571

# If we fail to compare do to type mismatch, a warning will be given and

12572

# the condition will evaluate to false.

12573

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

12574

# Note that for the purposes of inspection or transformation, the number

12575

# of bytes considered to comprise a 'Value' is based on its representation

12576

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12577

# 123456789, the number of bytes would be counted as 9, even though an

12578

# int64 only holds up to 8 bytes of data.

12579

"timestampValue": "A String", # timestamp

12580

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12581

# and time zone are either specified elsewhere or are not significant. The date

12582

# is relative to the Proleptic Gregorian Calendar. This can represent:

12583

#

12584

# * A full date, with non-zero year, month and day values

12585

# * A month and day value, with a zero year, e.g. an anniversary

12586

# * A year on its own, with zero month and day values

12587

# * A year and month value, with a zero day, e.g. a credit card expiration date

12588

#

12589

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12590

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12591

# a year.

12592

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12593

# month and day.

12594

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12595

# if specifying a year by itself or a year and month where the day is not

12596

# significant.

12597

},

12598

"stringValue": "A String", # string

12599

"integerValue": "A String", # integer

12600

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12601

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12602

# types are google.type.Date and `google.protobuf.Timestamp`.

12603

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12604

# to allow the value "24:00:00" for scenarios like business closing time.

12605

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12606

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12607

# allow the value 60 if it allows leap-seconds.

12608

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12609

},

12610

"booleanValue": True or False, # boolean

12611

"floatValue": 3.14, # float

12612

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12613

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12614

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

12615

"name": "A String", # Name describing the field.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12616

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12617

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12618

},

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

12619

],

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12620

},

12621

},

Bu Sun Kim

2020-05-20 12:08:20 -0700

[diff] [blame]

12622

},

12623

},

12624

],

Dan O'Meara

2020-05-01 07:42:23 -0700

[diff] [blame]

12625

},

Bu Sun Kim

2019-06-14 16:50:42 -0700

[diff] [blame]

12626

},

Bu Sun Kim