Blame - docs/dyn/dlp_v2.projects.locations.deidentifyTemplates.html - platform/external/python/google-api-python-client

<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.locations.html">locations</a> . <a href="dlp_v2.projects.locations.deidentifyTemplates.html">deidentifyTemplates</a></h1>

76

<h2>Instance Methods</h2>

77

78

<code><a href="#create">create(parent, locationId, body=None, x__xgafv=None)</a></code></p>

79

<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>

80

81

<code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>

82

<p class="firstline">Deletes a DeidentifyTemplate.</p>

83

84

<code><a href="#get">get(name, x__xgafv=None)</a></code></p>

85

<p class="firstline">Gets a DeidentifyTemplate.</p>

86

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

87

<code><a href="#list">list(parent, locationId, pageSize=None, orderBy=None, pageToken=None, x__xgafv=None)</a></code></p>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

88

<p class="firstline">Lists DeidentifyTemplates.</p>

89

90

<code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>

91

<p class="firstline">Retrieves the next page of results.</p>

92

93

<code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>

94

<p class="firstline">Updates the DeidentifyTemplate.</p>

95

<h3>Method Details</h3>

96

97

<code class="details" id="create">create(parent, locationId, body=None, x__xgafv=None)</code>

98

<pre>Creates a DeidentifyTemplate for re-using frequently used configuration

99

for de-identifying content, images, and storage.

100

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

more.

Args:

parent: string, Required. The parent resource name, for example projects/my-project-id or

105

organizations/my-org-id. (required)

106

locationId: string, The geographic location to store the deidentification template. Reserved

107

for future extensions. (required)

108

body: object, The request body.

109

The object takes the form of:

110

111

{ # Request message for CreateDeidentifyTemplate.

112

"templateId": "A String", # The template id can contain uppercase and lowercase letters,

113

# numbers, and hyphens; that is, it must match the regular

114

# expression: `[a-zA-Z\\d-_]+`. The maximum length is 100

115

# characters. Can be empty to allow the system to generate one.

116

"deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create.

117

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

118

"name": "A String", # Output only. The template name.

119

#

120

# The template will have one of the following formats:

121

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

122

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

123

"description": "A String", # Short description (max 256 chars).

124

"displayName": "A String", # Display name (max 256 chars).

125

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

126

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

127

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

128

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

129

# transformation everywhere.

130

# apply various `PrimitiveTransformation`s to each finding, where the

131

# transformation is applied to only values that were identified as a specific

132

# info_type.

133

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

134

# for a given infoType.

135

{ # A transformation to apply to text that is identified as a specific

136

# info_type.

137

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

138

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

139

# portion of the value.

140

"partToExtract": "A String", # The part of the time to keep.

141

},

142

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

143

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

144

# to learn more.

145

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

146

# If set, must also set cryptoKey. If set, shift will be consistent for the

147

# given context.

148

"name": "A String", # Name describing the field.

149

},

150

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

151

# range (inclusive ends). Negative means shift to earlier in time. Must not

152

# be more than 365250 days (1000 years) each direction.

153

#

154

# For example, 3 means shift date to at most 3 days into the future.

155

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

156

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

157

# results in the same shift for the same context and crypto_key. If

158

# set, must also set context. Can only be applied to table items.

159

# a key encryption key (KEK) stored by KMS).

160

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

161

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

162

# unwrap the data crypto key.

163

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

164

# leaking the key. Choose another type of key if possible.

165

"key": "A String", # Required. A 128/192/256 bit key.

166

},

167

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

168

# It will be discarded after the request finishes.

169

"name": "A String", # Required. Name of the key.

170

# This is an arbitrary string used to differentiate different keys.

171

# A unique key is generated per name: two separate `TransientCryptoKey`

172

# protos share the same generated key if their names are the same.

173

# When the data crypto key is generated, this name is not used in any way

174

# (repeating the api call will result in a different key being generated).

175

},

176

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

177

# The wrapped key must be a 128/192/256 bit key.

178

# Authorization requires the following IAM permissions when sending a request

179

# to perform a crypto transformation using a kms-wrapped crypto key:

180

# dlp.kms.encrypt

181

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

182

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

187

},

188

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

189

# Uses SHA-256.

190

# The key size must be either 32 or 64 bytes.

191

# Outputs a base64 encoded representation of the hashed output

192

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

193

# Currently, only string and integer values can be hashed.

194

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

195

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

196

# a key encryption key (KEK) stored by KMS).

197

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

198

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

199

# unwrap the data crypto key.

200

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

201

# leaking the key. Choose another type of key if possible.

202

"key": "A String", # Required. A 128/192/256 bit key.

203

},

204

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

205

# It will be discarded after the request finishes.

206

"name": "A String", # Required. Name of the key.

207

# This is an arbitrary string used to differentiate different keys.

208

# A unique key is generated per name: two separate `TransientCryptoKey`

209

# protos share the same generated key if their names are the same.

210

# When the data crypto key is generated, this name is not used in any way

211

# (repeating the api call will result in a different key being generated).

212

},

213

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

214

# The wrapped key must be a 128/192/256 bit key.

215

# Authorization requires the following IAM permissions when sending a request

216

# to perform a crypto transformation using a kms-wrapped crypto key:

217

# dlp.kms.encrypt

218

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

219

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

224

# (FPE) with the FFX mode of operation; however when used in the

225

# `ReidentifyContent` API method, it serves the opposite function by reversing

226

# the surrogate back into the original identifier. The identifier must be

227

# encoded as ASCII. For a given crypto key and context, the same identifier

228

# will be replaced with the same surrogate. Identifiers must be at least two

229

# characters long. In the case that the identifier is the empty string, it will

230

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

231

# more.

232

#

233

# Note: We recommend using CryptoDeterministicConfig for all use cases which

234

# do not require preserving the input alphabet space and size, plus warrant

235

# referential integrity.

236

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

237

# This annotation will be applied to the surrogate by prefixing it with

238

# the name of the custom infoType followed by the number of

239

# characters comprising the surrogate. The following scheme defines the

240

# format: info_type_name(surrogate_character_count):surrogate

241

#

242

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

243

# the surrogate is 'abc', the full replacement value

244

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

245

#

246

# This annotation identifies the surrogate when inspecting content using the

247

# custom infoType

248

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

249

# This facilitates reversal of the surrogate when it occurs in free text.

250

#

251

# In order for inspection to work properly, the name of this infoType must

252

# not occur naturally anywhere in your data; otherwise, inspection may

253

# find a surrogate that does not correspond to an actual identifier.

254

# Therefore, choose your custom infoType name carefully after considering

255

# what your data looks like. One way to select a name that has a high chance

256

# of yielding reliable detection is to include one or more unicode characters

257

# that are highly improbable to exist in your data.

258

# For example, assuming your data is entered from a regular ASCII keyboard,

259

# the symbol with the hex code point 29DD might be used like so:

260

# ⧝MY_TOKEN_TYPE

261

"name": "A String", # Name of the information type. Either a name of your choosing when

262

# creating a CustomInfoType, or one of the names listed

263

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

264

# a built-in type. InfoType names should conform to the pattern

265

# `[a-zA-Z0-9_]{1,64}`.

266

},

267

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

268

# identifier in two different contexts won't be given the same surrogate. If

269

# the context is not set, a default tweak will be used.

270

#

271

# If the context is set but:

272

#

273

# 1. there is no record present when transforming a given value or

274

# 1. the field is not present when transforming a given value,

275

#

276

# a default tweak will be used.

277

#

278

# Note that case (1) is expected when an `InfoTypeTransformation` is

279

# applied to both structured and non-structured `ContentItem`s.

280

# Currently, the referenced field may be of value type integer or string.

281

#

282

# The tweak is constructed as a sequence of bytes in big endian byte order

283

# such that:

284

#

285

# - a 64 bit integer is encoded followed by a single byte of value 1

286

# - a string is encoded in UTF-8 format followed by a single byte of value 2

287

"name": "A String", # Name describing the field.

288

},

289

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

290

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

291

# a key encryption key (KEK) stored by KMS).

292

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

293

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

294

# unwrap the data crypto key.

295

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

296

# leaking the key. Choose another type of key if possible.

297

"key": "A String", # Required. A 128/192/256 bit key.

298

},

299

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

300

# It will be discarded after the request finishes.

301

"name": "A String", # Required. Name of the key.

302

# This is an arbitrary string used to differentiate different keys.

303

# A unique key is generated per name: two separate `TransientCryptoKey`

304

# protos share the same generated key if their names are the same.

305

# When the data crypto key is generated, this name is not used in any way

306

# (repeating the api call will result in a different key being generated).

307

},

308

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

309

# The wrapped key must be a 128/192/256 bit key.

310

# Authorization requires the following IAM permissions when sending a request

311

# to perform a crypto transformation using a kms-wrapped crypto key:

312

# dlp.kms.encrypt

313

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

314

"wrappedKey": "A String", # Required. The wrapped data crypto key.

315

},

316

},

317

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

318

# that the FFX mode natively supports. This happens before/after

319

# encryption/decryption.

320

# Each character listed must appear only once.

321

# Number of characters must be in the range [2, 95].

322

# This must be encoded as ASCII.

323

# The order of characters does not matter.

324

"commonAlphabet": "A String", # Common alphabets.

325

},

326

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

327

# input. Outputs a base64 encoded representation of the encrypted output.

328

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

329

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

330

# This annotation will be applied to the surrogate by prefixing it with

331

# the name of the custom info type followed by the number of

332

# characters comprising the surrogate. The following scheme defines the

333

# format: {info type name}({surrogate character count}):{surrogate}

334

#

335

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

336

# the surrogate is 'abc', the full replacement value

337

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

338

#

339

# This annotation identifies the surrogate when inspecting content using the

340

# custom info type 'Surrogate'. This facilitates reversal of the

341

# surrogate when it occurs in free text.

342

#

343

# Note: For record transformations where the entire cell in a table is being

344

# transformed, surrogates are not mandatory. Surrogates are used to denote

345

# the location of the token and are necessary for re-identification in free

346

# form text.

347

#

348

# In order for inspection to work properly, the name of this info type must

349

# not occur naturally anywhere in your data; otherwise, inspection may either

350

#

351

# - reverse a surrogate that does not correspond to an actual identifier

352

# - be unable to parse the surrogate and result in an error

353

#

354

# Therefore, choose your custom info type name carefully after considering

355

# what your data looks like. One way to select a name that has a high chance

356

# of yielding reliable detection is to include one or more unicode characters

357

# that are highly improbable to exist in your data.

358

# For example, assuming your data is entered from a regular ASCII keyboard,

359

# the symbol with the hex code point 29DD might be used like so:

360

# ⧝MY_TOKEN_TYPE.

361

"name": "A String", # Name of the information type. Either a name of your choosing when

362

# creating a CustomInfoType, or one of the names listed

363

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

364

# a built-in type. InfoType names should conform to the pattern

365

# `[a-zA-Z0-9_]{1,64}`.

366

},

367

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

368

# referential integrity such that the same identifier in two different

369

# contexts will be given a distinct surrogate. The context is appended to

370

# plaintext value being encrypted. On decryption the provided context is

371

# validated against the value used during encryption. If a context was

372

# provided during encryption, same context must be provided during decryption

373

# as well.

374

#

375

# If the context is not set, plaintext would be used as is for encryption.

376

# If the context is set but:

377

#

378

# 1. there is no record present when transforming a given value or

379

# 2. the field is not present when transforming a given value,

380

#

381

# plaintext would be used as is for encryption.

382

#

383

# Note that case (1) is expected when an `InfoTypeTransformation` is

384

# applied to both structured and non-structured `ContentItem`s.

385

"name": "A String", # Name describing the field.

386

},

387

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

388

# a key encryption key (KEK) stored by KMS).

389

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

390

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

391

# unwrap the data crypto key.

392

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

393

# leaking the key. Choose another type of key if possible.

394

"key": "A String", # Required. A 128/192/256 bit key.

395

},

396

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

397

# It will be discarded after the request finishes.

398

"name": "A String", # Required. Name of the key.

399

# This is an arbitrary string used to differentiate different keys.

400

# A unique key is generated per name: two separate `TransientCryptoKey`

401

# protos share the same generated key if their names are the same.

402

# When the data crypto key is generated, this name is not used in any way

403

# (repeating the api call will result in a different key being generated).

404

},

405

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

406

# The wrapped key must be a 128/192/256 bit key.

407

# Authorization requires the following IAM permissions when sending a request

408

# to perform a crypto transformation using a kms-wrapped crypto key:

409

# dlp.kms.encrypt

410

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

411

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

416

# replacement values are dynamically provided by the user for custom behavior,

417

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

418

# This can be used on

419

# data of type: number, long, string, timestamp.

420

# If the bound `Value` type differs from the type of data being transformed, we

421

# will first attempt converting the type of the data to be transformed to match

422

# the type of the bound before comparing.

423

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

424

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

425

{ # Bucket is represented as a range, along with replacement values.

426

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

427

# the default behavior will be to hyphenate the min-max range.

428

# Note that for the purposes of inspection or transformation, the number

429

# of bytes considered to comprise a 'Value' is based on its representation

430

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

431

# 123456789, the number of bytes would be counted as 9, even though an

432

# int64 only holds up to 8 bytes of data.

433

"timestampValue": "A String", # timestamp

434

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

435

# and time zone are either specified elsewhere or are not significant. The date

436

# is relative to the Proleptic Gregorian Calendar. This can represent:

437

#

438

# * A full date, with non-zero year, month and day values

439

# * A month and day value, with a zero year, e.g. an anniversary

440

# * A year on its own, with zero month and day values

441

# * A year and month value, with a zero day, e.g. a credit card expiration date

442

#

443

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

444

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

445

# a year.

446

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

447

# month and day.

448

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

449

# if specifying a year by itself or a year and month where the day is not

450

# significant.

451

},

452

"stringValue": "A String", # string

453

"integerValue": "A String", # integer

454

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

455

# or are specified elsewhere. An API may choose to allow leap seconds. Related

456

# types are google.type.Date and `google.protobuf.Timestamp`.

457

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

458

# to allow the value "24:00:00" for scenarios like business closing time.

459

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

460

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

461

# allow the value 60 if it allows leap-seconds.

462

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

463

},

464

"booleanValue": True or False, # boolean

465

"floatValue": 3.14, # float

466

"dayOfWeekValue": "A String", # day of week

467

},

468

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

469

# used.

470

# Note that for the purposes of inspection or transformation, the number

471

# of bytes considered to comprise a 'Value' is based on its representation

472

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

473

# 123456789, the number of bytes would be counted as 9, even though an

474

# int64 only holds up to 8 bytes of data.

475

"timestampValue": "A String", # timestamp

476

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

477

# and time zone are either specified elsewhere or are not significant. The date

478

# is relative to the Proleptic Gregorian Calendar. This can represent:

479

#

480

# * A full date, with non-zero year, month and day values

481

# * A month and day value, with a zero year, e.g. an anniversary

482

# * A year on its own, with zero month and day values

483

# * A year and month value, with a zero day, e.g. a credit card expiration date

484

#

485

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

486

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

487

# a year.

488

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

489

# month and day.

490

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

491

# if specifying a year by itself or a year and month where the day is not

492

# significant.

493

},

494

"stringValue": "A String", # string

495

"integerValue": "A String", # integer

496

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

497

# or are specified elsewhere. An API may choose to allow leap seconds. Related

498

# types are google.type.Date and `google.protobuf.Timestamp`.

499

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

500

# to allow the value "24:00:00" for scenarios like business closing time.

501

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

502

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

503

# allow the value 60 if it allows leap-seconds.

504

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

505

},

506

"booleanValue": True or False, # boolean

507

"floatValue": 3.14, # float

508

"dayOfWeekValue": "A String", # day of week

509

},

510

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

511

# Note that for the purposes of inspection or transformation, the number

512

# of bytes considered to comprise a 'Value' is based on its representation

513

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

514

# 123456789, the number of bytes would be counted as 9, even though an

515

# int64 only holds up to 8 bytes of data.

516

"timestampValue": "A String", # timestamp

517

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

518

# and time zone are either specified elsewhere or are not significant. The date

519

# is relative to the Proleptic Gregorian Calendar. This can represent:

520

#

521

# * A full date, with non-zero year, month and day values

522

# * A month and day value, with a zero year, e.g. an anniversary

523

# * A year on its own, with zero month and day values

524

# * A year and month value, with a zero day, e.g. a credit card expiration date

525

#

526

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

527

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

528

# a year.

529

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

530

# month and day.

531

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

532

# if specifying a year by itself or a year and month where the day is not

533

# significant.

534

},

535

"stringValue": "A String", # string

536

"integerValue": "A String", # integer

537

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

538

# or are specified elsewhere. An API may choose to allow leap seconds. Related

539

# types are google.type.Date and `google.protobuf.Timestamp`.

540

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

541

# to allow the value "24:00:00" for scenarios like business closing time.

542

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

543

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

544

# allow the value 60 if it allows leap-seconds.

545

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

546

},

547

"booleanValue": True or False, # boolean

548

"floatValue": 3.14, # float

549

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

555

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

556

# output would be 'My phone number is '.

557

},

558

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

559

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

560

# Note that for the purposes of inspection or transformation, the number

561

# of bytes considered to comprise a 'Value' is based on its representation

562

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

563

# 123456789, the number of bytes would be counted as 9, even though an

564

# int64 only holds up to 8 bytes of data.

565

"timestampValue": "A String", # timestamp

566

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

567

# and time zone are either specified elsewhere or are not significant. The date

568

# is relative to the Proleptic Gregorian Calendar. This can represent:

569

#

570

# * A full date, with non-zero year, month and day values

571

# * A month and day value, with a zero year, e.g. an anniversary

572

# * A year on its own, with zero month and day values

573

# * A year and month value, with a zero day, e.g. a credit card expiration date

574

#

575

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

576

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

577

# a year.

578

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

579

# month and day.

580

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

581

# if specifying a year by itself or a year and month where the day is not

582

# significant.

583

},

584

"stringValue": "A String", # string

585

"integerValue": "A String", # integer

586

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

587

# or are specified elsewhere. An API may choose to allow leap seconds. Related

588

# types are google.type.Date and `google.protobuf.Timestamp`.

589

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

590

# to allow the value "24:00:00" for scenarios like business closing time.

591

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

592

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

593

# allow the value 60 if it allows leap-seconds.

594

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

595

},

596

"booleanValue": True or False, # boolean

597

"floatValue": 3.14, # float

598

"dayOfWeekValue": "A String", # day of week

599

},

600

},

601

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

602

# Bucketing transformation can provide all of this functionality,

603

# but requires more configuration. This message is provided as a convenience to

604

# the user for simple bucketing strategies.

605

#

606

# The transformed value will be a hyphenated string of

607

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

608

# all values that are within this bucket will be replaced with "10-20".

609

#

610

# This can be used on data of type: double, long.

611

#

612

# If the bound Value type differs from the type of data

613

# being transformed, we will first attempt converting the type of the data to

614

# be transformed to match the type of the bound before comparing.

615

#

616

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

617

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

618

# grouped together into a single bucket; for example if `upper_bound` = 89,

619

# then all values greater than 89 are replaced with the value "89+".

620

# Note that for the purposes of inspection or transformation, the number

621

# of bytes considered to comprise a 'Value' is based on its representation

622

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

623

# 123456789, the number of bytes would be counted as 9, even though an

624

# int64 only holds up to 8 bytes of data.

625

"timestampValue": "A String", # timestamp

626

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

627

# and time zone are either specified elsewhere or are not significant. The date

628

# is relative to the Proleptic Gregorian Calendar. This can represent:

629

#

630

# * A full date, with non-zero year, month and day values

631

# * A month and day value, with a zero year, e.g. an anniversary

632

# * A year on its own, with zero month and day values

633

# * A year and month value, with a zero day, e.g. a credit card expiration date

634

#

635

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

636

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

637

# a year.

638

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

639

# month and day.

640

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

641

# if specifying a year by itself or a year and month where the day is not

642

# significant.

643

},

644

"stringValue": "A String", # string

645

"integerValue": "A String", # integer

646

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

647

# or are specified elsewhere. An API may choose to allow leap seconds. Related

648

# types are google.type.Date and `google.protobuf.Timestamp`.

649

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

650

# to allow the value "24:00:00" for scenarios like business closing time.

651

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

652

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

653

# allow the value 60 if it allows leap-seconds.

654

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

655

},

656

"booleanValue": True or False, # boolean

657

"floatValue": 3.14, # float

658

"dayOfWeekValue": "A String", # day of week

659

},

660

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

661

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

662

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

663

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

664

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

665

# grouped together into a single bucket; for example if `lower_bound` = 10,

666

# then all values less than 10 are replaced with the value "-10".

667

# Note that for the purposes of inspection or transformation, the number

668

# of bytes considered to comprise a 'Value' is based on its representation

669

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

670

# 123456789, the number of bytes would be counted as 9, even though an

671

# int64 only holds up to 8 bytes of data.

672

"timestampValue": "A String", # timestamp

673

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

674

# and time zone are either specified elsewhere or are not significant. The date

675

# is relative to the Proleptic Gregorian Calendar. This can represent:

676

#

677

# * A full date, with non-zero year, month and day values

678

# * A month and day value, with a zero year, e.g. an anniversary

679

# * A year on its own, with zero month and day values

680

# * A year and month value, with a zero day, e.g. a credit card expiration date

681

#

682

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

683

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

684

# a year.

685

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

686

# month and day.

687

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

688

# if specifying a year by itself or a year and month where the day is not

689

# significant.

690

},

691

"stringValue": "A String", # string

692

"integerValue": "A String", # integer

693

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

694

# or are specified elsewhere. An API may choose to allow leap seconds. Related

695

# types are google.type.Date and `google.protobuf.Timestamp`.

696

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

697

# to allow the value "24:00:00" for scenarios like business closing time.

698

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

699

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

700

# allow the value 60 if it allows leap-seconds.

701

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

702

},

703

"booleanValue": True or False, # boolean

704

"floatValue": 3.14, # float

705

"dayOfWeekValue": "A String", # day of week

706

},

707

},

708

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

709

# fixed character. Masking can start from the beginning or end of the string.

710

# This can be used on data of any type (numbers, longs, and so on) and when

711

# de-identifying structured data we'll attempt to preserve the original data's

712

# type. (This allows you to take a long like 123 and modify it to a string like

713

# **3.

714

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

715

# characters. For example, if the input string is `555-555-5555` and you

716

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

717

# returns `***-**5-5555`.

718

{ # Characters to skip when doing deidentification of a value. These will be left

719

# alone and skipped.

720

"charactersToSkip": "A String", # Characters to not transform when masking.

721

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

726

# masked. Skipped characters do not count towards this tally.

727

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

728

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

729

# code or credit card number. This string must have a length of 1. If not

730

# supplied, this value defaults to `*` for strings, and `0` for digits.

731

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

732

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

733

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

734

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

735

# is `true`, then the string `12345` is masked as `12***`.

736

},

737

},

738

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

739

# this transformation to apply to all findings that correspond to

740

# infoTypes that were requested in `InspectConfig`.

741

{ # Type of information detected by the API.

742

"name": "A String", # Name of the information type. Either a name of your choosing when

743

# creating a CustomInfoType, or one of the names listed

744

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

745

# a built-in type. InfoType names should conform to the pattern

746

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

752

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

753

# mode is `TransformationErrorHandling.ThrowError`.

754

# transformation error occurs when the requested transformation is incompatible

755

# with the data. For example, trying to de-identify an IP address using a

756

# `DateShift` transformation would result in a transformation error, since date

757

# info cannot be extracted from an IP address.

758

# Information about any incompatible transformations, and how they were

759

# handled, is returned in the response as part of the

760

# `TransformationOverviews`.

761

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

762

},

763

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

764

# cause an error. For example, if a `DateShift` transformation were applied

765

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

770

# specific locations within structured datasets, such as transforming

771

# a column within a table.

772

# table.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

773

"fieldTransformations": [ # Transform the record by applying various field transformations.

774

{ # The transformation to apply to the field.

775

"fields": [ # Required. Input field(s) to apply the transformation to.

776

{ # General identifier of a data field in a storage service.

777

"name": "A String", # Name describing the field.

778

},

779

],

780

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

781

# transform content that matches an `InfoType`.

782

# apply various `PrimitiveTransformation`s to each finding, where the

783

# transformation is applied to only values that were identified as a specific

784

# info_type.

785

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

786

# for a given infoType.

787

{ # A transformation to apply to text that is identified as a specific

788

# info_type.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

789

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

790

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

791

# portion of the value.

792

"partToExtract": "A String", # The part of the time to keep.

793

},

794

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

795

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

796

# to learn more.

797

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

798

# If set, must also set cryptoKey. If set, shift will be consistent for the

799

# given context.

800

"name": "A String", # Name describing the field.

801

},

802

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

803

# range (inclusive ends). Negative means shift to earlier in time. Must not

804

# be more than 365250 days (1000 years) each direction.

805

#

806

# For example, 3 means shift date to at most 3 days into the future.

807

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

808

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

809

# results in the same shift for the same context and crypto_key. If

810

# set, must also set context. Can only be applied to table items.

811

# a key encryption key (KEK) stored by KMS).

812

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

813

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

814

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

815

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

816

# leaking the key. Choose another type of key if possible.

817

"key": "A String", # Required. A 128/192/256 bit key.

818

},

819

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

820

# It will be discarded after the request finishes.

821

"name": "A String", # Required. Name of the key.

822

# This is an arbitrary string used to differentiate different keys.

823

# A unique key is generated per name: two separate `TransientCryptoKey`

824

# protos share the same generated key if their names are the same.

825

# When the data crypto key is generated, this name is not used in any way

826

# (repeating the api call will result in a different key being generated).

827

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

828

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

829

# The wrapped key must be a 128/192/256 bit key.

830

# Authorization requires the following IAM permissions when sending a request

831

# to perform a crypto transformation using a kms-wrapped crypto key:

832

# dlp.kms.encrypt

833

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

834

"wrappedKey": "A String", # Required. The wrapped data crypto key.

835

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

836

},

837

},

838

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

839

},

840

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

841

# Uses SHA-256.

842

# The key size must be either 32 or 64 bytes.

843

# Outputs a base64 encoded representation of the hashed output

844

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

845

# Currently, only string and integer values can be hashed.

846

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

847

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

848

# a key encryption key (KEK) stored by KMS).

849

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

850

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

851

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

852

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

853

# leaking the key. Choose another type of key if possible.

854

"key": "A String", # Required. A 128/192/256 bit key.

855

},

856

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

857

# It will be discarded after the request finishes.

858

"name": "A String", # Required. Name of the key.

859

# This is an arbitrary string used to differentiate different keys.

860

# A unique key is generated per name: two separate `TransientCryptoKey`

861

# protos share the same generated key if their names are the same.

862

# When the data crypto key is generated, this name is not used in any way

863

# (repeating the api call will result in a different key being generated).

864

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

865

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

866

# The wrapped key must be a 128/192/256 bit key.

867

# Authorization requires the following IAM permissions when sending a request

868

# to perform a crypto transformation using a kms-wrapped crypto key:

869

# dlp.kms.encrypt

870

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

871

"wrappedKey": "A String", # Required. The wrapped data crypto key.

872

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

873

},

874

},

875

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

876

# (FPE) with the FFX mode of operation; however when used in the

877

# `ReidentifyContent` API method, it serves the opposite function by reversing

878

# the surrogate back into the original identifier. The identifier must be

879

# encoded as ASCII. For a given crypto key and context, the same identifier

880

# will be replaced with the same surrogate. Identifiers must be at least two

881

# characters long. In the case that the identifier is the empty string, it will

882

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

883

# more.

884

#

885

# Note: We recommend using CryptoDeterministicConfig for all use cases which

886

# do not require preserving the input alphabet space and size, plus warrant

887

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

888

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

889

# This annotation will be applied to the surrogate by prefixing it with

890

# the name of the custom infoType followed by the number of

891

# characters comprising the surrogate. The following scheme defines the

892

# format: info_type_name(surrogate_character_count):surrogate

893

#

894

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

895

# the surrogate is 'abc', the full replacement value

896

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

897

#

898

# This annotation identifies the surrogate when inspecting content using the

899

# custom infoType

900

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

901

# This facilitates reversal of the surrogate when it occurs in free text.

902

#

903

# In order for inspection to work properly, the name of this infoType must

904

# not occur naturally anywhere in your data; otherwise, inspection may

905

# find a surrogate that does not correspond to an actual identifier.

906

# Therefore, choose your custom infoType name carefully after considering

907

# what your data looks like. One way to select a name that has a high chance

908

# of yielding reliable detection is to include one or more unicode characters

909

# that are highly improbable to exist in your data.

910

# For example, assuming your data is entered from a regular ASCII keyboard,

911

# the symbol with the hex code point 29DD might be used like so:

912

# ⧝MY_TOKEN_TYPE

913

"name": "A String", # Name of the information type. Either a name of your choosing when

914

# creating a CustomInfoType, or one of the names listed

915

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

916

# a built-in type. InfoType names should conform to the pattern

917

# `[a-zA-Z0-9_]{1,64}`.

918

},

919

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

920

# identifier in two different contexts won't be given the same surrogate. If

921

# the context is not set, a default tweak will be used.

922

#

923

# If the context is set but:

924

#

925

# 1. there is no record present when transforming a given value or

926

# 1. the field is not present when transforming a given value,

927

#

928

# a default tweak will be used.

929

#

930

# Note that case (1) is expected when an `InfoTypeTransformation` is

931

# applied to both structured and non-structured `ContentItem`s.

932

# Currently, the referenced field may be of value type integer or string.

933

#

934

# The tweak is constructed as a sequence of bytes in big endian byte order

935

# such that:

936

#

937

# - a 64 bit integer is encoded followed by a single byte of value 1

938

# - a string is encoded in UTF-8 format followed by a single byte of value 2

939

"name": "A String", # Name describing the field.

940

},

941

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

942

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

943

# a key encryption key (KEK) stored by KMS).

944

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

945

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

946

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

947

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

948

# leaking the key. Choose another type of key if possible.

949

"key": "A String", # Required. A 128/192/256 bit key.

950

},

951

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

952

# It will be discarded after the request finishes.

953

"name": "A String", # Required. Name of the key.

954

# This is an arbitrary string used to differentiate different keys.

955

# A unique key is generated per name: two separate `TransientCryptoKey`

956

# protos share the same generated key if their names are the same.

957

# When the data crypto key is generated, this name is not used in any way

958

# (repeating the api call will result in a different key being generated).

959

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

960

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

961

# The wrapped key must be a 128/192/256 bit key.

962

# Authorization requires the following IAM permissions when sending a request

963

# to perform a crypto transformation using a kms-wrapped crypto key:

964

# dlp.kms.encrypt

965

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

966

"wrappedKey": "A String", # Required. The wrapped data crypto key.

967

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

968

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

969

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

970

# that the FFX mode natively supports. This happens before/after

971

# encryption/decryption.

972

# Each character listed must appear only once.

973

# Number of characters must be in the range [2, 95].

974

# This must be encoded as ASCII.

975

# The order of characters does not matter.

976

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

977

},

978

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

979

# input. Outputs a base64 encoded representation of the encrypted output.

980

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

981

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

982

# This annotation will be applied to the surrogate by prefixing it with

983

# the name of the custom info type followed by the number of

984

# characters comprising the surrogate. The following scheme defines the

985

# format: {info type name}({surrogate character count}):{surrogate}

986

#

987

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

988

# the surrogate is 'abc', the full replacement value

989

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

990

#

991

# This annotation identifies the surrogate when inspecting content using the

992

# custom info type 'Surrogate'. This facilitates reversal of the

993

# surrogate when it occurs in free text.

994

#

995

# Note: For record transformations where the entire cell in a table is being

996

# transformed, surrogates are not mandatory. Surrogates are used to denote

997

# the location of the token and are necessary for re-identification in free

998

# form text.

999

#

1000

# In order for inspection to work properly, the name of this info type must

1001

# not occur naturally anywhere in your data; otherwise, inspection may either

1002

#

1003

# - reverse a surrogate that does not correspond to an actual identifier

1004

# - be unable to parse the surrogate and result in an error

1005

#

1006

# Therefore, choose your custom info type name carefully after considering

1007

# what your data looks like. One way to select a name that has a high chance

1008

# of yielding reliable detection is to include one or more unicode characters

1009

# that are highly improbable to exist in your data.

1010

# For example, assuming your data is entered from a regular ASCII keyboard,

1011

# the symbol with the hex code point 29DD might be used like so:

1012

# ⧝MY_TOKEN_TYPE.

1013

"name": "A String", # Name of the information type. Either a name of your choosing when

1014

# creating a CustomInfoType, or one of the names listed

1015

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1016

# a built-in type. InfoType names should conform to the pattern

1017

# `[a-zA-Z0-9_]{1,64}`.

1018

},

1019

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1020

# referential integrity such that the same identifier in two different

1021

# contexts will be given a distinct surrogate. The context is appended to

1022

# plaintext value being encrypted. On decryption the provided context is

1023

# validated against the value used during encryption. If a context was

1024

# provided during encryption, same context must be provided during decryption

1025

# as well.

1026

#

1027

# If the context is not set, plaintext would be used as is for encryption.

1028

# If the context is set but:

1029

#

1030

# 1. there is no record present when transforming a given value or

1031

# 2. the field is not present when transforming a given value,

1032

#

1033

# plaintext would be used as is for encryption.

1034

#

1035

# Note that case (1) is expected when an `InfoTypeTransformation` is

1036

# applied to both structured and non-structured `ContentItem`s.

1037

"name": "A String", # Name describing the field.

1038

},

1039

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1040

# a key encryption key (KEK) stored by KMS).

1041

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1042

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1043

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1044

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1045

# leaking the key. Choose another type of key if possible.

1046

"key": "A String", # Required. A 128/192/256 bit key.

1047

},

1048

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1049

# It will be discarded after the request finishes.

1050

"name": "A String", # Required. Name of the key.

1051

# This is an arbitrary string used to differentiate different keys.

1052

# A unique key is generated per name: two separate `TransientCryptoKey`

1053

# protos share the same generated key if their names are the same.

1054

# When the data crypto key is generated, this name is not used in any way

1055

# (repeating the api call will result in a different key being generated).

1056

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1057

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1058

# The wrapped key must be a 128/192/256 bit key.

1059

# Authorization requires the following IAM permissions when sending a request

1060

# to perform a crypto transformation using a kms-wrapped crypto key:

1061

# dlp.kms.encrypt

1062

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1063

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1064

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1065

},

1066

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1067

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

1068

# replacement values are dynamically provided by the user for custom behavior,

1069

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1070

# This can be used on

1071

# data of type: number, long, string, timestamp.

1072

# If the bound `Value` type differs from the type of data being transformed, we

1073

# will first attempt converting the type of the data to be transformed to match

1074

# the type of the bound before comparing.

1075

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1076

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1077

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1078

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1079

# the default behavior will be to hyphenate the min-max range.

1080

# Note that for the purposes of inspection or transformation, the number

1081

# of bytes considered to comprise a 'Value' is based on its representation

1082

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1083

# 123456789, the number of bytes would be counted as 9, even though an

1084

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1085

"timestampValue": "A String", # timestamp

1086

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1087

# and time zone are either specified elsewhere or are not significant. The date

1088

# is relative to the Proleptic Gregorian Calendar. This can represent:

1089

#

1090

# * A full date, with non-zero year, month and day values

1091

# * A month and day value, with a zero year, e.g. an anniversary

1092

# * A year on its own, with zero month and day values

1093

# * A year and month value, with a zero day, e.g. a credit card expiration date

1094

#

1095

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1096

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1097

# a year.

1098

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1099

# month and day.

1100

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1101

# if specifying a year by itself or a year and month where the day is not

1102

# significant.

1103

},

1104

"stringValue": "A String", # string

1105

"integerValue": "A String", # integer

1106

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1107

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1108

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1109

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1110

# to allow the value "24:00:00" for scenarios like business closing time.

1111

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1112

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1113

# allow the value 60 if it allows leap-seconds.

1114

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1115

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1116

"booleanValue": True or False, # boolean

1117

"floatValue": 3.14, # float

1118

"dayOfWeekValue": "A String", # day of week

1119

},

1120

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1121

# used.

1122

# Note that for the purposes of inspection or transformation, the number

1123

# of bytes considered to comprise a 'Value' is based on its representation

1124

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1125

# 123456789, the number of bytes would be counted as 9, even though an

1126

# int64 only holds up to 8 bytes of data.

1127

"timestampValue": "A String", # timestamp

1128

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1129

# and time zone are either specified elsewhere or are not significant. The date

1130

# is relative to the Proleptic Gregorian Calendar. This can represent:

1131

#

1132

# * A full date, with non-zero year, month and day values

1133

# * A month and day value, with a zero year, e.g. an anniversary

1134

# * A year on its own, with zero month and day values

1135

# * A year and month value, with a zero day, e.g. a credit card expiration date

1136

#

1137

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1138

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1139

# a year.

1140

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1141

# month and day.

1142

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1143

# if specifying a year by itself or a year and month where the day is not

1144

# significant.

1145

},

1146

"stringValue": "A String", # string

1147

"integerValue": "A String", # integer

1148

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1149

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1150

# types are google.type.Date and `google.protobuf.Timestamp`.

1151

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1152

# to allow the value "24:00:00" for scenarios like business closing time.

1153

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1154

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1155

# allow the value 60 if it allows leap-seconds.

1156

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1157

},

1158

"booleanValue": True or False, # boolean

1159

"floatValue": 3.14, # float

1160

"dayOfWeekValue": "A String", # day of week

1161

},

1162

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1163

# Note that for the purposes of inspection or transformation, the number

1164

# of bytes considered to comprise a 'Value' is based on its representation

1165

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1166

# 123456789, the number of bytes would be counted as 9, even though an

1167

# int64 only holds up to 8 bytes of data.

1168

"timestampValue": "A String", # timestamp

1169

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1170

# and time zone are either specified elsewhere or are not significant. The date

1171

# is relative to the Proleptic Gregorian Calendar. This can represent:

1172

#

1173

# * A full date, with non-zero year, month and day values

1174

# * A month and day value, with a zero year, e.g. an anniversary

1175

# * A year on its own, with zero month and day values

1176

# * A year and month value, with a zero day, e.g. a credit card expiration date

1177

#

1178

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1179

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1180

# a year.

1181

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1182

# month and day.

1183

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1184

# if specifying a year by itself or a year and month where the day is not

1185

# significant.

1186

},

1187

"stringValue": "A String", # string

1188

"integerValue": "A String", # integer

1189

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1190

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1191

# types are google.type.Date and `google.protobuf.Timestamp`.

1192

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1193

# to allow the value "24:00:00" for scenarios like business closing time.

1194

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1195

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1196

# allow the value 60 if it allows leap-seconds.

1197

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1198

},

1199

"booleanValue": True or False, # boolean

1200

"floatValue": 3.14, # float

1201

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1206

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1207

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1208

# output would be 'My phone number is '.

1209

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1210

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1211

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1212

# Note that for the purposes of inspection or transformation, the number

1213

# of bytes considered to comprise a 'Value' is based on its representation

1214

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1215

# 123456789, the number of bytes would be counted as 9, even though an

1216

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1217

"timestampValue": "A String", # timestamp

1218

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1219

# and time zone are either specified elsewhere or are not significant. The date

1220

# is relative to the Proleptic Gregorian Calendar. This can represent:

1221

#

1222

# * A full date, with non-zero year, month and day values

1223

# * A month and day value, with a zero year, e.g. an anniversary

1224

# * A year on its own, with zero month and day values

1225

# * A year and month value, with a zero day, e.g. a credit card expiration date

1226

#

1227

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1228

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1229

# a year.

1230

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1231

# month and day.

1232

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1233

# if specifying a year by itself or a year and month where the day is not

1234

# significant.

1235

},

1236

"stringValue": "A String", # string

1237

"integerValue": "A String", # integer

1238

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1239

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1240

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1241

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1242

# to allow the value "24:00:00" for scenarios like business closing time.

1243

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1244

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1245

# allow the value 60 if it allows leap-seconds.

1246

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1247

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1248

"booleanValue": True or False, # boolean

1249

"floatValue": 3.14, # float

1250

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1251

},

1252

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1253

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1254

# Bucketing transformation can provide all of this functionality,

1255

# but requires more configuration. This message is provided as a convenience to

1256

# the user for simple bucketing strategies.

1257

#

1258

# The transformed value will be a hyphenated string of

1259

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1260

# all values that are within this bucket will be replaced with "10-20".

1261

#

1262

# This can be used on data of type: double, long.

1263

#

1264

# If the bound Value type differs from the type of data

1265

# being transformed, we will first attempt converting the type of the data to

1266

# be transformed to match the type of the bound before comparing.

1267

#

1268

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1269

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1270

# grouped together into a single bucket; for example if `upper_bound` = 89,

1271

# then all values greater than 89 are replaced with the value "89+".

1272

# Note that for the purposes of inspection or transformation, the number

1273

# of bytes considered to comprise a 'Value' is based on its representation

1274

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1275

# 123456789, the number of bytes would be counted as 9, even though an

1276

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1277

"timestampValue": "A String", # timestamp

1278

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1279

# and time zone are either specified elsewhere or are not significant. The date

1280

# is relative to the Proleptic Gregorian Calendar. This can represent:

1281

#

1282

# * A full date, with non-zero year, month and day values

1283

# * A month and day value, with a zero year, e.g. an anniversary

1284

# * A year on its own, with zero month and day values

1285

# * A year and month value, with a zero day, e.g. a credit card expiration date

1286

#

1287

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1288

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1289

# a year.

1290

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1291

# month and day.

1292

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1293

# if specifying a year by itself or a year and month where the day is not

1294

# significant.

1295

},

1296

"stringValue": "A String", # string

1297

"integerValue": "A String", # integer

1298

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1299

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1300

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1301

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1302

# to allow the value "24:00:00" for scenarios like business closing time.

1303

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1304

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1305

# allow the value 60 if it allows leap-seconds.

1306

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1307

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1308

"booleanValue": True or False, # boolean

1309

"floatValue": 3.14, # float

1310

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1311

},

1312

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1313

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1314

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1315

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1316

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1317

# grouped together into a single bucket; for example if `lower_bound` = 10,

1318

# then all values less than 10 are replaced with the value "-10".

1319

# Note that for the purposes of inspection or transformation, the number

1320

# of bytes considered to comprise a 'Value' is based on its representation

1321

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1322

# 123456789, the number of bytes would be counted as 9, even though an

1323

# int64 only holds up to 8 bytes of data.

1324

"timestampValue": "A String", # timestamp

1325

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1326

# and time zone are either specified elsewhere or are not significant. The date

1327

# is relative to the Proleptic Gregorian Calendar. This can represent:

1328

#

1329

# * A full date, with non-zero year, month and day values

1330

# * A month and day value, with a zero year, e.g. an anniversary

1331

# * A year on its own, with zero month and day values

1332

# * A year and month value, with a zero day, e.g. a credit card expiration date

1333

#

1334

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1335

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1336

# a year.

1337

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1338

# month and day.

1339

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1340

# if specifying a year by itself or a year and month where the day is not

1341

# significant.

1342

},

1343

"stringValue": "A String", # string

1344

"integerValue": "A String", # integer

1345

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1346

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1347

# types are google.type.Date and `google.protobuf.Timestamp`.

1348

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1349

# to allow the value "24:00:00" for scenarios like business closing time.

1350

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1351

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1352

# allow the value 60 if it allows leap-seconds.

1353

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1354

},

1355

"booleanValue": True or False, # boolean

1356

"floatValue": 3.14, # float

1357

"dayOfWeekValue": "A String", # day of week

1358

},

1359

},

1360

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1361

# fixed character. Masking can start from the beginning or end of the string.

1362

# This can be used on data of any type (numbers, longs, and so on) and when

1363

# de-identifying structured data we'll attempt to preserve the original data's

1364

# type. (This allows you to take a long like 123 and modify it to a string like

1365

# **3.

1366

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1367

# characters. For example, if the input string is `555-555-5555` and you

1368

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1369

# returns `***-**5-5555`.

1370

{ # Characters to skip when doing deidentification of a value. These will be left

1371

# alone and skipped.

1372

"charactersToSkip": "A String", # Characters to not transform when masking.

1373

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1378

# masked. Skipped characters do not count towards this tally.

1379

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1380

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1381

# code or credit card number. This string must have a length of 1. If not

1382

# supplied, this value defaults to `*` for strings, and `0` for digits.

1383

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1384

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

1385

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

1386

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

1387

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1388

},

1389

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1390

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

1391

# this transformation to apply to all findings that correspond to

1392

# infoTypes that were requested in `InspectConfig`.

1393

{ # Type of information detected by the API.

1394

"name": "A String", # Name of the information type. Either a name of your choosing when

1395

# creating a CustomInfoType, or one of the names listed

1396

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1397

# a built-in type. InfoType names should conform to the pattern

1398

# `[a-zA-Z0-9_]{1,64}`.

1399

},

1400

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

1405

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

1406

# portion of the value.

1407

"partToExtract": "A String", # The part of the time to keep.

1408

},

1409

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

1410

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

1411

# to learn more.

1412

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

1413

# If set, must also set cryptoKey. If set, shift will be consistent for the

1414

# given context.

1415

"name": "A String", # Name describing the field.

1416

},

1417

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

1418

# range (inclusive ends). Negative means shift to earlier in time. Must not

1419

# be more than 365250 days (1000 years) each direction.

1420

#

1421

# For example, 3 means shift date to at most 3 days into the future.

1422

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

1423

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

1424

# results in the same shift for the same context and crypto_key. If

1425

# set, must also set context. Can only be applied to table items.

1426

# a key encryption key (KEK) stored by KMS).

1427

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1428

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1429

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1430

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1431

# leaking the key. Choose another type of key if possible.

1432

"key": "A String", # Required. A 128/192/256 bit key.

1433

},

1434

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1435

# It will be discarded after the request finishes.

1436

"name": "A String", # Required. Name of the key.

1437

# This is an arbitrary string used to differentiate different keys.

1438

# A unique key is generated per name: two separate `TransientCryptoKey`

1439

# protos share the same generated key if their names are the same.

1440

# When the data crypto key is generated, this name is not used in any way

1441

# (repeating the api call will result in a different key being generated).

1442

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1443

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1444

# The wrapped key must be a 128/192/256 bit key.

1445

# Authorization requires the following IAM permissions when sending a request

1446

# to perform a crypto transformation using a kms-wrapped crypto key:

1447

# dlp.kms.encrypt

1448

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1449

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1450

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1451

},

1452

},

1453

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

1454

},

1455

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

1456

# Uses SHA-256.

1457

# The key size must be either 32 or 64 bytes.

1458

# Outputs a base64 encoded representation of the hashed output

1459

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

1460

# Currently, only string and integer values can be hashed.

1461

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

1462

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

1463

# a key encryption key (KEK) stored by KMS).

1464

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1465

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1466

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1467

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1468

# leaking the key. Choose another type of key if possible.

1469

"key": "A String", # Required. A 128/192/256 bit key.

1470

},

1471

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1472

# It will be discarded after the request finishes.

1473

"name": "A String", # Required. Name of the key.

1474

# This is an arbitrary string used to differentiate different keys.

1475

# A unique key is generated per name: two separate `TransientCryptoKey`

1476

# protos share the same generated key if their names are the same.

1477

# When the data crypto key is generated, this name is not used in any way

1478

# (repeating the api call will result in a different key being generated).

1479

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1480

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1481

# The wrapped key must be a 128/192/256 bit key.

1482

# Authorization requires the following IAM permissions when sending a request

1483

# to perform a crypto transformation using a kms-wrapped crypto key:

1484

# dlp.kms.encrypt

1485

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1486

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1487

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1488

},

1489

},

1490

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

1491

# (FPE) with the FFX mode of operation; however when used in the

1492

# `ReidentifyContent` API method, it serves the opposite function by reversing

1493

# the surrogate back into the original identifier. The identifier must be

1494

# encoded as ASCII. For a given crypto key and context, the same identifier

1495

# will be replaced with the same surrogate. Identifiers must be at least two

1496

# characters long. In the case that the identifier is the empty string, it will

1497

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

1498

# more.

1499

#

1500

# Note: We recommend using CryptoDeterministicConfig for all use cases which

1501

# do not require preserving the input alphabet space and size, plus warrant

1502

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1503

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

1504

# This annotation will be applied to the surrogate by prefixing it with

1505

# the name of the custom infoType followed by the number of

1506

# characters comprising the surrogate. The following scheme defines the

1507

# format: info_type_name(surrogate_character_count):surrogate

1508

#

1509

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

1510

# the surrogate is 'abc', the full replacement value

1511

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1512

#

1513

# This annotation identifies the surrogate when inspecting content using the

1514

# custom infoType

1515

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

1516

# This facilitates reversal of the surrogate when it occurs in free text.

1517

#

1518

# In order for inspection to work properly, the name of this infoType must

1519

# not occur naturally anywhere in your data; otherwise, inspection may

1520

# find a surrogate that does not correspond to an actual identifier.

1521

# Therefore, choose your custom infoType name carefully after considering

1522

# what your data looks like. One way to select a name that has a high chance

1523

# of yielding reliable detection is to include one or more unicode characters

1524

# that are highly improbable to exist in your data.

1525

# For example, assuming your data is entered from a regular ASCII keyboard,

1526

# the symbol with the hex code point 29DD might be used like so:

1527

# ⧝MY_TOKEN_TYPE

1528

"name": "A String", # Name of the information type. Either a name of your choosing when

1529

# creating a CustomInfoType, or one of the names listed

1530

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1531

# a built-in type. InfoType names should conform to the pattern

1532

# `[a-zA-Z0-9_]{1,64}`.

1533

},

1534

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

1535

# identifier in two different contexts won't be given the same surrogate. If

1536

# the context is not set, a default tweak will be used.

1537

#

1538

# If the context is set but:

1539

#

1540

# 1. there is no record present when transforming a given value or

1541

# 1. the field is not present when transforming a given value,

1542

#

1543

# a default tweak will be used.

1544

#

1545

# Note that case (1) is expected when an `InfoTypeTransformation` is

1546

# applied to both structured and non-structured `ContentItem`s.

1547

# Currently, the referenced field may be of value type integer or string.

1548

#

1549

# The tweak is constructed as a sequence of bytes in big endian byte order

1550

# such that:

1551

#

1552

# - a 64 bit integer is encoded followed by a single byte of value 1

1553

# - a string is encoded in UTF-8 format followed by a single byte of value 2

1554

"name": "A String", # Name describing the field.

1555

},

1556

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

1557

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

1558

# a key encryption key (KEK) stored by KMS).

1559

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1560

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1561

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1562

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1563

# leaking the key. Choose another type of key if possible.

1564

"key": "A String", # Required. A 128/192/256 bit key.

1565

},

1566

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1567

# It will be discarded after the request finishes.

1568

"name": "A String", # Required. Name of the key.

1569

# This is an arbitrary string used to differentiate different keys.

1570

# A unique key is generated per name: two separate `TransientCryptoKey`

1571

# protos share the same generated key if their names are the same.

1572

# When the data crypto key is generated, this name is not used in any way

1573

# (repeating the api call will result in a different key being generated).

1574

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1575

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1576

# The wrapped key must be a 128/192/256 bit key.

1577

# Authorization requires the following IAM permissions when sending a request

1578

# to perform a crypto transformation using a kms-wrapped crypto key:

1579

# dlp.kms.encrypt

1580

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1581

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1582

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1583

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1584

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

1585

# that the FFX mode natively supports. This happens before/after

1586

# encryption/decryption.

1587

# Each character listed must appear only once.

1588

# Number of characters must be in the range [2, 95].

1589

# This must be encoded as ASCII.

1590

# The order of characters does not matter.

1591

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1592

},

1593

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

1594

# input. Outputs a base64 encoded representation of the encrypted output.

1595

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

1596

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

1597

# This annotation will be applied to the surrogate by prefixing it with

1598

# the name of the custom info type followed by the number of

1599

# characters comprising the surrogate. The following scheme defines the

1600

# format: {info type name}({surrogate character count}):{surrogate}

1601

#

1602

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

1603

# the surrogate is 'abc', the full replacement value

1604

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

1605

#

1606

# This annotation identifies the surrogate when inspecting content using the

1607

# custom info type 'Surrogate'. This facilitates reversal of the

1608

# surrogate when it occurs in free text.

1609

#

1610

# Note: For record transformations where the entire cell in a table is being

1611

# transformed, surrogates are not mandatory. Surrogates are used to denote

1612

# the location of the token and are necessary for re-identification in free

1613

# form text.

1614

#

1615

# In order for inspection to work properly, the name of this info type must

1616

# not occur naturally anywhere in your data; otherwise, inspection may either

1617

#

1618

# - reverse a surrogate that does not correspond to an actual identifier

1619

# - be unable to parse the surrogate and result in an error

1620

#

1621

# Therefore, choose your custom info type name carefully after considering

1622

# what your data looks like. One way to select a name that has a high chance

1623

# of yielding reliable detection is to include one or more unicode characters

1624

# that are highly improbable to exist in your data.

1625

# For example, assuming your data is entered from a regular ASCII keyboard,

1626

# the symbol with the hex code point 29DD might be used like so:

1627

# ⧝MY_TOKEN_TYPE.

1628

"name": "A String", # Name of the information type. Either a name of your choosing when

1629

# creating a CustomInfoType, or one of the names listed

1630

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

1631

# a built-in type. InfoType names should conform to the pattern

1632

# `[a-zA-Z0-9_]{1,64}`.

1633

},

1634

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

1635

# referential integrity such that the same identifier in two different

1636

# contexts will be given a distinct surrogate. The context is appended to

1637

# plaintext value being encrypted. On decryption the provided context is

1638

# validated against the value used during encryption. If a context was

1639

# provided during encryption, same context must be provided during decryption

1640

# as well.

1641

#

1642

# If the context is not set, plaintext would be used as is for encryption.

1643

# If the context is set but:

1644

#

1645

# 1. there is no record present when transforming a given value or

1646

# 2. the field is not present when transforming a given value,

1647

#

1648

# plaintext would be used as is for encryption.

1649

#

1650

# Note that case (1) is expected when an `InfoTypeTransformation` is

1651

# applied to both structured and non-structured `ContentItem`s.

1652

"name": "A String", # Name describing the field.

1653

},

1654

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

1655

# a key encryption key (KEK) stored by KMS).

1656

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

1657

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

1658

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1659

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

1660

# leaking the key. Choose another type of key if possible.

1661

"key": "A String", # Required. A 128/192/256 bit key.

1662

},

1663

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

1664

# It will be discarded after the request finishes.

1665

"name": "A String", # Required. Name of the key.

1666

# This is an arbitrary string used to differentiate different keys.

1667

# A unique key is generated per name: two separate `TransientCryptoKey`

1668

# protos share the same generated key if their names are the same.

1669

# When the data crypto key is generated, this name is not used in any way

1670

# (repeating the api call will result in a different key being generated).

1671

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1672

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

1673

# The wrapped key must be a 128/192/256 bit key.

1674

# Authorization requires the following IAM permissions when sending a request

1675

# to perform a crypto transformation using a kms-wrapped crypto key:

1676

# dlp.kms.encrypt

1677

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

1678

"wrappedKey": "A String", # Required. The wrapped data crypto key.

1679

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1680

},

1681

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1682

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

1683

# replacement values are dynamically provided by the user for custom behavior,

1684

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

1685

# This can be used on

1686

# data of type: number, long, string, timestamp.

1687

# If the bound `Value` type differs from the type of data being transformed, we

1688

# will first attempt converting the type of the data to be transformed to match

1689

# the type of the bound before comparing.

1690

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

1691

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

1692

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1693

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

1694

# the default behavior will be to hyphenate the min-max range.

1695

# Note that for the purposes of inspection or transformation, the number

1696

# of bytes considered to comprise a 'Value' is based on its representation

1697

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1698

# 123456789, the number of bytes would be counted as 9, even though an

1699

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1700

"timestampValue": "A String", # timestamp

1701

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1702

# and time zone are either specified elsewhere or are not significant. The date

1703

# is relative to the Proleptic Gregorian Calendar. This can represent:

1704

#

1705

# * A full date, with non-zero year, month and day values

1706

# * A month and day value, with a zero year, e.g. an anniversary

1707

# * A year on its own, with zero month and day values

1708

# * A year and month value, with a zero day, e.g. a credit card expiration date

1709

#

1710

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1711

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1712

# a year.

1713

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1714

# month and day.

1715

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1716

# if specifying a year by itself or a year and month where the day is not

1717

# significant.

1718

},

1719

"stringValue": "A String", # string

1720

"integerValue": "A String", # integer

1721

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1722

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1723

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1724

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1725

# to allow the value "24:00:00" for scenarios like business closing time.

1726

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1727

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1728

# allow the value 60 if it allows leap-seconds.

1729

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1730

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1731

"booleanValue": True or False, # boolean

1732

"floatValue": 3.14, # float

1733

"dayOfWeekValue": "A String", # day of week

1734

},

1735

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

1736

# used.

1737

# Note that for the purposes of inspection or transformation, the number

1738

# of bytes considered to comprise a 'Value' is based on its representation

1739

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1740

# 123456789, the number of bytes would be counted as 9, even though an

1741

# int64 only holds up to 8 bytes of data.

1742

"timestampValue": "A String", # timestamp

1743

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1744

# and time zone are either specified elsewhere or are not significant. The date

1745

# is relative to the Proleptic Gregorian Calendar. This can represent:

1746

#

1747

# * A full date, with non-zero year, month and day values

1748

# * A month and day value, with a zero year, e.g. an anniversary

1749

# * A year on its own, with zero month and day values

1750

# * A year and month value, with a zero day, e.g. a credit card expiration date

1751

#

1752

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1753

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1754

# a year.

1755

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1756

# month and day.

1757

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1758

# if specifying a year by itself or a year and month where the day is not

1759

# significant.

1760

},

1761

"stringValue": "A String", # string

1762

"integerValue": "A String", # integer

1763

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1764

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1765

# types are google.type.Date and `google.protobuf.Timestamp`.

1766

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1767

# to allow the value "24:00:00" for scenarios like business closing time.

1768

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1769

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1770

# allow the value 60 if it allows leap-seconds.

1771

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1772

},

1773

"booleanValue": True or False, # boolean

1774

"floatValue": 3.14, # float

1775

"dayOfWeekValue": "A String", # day of week

1776

},

1777

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

1778

# Note that for the purposes of inspection or transformation, the number

1779

# of bytes considered to comprise a 'Value' is based on its representation

1780

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1781

# 123456789, the number of bytes would be counted as 9, even though an

1782

# int64 only holds up to 8 bytes of data.

1783

"timestampValue": "A String", # timestamp

1784

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1785

# and time zone are either specified elsewhere or are not significant. The date

1786

# is relative to the Proleptic Gregorian Calendar. This can represent:

1787

#

1788

# * A full date, with non-zero year, month and day values

1789

# * A month and day value, with a zero year, e.g. an anniversary

1790

# * A year on its own, with zero month and day values

1791

# * A year and month value, with a zero day, e.g. a credit card expiration date

1792

#

1793

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1794

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1795

# a year.

1796

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1797

# month and day.

1798

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1799

# if specifying a year by itself or a year and month where the day is not

1800

# significant.

1801

},

1802

"stringValue": "A String", # string

1803

"integerValue": "A String", # integer

1804

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1805

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1806

# types are google.type.Date and `google.protobuf.Timestamp`.

1807

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1808

# to allow the value "24:00:00" for scenarios like business closing time.

1809

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1810

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1811

# allow the value 60 if it allows leap-seconds.

1812

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1813

},

1814

"booleanValue": True or False, # boolean

1815

"floatValue": 3.14, # float

1816

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1821

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

1822

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

1823

# output would be 'My phone number is '.

1824

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1825

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

1826

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

1827

# Note that for the purposes of inspection or transformation, the number

1828

# of bytes considered to comprise a 'Value' is based on its representation

1829

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1830

# 123456789, the number of bytes would be counted as 9, even though an

1831

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1832

"timestampValue": "A String", # timestamp

1833

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1834

# and time zone are either specified elsewhere or are not significant. The date

1835

# is relative to the Proleptic Gregorian Calendar. This can represent:

1836

#

1837

# * A full date, with non-zero year, month and day values

1838

# * A month and day value, with a zero year, e.g. an anniversary

1839

# * A year on its own, with zero month and day values

1840

# * A year and month value, with a zero day, e.g. a credit card expiration date

1841

#

1842

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1843

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1844

# a year.

1845

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1846

# month and day.

1847

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1848

# if specifying a year by itself or a year and month where the day is not

1849

# significant.

1850

},

1851

"stringValue": "A String", # string

1852

"integerValue": "A String", # integer

1853

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1854

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1855

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1856

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1857

# to allow the value "24:00:00" for scenarios like business closing time.

1858

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1859

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1860

# allow the value 60 if it allows leap-seconds.

1861

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1862

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1863

"booleanValue": True or False, # boolean

1864

"floatValue": 3.14, # float

1865

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1866

},

1867

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1868

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

1869

# Bucketing transformation can provide all of this functionality,

1870

# but requires more configuration. This message is provided as a convenience to

1871

# the user for simple bucketing strategies.

1872

#

1873

# The transformed value will be a hyphenated string of

1874

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

1875

# all values that are within this bucket will be replaced with "10-20".

1876

#

1877

# This can be used on data of type: double, long.

1878

#

1879

# If the bound Value type differs from the type of data

1880

# being transformed, we will first attempt converting the type of the data to

1881

# be transformed to match the type of the bound before comparing.

1882

#

1883

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1884

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

1885

# grouped together into a single bucket; for example if `upper_bound` = 89,

1886

# then all values greater than 89 are replaced with the value "89+".

1887

# Note that for the purposes of inspection or transformation, the number

1888

# of bytes considered to comprise a 'Value' is based on its representation

1889

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1890

# 123456789, the number of bytes would be counted as 9, even though an

1891

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1892

"timestampValue": "A String", # timestamp

1893

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1894

# and time zone are either specified elsewhere or are not significant. The date

1895

# is relative to the Proleptic Gregorian Calendar. This can represent:

1896

#

1897

# * A full date, with non-zero year, month and day values

1898

# * A month and day value, with a zero year, e.g. an anniversary

1899

# * A year on its own, with zero month and day values

1900

# * A year and month value, with a zero day, e.g. a credit card expiration date

1901

#

1902

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1903

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1904

# a year.

1905

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1906

# month and day.

1907

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1908

# if specifying a year by itself or a year and month where the day is not

1909

# significant.

1910

},

1911

"stringValue": "A String", # string

1912

"integerValue": "A String", # integer

1913

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1914

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1915

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1916

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1917

# to allow the value "24:00:00" for scenarios like business closing time.

1918

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1919

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1920

# allow the value 60 if it allows leap-seconds.

1921

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1922

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1923

"booleanValue": True or False, # boolean

1924

"floatValue": 3.14, # float

1925

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

1926

},

1927

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

1928

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

1929

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

1930

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

1931

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

1932

# grouped together into a single bucket; for example if `lower_bound` = 10,

1933

# then all values less than 10 are replaced with the value "-10".

1934

# Note that for the purposes of inspection or transformation, the number

1935

# of bytes considered to comprise a 'Value' is based on its representation

1936

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

1937

# 123456789, the number of bytes would be counted as 9, even though an

1938

# int64 only holds up to 8 bytes of data.

1939

"timestampValue": "A String", # timestamp

1940

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

1941

# and time zone are either specified elsewhere or are not significant. The date

1942

# is relative to the Proleptic Gregorian Calendar. This can represent:

1943

#

1944

# * A full date, with non-zero year, month and day values

1945

# * A month and day value, with a zero year, e.g. an anniversary

1946

# * A year on its own, with zero month and day values

1947

# * A year and month value, with a zero day, e.g. a credit card expiration date

1948

#

1949

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

1950

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

1951

# a year.

1952

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

1953

# month and day.

1954

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

1955

# if specifying a year by itself or a year and month where the day is not

1956

# significant.

1957

},

1958

"stringValue": "A String", # string

1959

"integerValue": "A String", # integer

1960

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

1961

# or are specified elsewhere. An API may choose to allow leap seconds. Related

1962

# types are google.type.Date and `google.protobuf.Timestamp`.

1963

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

1964

# to allow the value "24:00:00" for scenarios like business closing time.

1965

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

1966

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

1967

# allow the value 60 if it allows leap-seconds.

1968

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

1969

},

1970

"booleanValue": True or False, # boolean

1971

"floatValue": 3.14, # float

1972

"dayOfWeekValue": "A String", # day of week

1973

},

1974

},

1975

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

1976

# fixed character. Masking can start from the beginning or end of the string.

1977

# This can be used on data of any type (numbers, longs, and so on) and when

1978

# de-identifying structured data we'll attempt to preserve the original data's

1979

# type. (This allows you to take a long like 123 and modify it to a string like

1980

# **3.

1981

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

1982

# characters. For example, if the input string is `555-555-5555` and you

1983

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

1984

# returns `***-**5-5555`.

1985

{ # Characters to skip when doing deidentification of a value. These will be left

1986

# alone and skipped.

1987

"charactersToSkip": "A String", # Characters to not transform when masking.

1988

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

1993

# masked. Skipped characters do not count towards this tally.

1994

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

1995

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

1996

# code or credit card number. This string must have a length of 1. If not

1997

# supplied, this value defaults to `*` for strings, and `0` for digits.

1998

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

1999

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

2000

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

2001

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2002

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2003

},

2004

},

2005

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

2006

# given `RecordCondition`. The conditions are allowed to reference fields

2007

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

2012

# column for the same record is within a specific range.

2013

# - Redact a field if the date of birth field is greater than 85.

2014

# a field.

2015

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2016

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

2017

# only supported value is `AND`.

2018

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2019

"conditions": [ # A collection of conditions.

2020

{ # The field type of `value` and `field` do not need to match to be

2021

# considered equal, but not all comparisons are possible.

2022

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

2023

# but all other comparisons are invalid with incompatible types.

2024

# A `value` of type:

2025

#

2026

# - `string` can be compared against all other types

2027

# - `boolean` can only be compared against other booleans

2028

# - `integer` can be compared against doubles or a string if the string value

2029

# can be parsed as an integer.

2030

# - `double` can be compared against integers or a string if the string can

2031

# be parsed as a double.

2032

# - `Timestamp` can be compared against strings in RFC 3339 date string

2033

# format.

2034

# - `TimeOfDay` can be compared against timestamps and strings in the format

2035

# of 'HH:mm:ss'.

2036

#

2037

# If we fail to compare do to type mismatch, a warning will be given and

2038

# the condition will evaluate to false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2039

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

2040

# Note that for the purposes of inspection or transformation, the number

2041

# of bytes considered to comprise a 'Value' is based on its representation

2042

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2043

# 123456789, the number of bytes would be counted as 9, even though an

2044

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2045

"timestampValue": "A String", # timestamp

2046

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2047

# and time zone are either specified elsewhere or are not significant. The date

2048

# is relative to the Proleptic Gregorian Calendar. This can represent:

2049

#

2050

# * A full date, with non-zero year, month and day values

2051

# * A month and day value, with a zero year, e.g. an anniversary

2052

# * A year on its own, with zero month and day values

2053

# * A year and month value, with a zero day, e.g. a credit card expiration date

2054

#

2055

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2056

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2057

# a year.

2058

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2059

# month and day.

2060

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2061

# if specifying a year by itself or a year and month where the day is not

2062

# significant.

2063

},

2064

"stringValue": "A String", # string

2065

"integerValue": "A String", # integer

2066

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2067

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2068

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2069

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2070

# to allow the value "24:00:00" for scenarios like business closing time.

2071

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2072

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2073

# allow the value 60 if it allows leap-seconds.

2074

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2075

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2076

"booleanValue": True or False, # boolean

2077

"floatValue": 3.14, # float

2078

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2079

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2080

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2081

"name": "A String", # Name describing the field.

2082

},

2083

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

},

},

},

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2091

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

2092

# match any suppression rule are omitted from the output.

2093

{ # Configuration to suppress records whose suppression conditions evaluate to

2094

# true.

2095

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

2096

# evaluated to be suppressed from the transformed content.

2097

# a field.

2098

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

2099

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

2100

# only supported value is `AND`.

2101

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

2102

"conditions": [ # A collection of conditions.

2103

{ # The field type of `value` and `field` do not need to match to be

2104

# considered equal, but not all comparisons are possible.

2105

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

2106

# but all other comparisons are invalid with incompatible types.

2107

# A `value` of type:

2108

#

2109

# - `string` can be compared against all other types

2110

# - `boolean` can only be compared against other booleans

2111

# - `integer` can be compared against doubles or a string if the string value

2112

# can be parsed as an integer.

2113

# - `double` can be compared against integers or a string if the string can

2114

# be parsed as a double.

2115

# - `Timestamp` can be compared against strings in RFC 3339 date string

2116

# format.

2117

# - `TimeOfDay` can be compared against timestamps and strings in the format

2118

# of 'HH:mm:ss'.

2119

#

2120

# If we fail to compare do to type mismatch, a warning will be given and

2121

# the condition will evaluate to false.

2122

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

2123

# Note that for the purposes of inspection or transformation, the number

2124

# of bytes considered to comprise a 'Value' is based on its representation

2125

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2126

# 123456789, the number of bytes would be counted as 9, even though an

2127

# int64 only holds up to 8 bytes of data.

2128

"timestampValue": "A String", # timestamp

2129

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2130

# and time zone are either specified elsewhere or are not significant. The date

2131

# is relative to the Proleptic Gregorian Calendar. This can represent:

2132

#

2133

# * A full date, with non-zero year, month and day values

2134

# * A month and day value, with a zero year, e.g. an anniversary

2135

# * A year on its own, with zero month and day values

2136

# * A year and month value, with a zero day, e.g. a credit card expiration date

2137

#

2138

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2139

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2140

# a year.

2141

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2142

# month and day.

2143

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2144

# if specifying a year by itself or a year and month where the day is not

2145

# significant.

2146

},

2147

"stringValue": "A String", # string

2148

"integerValue": "A String", # integer

2149

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2150

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2151

# types are google.type.Date and `google.protobuf.Timestamp`.

2152

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2153

# to allow the value "24:00:00" for scenarios like business closing time.

2154

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2155

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2156

# allow the value 60 if it allows leap-seconds.

2157

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2158

},

2159

"booleanValue": True or False, # boolean

2160

"floatValue": 3.14, # float

2161

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2162

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2163

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

2164

"name": "A String", # Name describing the field.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2165

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2166

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2167

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2168

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2169

},

2170

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

},

},

"locationId": "A String", # The geographic location to store the deidentification template. Reserved

2178

# for future extensions.

2179

}

2180

2181

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

2188

2189

{ # DeidentifyTemplates contains instructions on how to de-identify content.

2190

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

2191

"name": "A String", # Output only. The template name.

2192

#

2193

# The template will have one of the following formats:

2194

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

2195

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

2196

"description": "A String", # Short description (max 256 chars).

2197

"displayName": "A String", # Display name (max 256 chars).

2198

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

2199

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

2200

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2201

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

2202

# transformation everywhere.

2203

# apply various `PrimitiveTransformation`s to each finding, where the

2204

# transformation is applied to only values that were identified as a specific

2205

# info_type.

2206

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

2207

# for a given infoType.

2208

{ # A transformation to apply to text that is identified as a specific

2209

# info_type.

2210

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2211

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2212

# portion of the value.

2213

"partToExtract": "A String", # The part of the time to keep.

2214

},

2215

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2216

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2217

# to learn more.

2218

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2219

# If set, must also set cryptoKey. If set, shift will be consistent for the

2220

# given context.

2221

"name": "A String", # Name describing the field.

2222

},

2223

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2224

# range (inclusive ends). Negative means shift to earlier in time. Must not

2225

# be more than 365250 days (1000 years) each direction.

2226

#

2227

# For example, 3 means shift date to at most 3 days into the future.

2228

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2229

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2230

# results in the same shift for the same context and crypto_key. If

2231

# set, must also set context. Can only be applied to table items.

2232

# a key encryption key (KEK) stored by KMS).

2233

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2234

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2235

# unwrap the data crypto key.

2236

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2237

# leaking the key. Choose another type of key if possible.

2238

"key": "A String", # Required. A 128/192/256 bit key.

2239

},

2240

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2241

# It will be discarded after the request finishes.

2242

"name": "A String", # Required. Name of the key.

2243

# This is an arbitrary string used to differentiate different keys.

2244

# A unique key is generated per name: two separate `TransientCryptoKey`

2245

# protos share the same generated key if their names are the same.

2246

# When the data crypto key is generated, this name is not used in any way

2247

# (repeating the api call will result in a different key being generated).

2248

},

2249

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2250

# The wrapped key must be a 128/192/256 bit key.

2251

# Authorization requires the following IAM permissions when sending a request

2252

# to perform a crypto transformation using a kms-wrapped crypto key:

2253

# dlp.kms.encrypt

2254

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2255

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2260

},

2261

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2262

# Uses SHA-256.

2263

# The key size must be either 32 or 64 bytes.

2264

# Outputs a base64 encoded representation of the hashed output

2265

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2266

# Currently, only string and integer values can be hashed.

2267

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2268

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2269

# a key encryption key (KEK) stored by KMS).

2270

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2271

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2272

# unwrap the data crypto key.

2273

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2274

# leaking the key. Choose another type of key if possible.

2275

"key": "A String", # Required. A 128/192/256 bit key.

2276

},

2277

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2278

# It will be discarded after the request finishes.

2279

"name": "A String", # Required. Name of the key.

2280

# This is an arbitrary string used to differentiate different keys.

2281

# A unique key is generated per name: two separate `TransientCryptoKey`

2282

# protos share the same generated key if their names are the same.

2283

# When the data crypto key is generated, this name is not used in any way

2284

# (repeating the api call will result in a different key being generated).

2285

},

2286

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2287

# The wrapped key must be a 128/192/256 bit key.

2288

# Authorization requires the following IAM permissions when sending a request

2289

# to perform a crypto transformation using a kms-wrapped crypto key:

2290

# dlp.kms.encrypt

2291

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2292

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2297

# (FPE) with the FFX mode of operation; however when used in the

2298

# `ReidentifyContent` API method, it serves the opposite function by reversing

2299

# the surrogate back into the original identifier. The identifier must be

2300

# encoded as ASCII. For a given crypto key and context, the same identifier

2301

# will be replaced with the same surrogate. Identifiers must be at least two

2302

# characters long. In the case that the identifier is the empty string, it will

2303

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2304

# more.

2305

#

2306

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2307

# do not require preserving the input alphabet space and size, plus warrant

2308

# referential integrity.

2309

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2310

# This annotation will be applied to the surrogate by prefixing it with

2311

# the name of the custom infoType followed by the number of

2312

# characters comprising the surrogate. The following scheme defines the

2313

# format: info_type_name(surrogate_character_count):surrogate

2314

#

2315

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2316

# the surrogate is 'abc', the full replacement value

2317

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2318

#

2319

# This annotation identifies the surrogate when inspecting content using the

2320

# custom infoType

2321

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2322

# This facilitates reversal of the surrogate when it occurs in free text.

2323

#

2324

# In order for inspection to work properly, the name of this infoType must

2325

# not occur naturally anywhere in your data; otherwise, inspection may

2326

# find a surrogate that does not correspond to an actual identifier.

2327

# Therefore, choose your custom infoType name carefully after considering

2328

# what your data looks like. One way to select a name that has a high chance

2329

# of yielding reliable detection is to include one or more unicode characters

2330

# that are highly improbable to exist in your data.

2331

# For example, assuming your data is entered from a regular ASCII keyboard,

2332

# the symbol with the hex code point 29DD might be used like so:

2333

# ⧝MY_TOKEN_TYPE

2334

"name": "A String", # Name of the information type. Either a name of your choosing when

2335

# creating a CustomInfoType, or one of the names listed

2336

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2337

# a built-in type. InfoType names should conform to the pattern

2338

# `[a-zA-Z0-9_]{1,64}`.

2339

},

2340

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2341

# identifier in two different contexts won't be given the same surrogate. If

2342

# the context is not set, a default tweak will be used.

2343

#

2344

# If the context is set but:

2345

#

2346

# 1. there is no record present when transforming a given value or

2347

# 1. the field is not present when transforming a given value,

2348

#

2349

# a default tweak will be used.

2350

#

2351

# Note that case (1) is expected when an `InfoTypeTransformation` is

2352

# applied to both structured and non-structured `ContentItem`s.

2353

# Currently, the referenced field may be of value type integer or string.

2354

#

2355

# The tweak is constructed as a sequence of bytes in big endian byte order

2356

# such that:

2357

#

2358

# - a 64 bit integer is encoded followed by a single byte of value 1

2359

# - a string is encoded in UTF-8 format followed by a single byte of value 2

2360

"name": "A String", # Name describing the field.

2361

},

2362

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

2363

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

2364

# a key encryption key (KEK) stored by KMS).

2365

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2366

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2367

# unwrap the data crypto key.

2368

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2369

# leaking the key. Choose another type of key if possible.

2370

"key": "A String", # Required. A 128/192/256 bit key.

2371

},

2372

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2373

# It will be discarded after the request finishes.

2374

"name": "A String", # Required. Name of the key.

2375

# This is an arbitrary string used to differentiate different keys.

2376

# A unique key is generated per name: two separate `TransientCryptoKey`

2377

# protos share the same generated key if their names are the same.

2378

# When the data crypto key is generated, this name is not used in any way

2379

# (repeating the api call will result in a different key being generated).

2380

},

2381

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2382

# The wrapped key must be a 128/192/256 bit key.

2383

# Authorization requires the following IAM permissions when sending a request

2384

# to perform a crypto transformation using a kms-wrapped crypto key:

2385

# dlp.kms.encrypt

2386

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2387

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2388

},

2389

},

2390

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

2391

# that the FFX mode natively supports. This happens before/after

2392

# encryption/decryption.

2393

# Each character listed must appear only once.

2394

# Number of characters must be in the range [2, 95].

2395

# This must be encoded as ASCII.

2396

# The order of characters does not matter.

2397

"commonAlphabet": "A String", # Common alphabets.

2398

},

2399

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

2400

# input. Outputs a base64 encoded representation of the encrypted output.

2401

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

2402

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

2403

# This annotation will be applied to the surrogate by prefixing it with

2404

# the name of the custom info type followed by the number of

2405

# characters comprising the surrogate. The following scheme defines the

2406

# format: {info type name}({surrogate character count}):{surrogate}

2407

#

2408

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

2409

# the surrogate is 'abc', the full replacement value

2410

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2411

#

2412

# This annotation identifies the surrogate when inspecting content using the

2413

# custom info type 'Surrogate'. This facilitates reversal of the

2414

# surrogate when it occurs in free text.

2415

#

2416

# Note: For record transformations where the entire cell in a table is being

2417

# transformed, surrogates are not mandatory. Surrogates are used to denote

2418

# the location of the token and are necessary for re-identification in free

2419

# form text.

2420

#

2421

# In order for inspection to work properly, the name of this info type must

2422

# not occur naturally anywhere in your data; otherwise, inspection may either

2423

#

2424

# - reverse a surrogate that does not correspond to an actual identifier

2425

# - be unable to parse the surrogate and result in an error

2426

#

2427

# Therefore, choose your custom info type name carefully after considering

2428

# what your data looks like. One way to select a name that has a high chance

2429

# of yielding reliable detection is to include one or more unicode characters

2430

# that are highly improbable to exist in your data.

2431

# For example, assuming your data is entered from a regular ASCII keyboard,

2432

# the symbol with the hex code point 29DD might be used like so:

2433

# ⧝MY_TOKEN_TYPE.

2434

"name": "A String", # Name of the information type. Either a name of your choosing when

2435

# creating a CustomInfoType, or one of the names listed

2436

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2437

# a built-in type. InfoType names should conform to the pattern

2438

# `[a-zA-Z0-9_]{1,64}`.

2439

},

2440

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

2441

# referential integrity such that the same identifier in two different

2442

# contexts will be given a distinct surrogate. The context is appended to

2443

# plaintext value being encrypted. On decryption the provided context is

2444

# validated against the value used during encryption. If a context was

2445

# provided during encryption, same context must be provided during decryption

2446

# as well.

2447

#

2448

# If the context is not set, plaintext would be used as is for encryption.

2449

# If the context is set but:

2450

#

2451

# 1. there is no record present when transforming a given value or

2452

# 2. the field is not present when transforming a given value,

2453

#

2454

# plaintext would be used as is for encryption.

2455

#

2456

# Note that case (1) is expected when an `InfoTypeTransformation` is

2457

# applied to both structured and non-structured `ContentItem`s.

2458

"name": "A String", # Name describing the field.

2459

},

2460

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

2461

# a key encryption key (KEK) stored by KMS).

2462

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2463

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2464

# unwrap the data crypto key.

2465

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2466

# leaking the key. Choose another type of key if possible.

2467

"key": "A String", # Required. A 128/192/256 bit key.

2468

},

2469

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2470

# It will be discarded after the request finishes.

2471

"name": "A String", # Required. Name of the key.

2472

# This is an arbitrary string used to differentiate different keys.

2473

# A unique key is generated per name: two separate `TransientCryptoKey`

2474

# protos share the same generated key if their names are the same.

2475

# When the data crypto key is generated, this name is not used in any way

2476

# (repeating the api call will result in a different key being generated).

2477

},

2478

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2479

# The wrapped key must be a 128/192/256 bit key.

2480

# Authorization requires the following IAM permissions when sending a request

2481

# to perform a crypto transformation using a kms-wrapped crypto key:

2482

# dlp.kms.encrypt

2483

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2484

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

2489

# replacement values are dynamically provided by the user for custom behavior,

2490

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

2491

# This can be used on

2492

# data of type: number, long, string, timestamp.

2493

# If the bound `Value` type differs from the type of data being transformed, we

2494

# will first attempt converting the type of the data to be transformed to match

2495

# the type of the bound before comparing.

2496

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2497

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

2498

{ # Bucket is represented as a range, along with replacement values.

2499

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

2500

# the default behavior will be to hyphenate the min-max range.

2501

# Note that for the purposes of inspection or transformation, the number

2502

# of bytes considered to comprise a 'Value' is based on its representation

2503

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2504

# 123456789, the number of bytes would be counted as 9, even though an

2505

# int64 only holds up to 8 bytes of data.

2506

"timestampValue": "A String", # timestamp

2507

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2508

# and time zone are either specified elsewhere or are not significant. The date

2509

# is relative to the Proleptic Gregorian Calendar. This can represent:

2510

#

2511

# * A full date, with non-zero year, month and day values

2512

# * A month and day value, with a zero year, e.g. an anniversary

2513

# * A year on its own, with zero month and day values

2514

# * A year and month value, with a zero day, e.g. a credit card expiration date

2515

#

2516

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2517

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2518

# a year.

2519

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2520

# month and day.

2521

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2522

# if specifying a year by itself or a year and month where the day is not

2523

# significant.

2524

},

2525

"stringValue": "A String", # string

2526

"integerValue": "A String", # integer

2527

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2528

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2529

# types are google.type.Date and `google.protobuf.Timestamp`.

2530

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2531

# to allow the value "24:00:00" for scenarios like business closing time.

2532

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2533

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2534

# allow the value 60 if it allows leap-seconds.

2535

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2536

},

2537

"booleanValue": True or False, # boolean

2538

"floatValue": 3.14, # float

2539

"dayOfWeekValue": "A String", # day of week

2540

},

2541

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

2542

# used.

2543

# Note that for the purposes of inspection or transformation, the number

2544

# of bytes considered to comprise a 'Value' is based on its representation

2545

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2546

# 123456789, the number of bytes would be counted as 9, even though an

2547

# int64 only holds up to 8 bytes of data.

2548

"timestampValue": "A String", # timestamp

2549

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2550

# and time zone are either specified elsewhere or are not significant. The date

2551

# is relative to the Proleptic Gregorian Calendar. This can represent:

2552

#

2553

# * A full date, with non-zero year, month and day values

2554

# * A month and day value, with a zero year, e.g. an anniversary

2555

# * A year on its own, with zero month and day values

2556

# * A year and month value, with a zero day, e.g. a credit card expiration date

2557

#

2558

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2559

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2560

# a year.

2561

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2562

# month and day.

2563

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2564

# if specifying a year by itself or a year and month where the day is not

2565

# significant.

2566

},

2567

"stringValue": "A String", # string

2568

"integerValue": "A String", # integer

2569

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2570

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2571

# types are google.type.Date and `google.protobuf.Timestamp`.

2572

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2573

# to allow the value "24:00:00" for scenarios like business closing time.

2574

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2575

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2576

# allow the value 60 if it allows leap-seconds.

2577

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2578

},

2579

"booleanValue": True or False, # boolean

2580

"floatValue": 3.14, # float

2581

"dayOfWeekValue": "A String", # day of week

2582

},

2583

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

2584

# Note that for the purposes of inspection or transformation, the number

2585

# of bytes considered to comprise a 'Value' is based on its representation

2586

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2587

# 123456789, the number of bytes would be counted as 9, even though an

2588

# int64 only holds up to 8 bytes of data.

2589

"timestampValue": "A String", # timestamp

2590

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2591

# and time zone are either specified elsewhere or are not significant. The date

2592

# is relative to the Proleptic Gregorian Calendar. This can represent:

2593

#

2594

# * A full date, with non-zero year, month and day values

2595

# * A month and day value, with a zero year, e.g. an anniversary

2596

# * A year on its own, with zero month and day values

2597

# * A year and month value, with a zero day, e.g. a credit card expiration date

2598

#

2599

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2600

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2601

# a year.

2602

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2603

# month and day.

2604

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2605

# if specifying a year by itself or a year and month where the day is not

2606

# significant.

2607

},

2608

"stringValue": "A String", # string

2609

"integerValue": "A String", # integer

2610

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2611

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2612

# types are google.type.Date and `google.protobuf.Timestamp`.

2613

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2614

# to allow the value "24:00:00" for scenarios like business closing time.

2615

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2616

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2617

# allow the value 60 if it allows leap-seconds.

2618

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2619

},

2620

"booleanValue": True or False, # boolean

2621

"floatValue": 3.14, # float

2622

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

2628

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

2629

# output would be 'My phone number is '.

2630

},

2631

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

2632

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

2633

# Note that for the purposes of inspection or transformation, the number

2634

# of bytes considered to comprise a 'Value' is based on its representation

2635

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2636

# 123456789, the number of bytes would be counted as 9, even though an

2637

# int64 only holds up to 8 bytes of data.

2638

"timestampValue": "A String", # timestamp

2639

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2640

# and time zone are either specified elsewhere or are not significant. The date

2641

# is relative to the Proleptic Gregorian Calendar. This can represent:

2642

#

2643

# * A full date, with non-zero year, month and day values

2644

# * A month and day value, with a zero year, e.g. an anniversary

2645

# * A year on its own, with zero month and day values

2646

# * A year and month value, with a zero day, e.g. a credit card expiration date

2647

#

2648

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2649

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2650

# a year.

2651

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2652

# month and day.

2653

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2654

# if specifying a year by itself or a year and month where the day is not

2655

# significant.

2656

},

2657

"stringValue": "A String", # string

2658

"integerValue": "A String", # integer

2659

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2660

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2661

# types are google.type.Date and `google.protobuf.Timestamp`.

2662

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2663

# to allow the value "24:00:00" for scenarios like business closing time.

2664

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2665

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2666

# allow the value 60 if it allows leap-seconds.

2667

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2668

},

2669

"booleanValue": True or False, # boolean

2670

"floatValue": 3.14, # float

2671

"dayOfWeekValue": "A String", # day of week

2672

},

2673

},

2674

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

2675

# Bucketing transformation can provide all of this functionality,

2676

# but requires more configuration. This message is provided as a convenience to

2677

# the user for simple bucketing strategies.

2678

#

2679

# The transformed value will be a hyphenated string of

2680

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

2681

# all values that are within this bucket will be replaced with "10-20".

2682

#

2683

# This can be used on data of type: double, long.

2684

#

2685

# If the bound Value type differs from the type of data

2686

# being transformed, we will first attempt converting the type of the data to

2687

# be transformed to match the type of the bound before comparing.

2688

#

2689

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

2690

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

2691

# grouped together into a single bucket; for example if `upper_bound` = 89,

2692

# then all values greater than 89 are replaced with the value "89+".

2693

# Note that for the purposes of inspection or transformation, the number

2694

# of bytes considered to comprise a 'Value' is based on its representation

2695

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2696

# 123456789, the number of bytes would be counted as 9, even though an

2697

# int64 only holds up to 8 bytes of data.

2698

"timestampValue": "A String", # timestamp

2699

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2700

# and time zone are either specified elsewhere or are not significant. The date

2701

# is relative to the Proleptic Gregorian Calendar. This can represent:

2702

#

2703

# * A full date, with non-zero year, month and day values

2704

# * A month and day value, with a zero year, e.g. an anniversary

2705

# * A year on its own, with zero month and day values

2706

# * A year and month value, with a zero day, e.g. a credit card expiration date

2707

#

2708

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2709

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2710

# a year.

2711

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2712

# month and day.

2713

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2714

# if specifying a year by itself or a year and month where the day is not

2715

# significant.

2716

},

2717

"stringValue": "A String", # string

2718

"integerValue": "A String", # integer

2719

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2720

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2721

# types are google.type.Date and `google.protobuf.Timestamp`.

2722

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2723

# to allow the value "24:00:00" for scenarios like business closing time.

2724

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2725

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2726

# allow the value 60 if it allows leap-seconds.

2727

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2728

},

2729

"booleanValue": True or False, # boolean

2730

"floatValue": 3.14, # float

2731

"dayOfWeekValue": "A String", # day of week

2732

},

2733

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

2734

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

2735

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

2736

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

2737

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

2738

# grouped together into a single bucket; for example if `lower_bound` = 10,

2739

# then all values less than 10 are replaced with the value "-10".

2740

# Note that for the purposes of inspection or transformation, the number

2741

# of bytes considered to comprise a 'Value' is based on its representation

2742

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

2743

# 123456789, the number of bytes would be counted as 9, even though an

2744

# int64 only holds up to 8 bytes of data.

2745

"timestampValue": "A String", # timestamp

2746

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

2747

# and time zone are either specified elsewhere or are not significant. The date

2748

# is relative to the Proleptic Gregorian Calendar. This can represent:

2749

#

2750

# * A full date, with non-zero year, month and day values

2751

# * A month and day value, with a zero year, e.g. an anniversary

2752

# * A year on its own, with zero month and day values

2753

# * A year and month value, with a zero day, e.g. a credit card expiration date

2754

#

2755

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

2756

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

2757

# a year.

2758

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

2759

# month and day.

2760

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

2761

# if specifying a year by itself or a year and month where the day is not

2762

# significant.

2763

},

2764

"stringValue": "A String", # string

2765

"integerValue": "A String", # integer

2766

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

2767

# or are specified elsewhere. An API may choose to allow leap seconds. Related

2768

# types are google.type.Date and `google.protobuf.Timestamp`.

2769

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

2770

# to allow the value "24:00:00" for scenarios like business closing time.

2771

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

2772

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

2773

# allow the value 60 if it allows leap-seconds.

2774

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

2775

},

2776

"booleanValue": True or False, # boolean

2777

"floatValue": 3.14, # float

2778

"dayOfWeekValue": "A String", # day of week

2779

},

2780

},

2781

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

2782

# fixed character. Masking can start from the beginning or end of the string.

2783

# This can be used on data of any type (numbers, longs, and so on) and when

2784

# de-identifying structured data we'll attempt to preserve the original data's

2785

# type. (This allows you to take a long like 123 and modify it to a string like

2786

# **3.

2787

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

2788

# characters. For example, if the input string is `555-555-5555` and you

2789

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

2790

# returns `***-**5-5555`.

2791

{ # Characters to skip when doing deidentification of a value. These will be left

2792

# alone and skipped.

2793

"charactersToSkip": "A String", # Characters to not transform when masking.

2794

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

2799

# masked. Skipped characters do not count towards this tally.

2800

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

2801

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

2802

# code or credit card number. This string must have a length of 1. If not

2803

# supplied, this value defaults to `*` for strings, and `0` for digits.

2804

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

2805

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

2806

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

2807

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

2808

# is `true`, then the string `12345` is masked as `12***`.

2809

},

2810

},

2811

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

2812

# this transformation to apply to all findings that correspond to

2813

# infoTypes that were requested in `InspectConfig`.

2814

{ # Type of information detected by the API.

2815

"name": "A String", # Name of the information type. Either a name of your choosing when

2816

# creating a CustomInfoType, or one of the names listed

2817

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2818

# a built-in type. InfoType names should conform to the pattern

2819

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2825

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

2826

# mode is `TransformationErrorHandling.ThrowError`.

2827

# transformation error occurs when the requested transformation is incompatible

2828

# with the data. For example, trying to de-identify an IP address using a

2829

# `DateShift` transformation would result in a transformation error, since date

2830

# info cannot be extracted from an IP address.

2831

# Information about any incompatible transformations, and how they were

2832

# handled, is returned in the response as part of the

2833

# `TransformationOverviews`.

2834

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

2835

},

2836

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

2837

# cause an error. For example, if a `DateShift` transformation were applied

2838

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

2843

# specific locations within structured datasets, such as transforming

2844

# a column within a table.

2845

# table.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2846

"fieldTransformations": [ # Transform the record by applying various field transformations.

2847

{ # The transformation to apply to the field.

2848

"fields": [ # Required. Input field(s) to apply the transformation to.

2849

{ # General identifier of a data field in a storage service.

2850

"name": "A String", # Name describing the field.

2851

},

2852

],

2853

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

2854

# transform content that matches an `InfoType`.

2855

# apply various `PrimitiveTransformation`s to each finding, where the

2856

# transformation is applied to only values that were identified as a specific

2857

# info_type.

2858

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

2859

# for a given infoType.

2860

{ # A transformation to apply to text that is identified as a specific

2861

# info_type.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2862

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

2863

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

2864

# portion of the value.

2865

"partToExtract": "A String", # The part of the time to keep.

2866

},

2867

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

2868

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

2869

# to learn more.

2870

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

2871

# If set, must also set cryptoKey. If set, shift will be consistent for the

2872

# given context.

2873

"name": "A String", # Name describing the field.

2874

},

2875

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

2876

# range (inclusive ends). Negative means shift to earlier in time. Must not

2877

# be more than 365250 days (1000 years) each direction.

2878

#

2879

# For example, 3 means shift date to at most 3 days into the future.

2880

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

2881

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

2882

# results in the same shift for the same context and crypto_key. If

2883

# set, must also set context. Can only be applied to table items.

2884

# a key encryption key (KEK) stored by KMS).

2885

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2886

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2887

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2888

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2889

# leaking the key. Choose another type of key if possible.

2890

"key": "A String", # Required. A 128/192/256 bit key.

2891

},

2892

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2893

# It will be discarded after the request finishes.

2894

"name": "A String", # Required. Name of the key.

2895

# This is an arbitrary string used to differentiate different keys.

2896

# A unique key is generated per name: two separate `TransientCryptoKey`

2897

# protos share the same generated key if their names are the same.

2898

# When the data crypto key is generated, this name is not used in any way

2899

# (repeating the api call will result in a different key being generated).

2900

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2901

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2902

# The wrapped key must be a 128/192/256 bit key.

2903

# Authorization requires the following IAM permissions when sending a request

2904

# to perform a crypto transformation using a kms-wrapped crypto key:

2905

# dlp.kms.encrypt

2906

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2907

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2908

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2909

},

2910

},

2911

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

2912

},

2913

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

2914

# Uses SHA-256.

2915

# The key size must be either 32 or 64 bytes.

2916

# Outputs a base64 encoded representation of the hashed output

2917

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

2918

# Currently, only string and integer values can be hashed.

2919

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

2920

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

2921

# a key encryption key (KEK) stored by KMS).

2922

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

2923

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

2924

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2925

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

2926

# leaking the key. Choose another type of key if possible.

2927

"key": "A String", # Required. A 128/192/256 bit key.

2928

},

2929

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

2930

# It will be discarded after the request finishes.

2931

"name": "A String", # Required. Name of the key.

2932

# This is an arbitrary string used to differentiate different keys.

2933

# A unique key is generated per name: two separate `TransientCryptoKey`

2934

# protos share the same generated key if their names are the same.

2935

# When the data crypto key is generated, this name is not used in any way

2936

# (repeating the api call will result in a different key being generated).

2937

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

2938

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

2939

# The wrapped key must be a 128/192/256 bit key.

2940

# Authorization requires the following IAM permissions when sending a request

2941

# to perform a crypto transformation using a kms-wrapped crypto key:

2942

# dlp.kms.encrypt

2943

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

2944

"wrappedKey": "A String", # Required. The wrapped data crypto key.

2945

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2946

},

2947

},

2948

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

2949

# (FPE) with the FFX mode of operation; however when used in the

2950

# `ReidentifyContent` API method, it serves the opposite function by reversing

2951

# the surrogate back into the original identifier. The identifier must be

2952

# encoded as ASCII. For a given crypto key and context, the same identifier

2953

# will be replaced with the same surrogate. Identifiers must be at least two

2954

# characters long. In the case that the identifier is the empty string, it will

2955

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

2956

# more.

2957

#

2958

# Note: We recommend using CryptoDeterministicConfig for all use cases which

2959

# do not require preserving the input alphabet space and size, plus warrant

2960

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

2961

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

2962

# This annotation will be applied to the surrogate by prefixing it with

2963

# the name of the custom infoType followed by the number of

2964

# characters comprising the surrogate. The following scheme defines the

2965

# format: info_type_name(surrogate_character_count):surrogate

2966

#

2967

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

2968

# the surrogate is 'abc', the full replacement value

2969

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

2970

#

2971

# This annotation identifies the surrogate when inspecting content using the

2972

# custom infoType

2973

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

2974

# This facilitates reversal of the surrogate when it occurs in free text.

2975

#

2976

# In order for inspection to work properly, the name of this infoType must

2977

# not occur naturally anywhere in your data; otherwise, inspection may

2978

# find a surrogate that does not correspond to an actual identifier.

2979

# Therefore, choose your custom infoType name carefully after considering

2980

# what your data looks like. One way to select a name that has a high chance

2981

# of yielding reliable detection is to include one or more unicode characters

2982

# that are highly improbable to exist in your data.

2983

# For example, assuming your data is entered from a regular ASCII keyboard,

2984

# the symbol with the hex code point 29DD might be used like so:

2985

# ⧝MY_TOKEN_TYPE

2986

"name": "A String", # Name of the information type. Either a name of your choosing when

2987

# creating a CustomInfoType, or one of the names listed

2988

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

2989

# a built-in type. InfoType names should conform to the pattern

2990

# `[a-zA-Z0-9_]{1,64}`.

2991

},

2992

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

2993

# identifier in two different contexts won't be given the same surrogate. If

2994

# the context is not set, a default tweak will be used.

2995

#

2996

# If the context is set but:

2997

#

2998

# 1. there is no record present when transforming a given value or

2999

# 1. the field is not present when transforming a given value,

3000

#

3001

# a default tweak will be used.

3002

#

3003

# Note that case (1) is expected when an `InfoTypeTransformation` is

3004

# applied to both structured and non-structured `ContentItem`s.

3005

# Currently, the referenced field may be of value type integer or string.

3006

#

3007

# The tweak is constructed as a sequence of bytes in big endian byte order

3008

# such that:

3009

#

3010

# - a 64 bit integer is encoded followed by a single byte of value 1

3011

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3012

"name": "A String", # Name describing the field.

3013

},

3014

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3015

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3016

# a key encryption key (KEK) stored by KMS).

3017

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3018

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3019

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3020

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3021

# leaking the key. Choose another type of key if possible.

3022

"key": "A String", # Required. A 128/192/256 bit key.

3023

},

3024

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3025

# It will be discarded after the request finishes.

3026

"name": "A String", # Required. Name of the key.

3027

# This is an arbitrary string used to differentiate different keys.

3028

# A unique key is generated per name: two separate `TransientCryptoKey`

3029

# protos share the same generated key if their names are the same.

3030

# When the data crypto key is generated, this name is not used in any way

3031

# (repeating the api call will result in a different key being generated).

3032

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3033

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3034

# The wrapped key must be a 128/192/256 bit key.

3035

# Authorization requires the following IAM permissions when sending a request

3036

# to perform a crypto transformation using a kms-wrapped crypto key:

3037

# dlp.kms.encrypt

3038

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3039

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3040

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3041

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3042

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3043

# that the FFX mode natively supports. This happens before/after

3044

# encryption/decryption.

3045

# Each character listed must appear only once.

3046

# Number of characters must be in the range [2, 95].

3047

# This must be encoded as ASCII.

3048

# The order of characters does not matter.

3049

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3050

},

3051

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3052

# input. Outputs a base64 encoded representation of the encrypted output.

3053

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3054

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

3055

# This annotation will be applied to the surrogate by prefixing it with

3056

# the name of the custom info type followed by the number of

3057

# characters comprising the surrogate. The following scheme defines the

3058

# format: {info type name}({surrogate character count}):{surrogate}

3059

#

3060

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3061

# the surrogate is 'abc', the full replacement value

3062

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3063

#

3064

# This annotation identifies the surrogate when inspecting content using the

3065

# custom info type 'Surrogate'. This facilitates reversal of the

3066

# surrogate when it occurs in free text.

3067

#

3068

# Note: For record transformations where the entire cell in a table is being

3069

# transformed, surrogates are not mandatory. Surrogates are used to denote

3070

# the location of the token and are necessary for re-identification in free

3071

# form text.

3072

#

3073

# In order for inspection to work properly, the name of this info type must

3074

# not occur naturally anywhere in your data; otherwise, inspection may either

3075

#

3076

# - reverse a surrogate that does not correspond to an actual identifier

3077

# - be unable to parse the surrogate and result in an error

3078

#

3079

# Therefore, choose your custom info type name carefully after considering

3080

# what your data looks like. One way to select a name that has a high chance

3081

# of yielding reliable detection is to include one or more unicode characters

3082

# that are highly improbable to exist in your data.

3083

# For example, assuming your data is entered from a regular ASCII keyboard,

3084

# the symbol with the hex code point 29DD might be used like so:

3085

# ⧝MY_TOKEN_TYPE.

3086

"name": "A String", # Name of the information type. Either a name of your choosing when

3087

# creating a CustomInfoType, or one of the names listed

3088

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3089

# a built-in type. InfoType names should conform to the pattern

3090

# `[a-zA-Z0-9_]{1,64}`.

3091

},

3092

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3093

# referential integrity such that the same identifier in two different

3094

# contexts will be given a distinct surrogate. The context is appended to

3095

# plaintext value being encrypted. On decryption the provided context is

3096

# validated against the value used during encryption. If a context was

3097

# provided during encryption, same context must be provided during decryption

3098

# as well.

3099

#

3100

# If the context is not set, plaintext would be used as is for encryption.

3101

# If the context is set but:

3102

#

3103

# 1. there is no record present when transforming a given value or

3104

# 2. the field is not present when transforming a given value,

3105

#

3106

# plaintext would be used as is for encryption.

3107

#

3108

# Note that case (1) is expected when an `InfoTypeTransformation` is

3109

# applied to both structured and non-structured `ContentItem`s.

3110

"name": "A String", # Name describing the field.

3111

},

3112

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3113

# a key encryption key (KEK) stored by KMS).

3114

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3115

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3116

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3117

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3118

# leaking the key. Choose another type of key if possible.

3119

"key": "A String", # Required. A 128/192/256 bit key.

3120

},

3121

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3122

# It will be discarded after the request finishes.

3123

"name": "A String", # Required. Name of the key.

3124

# This is an arbitrary string used to differentiate different keys.

3125

# A unique key is generated per name: two separate `TransientCryptoKey`

3126

# protos share the same generated key if their names are the same.

3127

# When the data crypto key is generated, this name is not used in any way

3128

# (repeating the api call will result in a different key being generated).

3129

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3130

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3131

# The wrapped key must be a 128/192/256 bit key.

3132

# Authorization requires the following IAM permissions when sending a request

3133

# to perform a crypto transformation using a kms-wrapped crypto key:

3134

# dlp.kms.encrypt

3135

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3136

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3137

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3138

},

3139

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3140

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

3141

# replacement values are dynamically provided by the user for custom behavior,

3142

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3143

# This can be used on

3144

# data of type: number, long, string, timestamp.

3145

# If the bound `Value` type differs from the type of data being transformed, we

3146

# will first attempt converting the type of the data to be transformed to match

3147

# the type of the bound before comparing.

3148

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3149

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3150

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3151

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3152

# the default behavior will be to hyphenate the min-max range.

3153

# Note that for the purposes of inspection or transformation, the number

3154

# of bytes considered to comprise a 'Value' is based on its representation

3155

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3156

# 123456789, the number of bytes would be counted as 9, even though an

3157

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3158

"timestampValue": "A String", # timestamp

3159

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3160

# and time zone are either specified elsewhere or are not significant. The date

3161

# is relative to the Proleptic Gregorian Calendar. This can represent:

3162

#

3163

# * A full date, with non-zero year, month and day values

3164

# * A month and day value, with a zero year, e.g. an anniversary

3165

# * A year on its own, with zero month and day values

3166

# * A year and month value, with a zero day, e.g. a credit card expiration date

3167

#

3168

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3169

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3170

# a year.

3171

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3172

# month and day.

3173

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3174

# if specifying a year by itself or a year and month where the day is not

3175

# significant.

3176

},

3177

"stringValue": "A String", # string

3178

"integerValue": "A String", # integer

3179

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3180

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3181

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3182

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3183

# to allow the value "24:00:00" for scenarios like business closing time.

3184

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3185

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3186

# allow the value 60 if it allows leap-seconds.

3187

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3188

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3189

"booleanValue": True or False, # boolean

3190

"floatValue": 3.14, # float

3191

"dayOfWeekValue": "A String", # day of week

3192

},

3193

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3194

# used.

3195

# Note that for the purposes of inspection or transformation, the number

3196

# of bytes considered to comprise a 'Value' is based on its representation

3197

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3198

# 123456789, the number of bytes would be counted as 9, even though an

3199

# int64 only holds up to 8 bytes of data.

3200

"timestampValue": "A String", # timestamp

3201

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3202

# and time zone are either specified elsewhere or are not significant. The date

3203

# is relative to the Proleptic Gregorian Calendar. This can represent:

3204

#

3205

# * A full date, with non-zero year, month and day values

3206

# * A month and day value, with a zero year, e.g. an anniversary

3207

# * A year on its own, with zero month and day values

3208

# * A year and month value, with a zero day, e.g. a credit card expiration date

3209

#

3210

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3211

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3212

# a year.

3213

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3214

# month and day.

3215

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3216

# if specifying a year by itself or a year and month where the day is not

3217

# significant.

3218

},

3219

"stringValue": "A String", # string

3220

"integerValue": "A String", # integer

3221

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3222

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3223

# types are google.type.Date and `google.protobuf.Timestamp`.

3224

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3225

# to allow the value "24:00:00" for scenarios like business closing time.

3226

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3227

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3228

# allow the value 60 if it allows leap-seconds.

3229

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3230

},

3231

"booleanValue": True or False, # boolean

3232

"floatValue": 3.14, # float

3233

"dayOfWeekValue": "A String", # day of week

3234

},

3235

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3236

# Note that for the purposes of inspection or transformation, the number

3237

# of bytes considered to comprise a 'Value' is based on its representation

3238

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3239

# 123456789, the number of bytes would be counted as 9, even though an

3240

# int64 only holds up to 8 bytes of data.

3241

"timestampValue": "A String", # timestamp

3242

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3243

# and time zone are either specified elsewhere or are not significant. The date

3244

# is relative to the Proleptic Gregorian Calendar. This can represent:

3245

#

3246

# * A full date, with non-zero year, month and day values

3247

# * A month and day value, with a zero year, e.g. an anniversary

3248

# * A year on its own, with zero month and day values

3249

# * A year and month value, with a zero day, e.g. a credit card expiration date

3250

#

3251

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3252

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3253

# a year.

3254

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3255

# month and day.

3256

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3257

# if specifying a year by itself or a year and month where the day is not

3258

# significant.

3259

},

3260

"stringValue": "A String", # string

3261

"integerValue": "A String", # integer

3262

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3263

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3264

# types are google.type.Date and `google.protobuf.Timestamp`.

3265

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3266

# to allow the value "24:00:00" for scenarios like business closing time.

3267

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3268

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3269

# allow the value 60 if it allows leap-seconds.

3270

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3271

},

3272

"booleanValue": True or False, # boolean

3273

"floatValue": 3.14, # float

3274

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3279

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3280

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3281

# output would be 'My phone number is '.

3282

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3283

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3284

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

3285

# Note that for the purposes of inspection or transformation, the number

3286

# of bytes considered to comprise a 'Value' is based on its representation

3287

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3288

# 123456789, the number of bytes would be counted as 9, even though an

3289

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3290

"timestampValue": "A String", # timestamp

3291

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3292

# and time zone are either specified elsewhere or are not significant. The date

3293

# is relative to the Proleptic Gregorian Calendar. This can represent:

3294

#

3295

# * A full date, with non-zero year, month and day values

3296

# * A month and day value, with a zero year, e.g. an anniversary

3297

# * A year on its own, with zero month and day values

3298

# * A year and month value, with a zero day, e.g. a credit card expiration date

3299

#

3300

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3301

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3302

# a year.

3303

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3304

# month and day.

3305

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3306

# if specifying a year by itself or a year and month where the day is not

3307

# significant.

3308

},

3309

"stringValue": "A String", # string

3310

"integerValue": "A String", # integer

3311

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3312

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3313

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3314

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3315

# to allow the value "24:00:00" for scenarios like business closing time.

3316

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3317

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3318

# allow the value 60 if it allows leap-seconds.

3319

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3320

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3321

"booleanValue": True or False, # boolean

3322

"floatValue": 3.14, # float

3323

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3324

},

3325

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3326

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3327

# Bucketing transformation can provide all of this functionality,

3328

# but requires more configuration. This message is provided as a convenience to

3329

# the user for simple bucketing strategies.

3330

#

3331

# The transformed value will be a hyphenated string of

3332

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3333

# all values that are within this bucket will be replaced with "10-20".

3334

#

3335

# This can be used on data of type: double, long.

3336

#

3337

# If the bound Value type differs from the type of data

3338

# being transformed, we will first attempt converting the type of the data to

3339

# be transformed to match the type of the bound before comparing.

3340

#

3341

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3342

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3343

# grouped together into a single bucket; for example if `upper_bound` = 89,

3344

# then all values greater than 89 are replaced with the value "89+".

3345

# Note that for the purposes of inspection or transformation, the number

3346

# of bytes considered to comprise a 'Value' is based on its representation

3347

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3348

# 123456789, the number of bytes would be counted as 9, even though an

3349

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3350

"timestampValue": "A String", # timestamp

3351

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3352

# and time zone are either specified elsewhere or are not significant. The date

3353

# is relative to the Proleptic Gregorian Calendar. This can represent:

3354

#

3355

# * A full date, with non-zero year, month and day values

3356

# * A month and day value, with a zero year, e.g. an anniversary

3357

# * A year on its own, with zero month and day values

3358

# * A year and month value, with a zero day, e.g. a credit card expiration date

3359

#

3360

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3361

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3362

# a year.

3363

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3364

# month and day.

3365

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3366

# if specifying a year by itself or a year and month where the day is not

3367

# significant.

3368

},

3369

"stringValue": "A String", # string

3370

"integerValue": "A String", # integer

3371

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3372

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3373

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3374

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3375

# to allow the value "24:00:00" for scenarios like business closing time.

3376

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3377

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3378

# allow the value 60 if it allows leap-seconds.

3379

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3380

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3381

"booleanValue": True or False, # boolean

3382

"floatValue": 3.14, # float

3383

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3384

},

3385

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

3386

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

3387

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

3388

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3389

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

3390

# grouped together into a single bucket; for example if `lower_bound` = 10,

3391

# then all values less than 10 are replaced with the value "-10".

3392

# Note that for the purposes of inspection or transformation, the number

3393

# of bytes considered to comprise a 'Value' is based on its representation

3394

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3395

# 123456789, the number of bytes would be counted as 9, even though an

3396

# int64 only holds up to 8 bytes of data.

3397

"timestampValue": "A String", # timestamp

3398

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3399

# and time zone are either specified elsewhere or are not significant. The date

3400

# is relative to the Proleptic Gregorian Calendar. This can represent:

3401

#

3402

# * A full date, with non-zero year, month and day values

3403

# * A month and day value, with a zero year, e.g. an anniversary

3404

# * A year on its own, with zero month and day values

3405

# * A year and month value, with a zero day, e.g. a credit card expiration date

3406

#

3407

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3408

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3409

# a year.

3410

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3411

# month and day.

3412

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3413

# if specifying a year by itself or a year and month where the day is not

3414

# significant.

3415

},

3416

"stringValue": "A String", # string

3417

"integerValue": "A String", # integer

3418

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3419

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3420

# types are google.type.Date and `google.protobuf.Timestamp`.

3421

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3422

# to allow the value "24:00:00" for scenarios like business closing time.

3423

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3424

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3425

# allow the value 60 if it allows leap-seconds.

3426

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3427

},

3428

"booleanValue": True or False, # boolean

3429

"floatValue": 3.14, # float

3430

"dayOfWeekValue": "A String", # day of week

3431

},

3432

},

3433

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

3434

# fixed character. Masking can start from the beginning or end of the string.

3435

# This can be used on data of any type (numbers, longs, and so on) and when

3436

# de-identifying structured data we'll attempt to preserve the original data's

3437

# type. (This allows you to take a long like 123 and modify it to a string like

3438

# **3.

3439

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

3440

# characters. For example, if the input string is `555-555-5555` and you

3441

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

3442

# returns `***-**5-5555`.

3443

{ # Characters to skip when doing deidentification of a value. These will be left

3444

# alone and skipped.

3445

"charactersToSkip": "A String", # Characters to not transform when masking.

3446

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

3451

# masked. Skipped characters do not count towards this tally.

3452

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

3453

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

3454

# code or credit card number. This string must have a length of 1. If not

3455

# supplied, this value defaults to `*` for strings, and `0` for digits.

3456

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

3457

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

3458

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

3459

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

3460

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3461

},

3462

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3463

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

3464

# this transformation to apply to all findings that correspond to

3465

# infoTypes that were requested in `InspectConfig`.

3466

{ # Type of information detected by the API.

3467

"name": "A String", # Name of the information type. Either a name of your choosing when

3468

# creating a CustomInfoType, or one of the names listed

3469

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3470

# a built-in type. InfoType names should conform to the pattern

3471

# `[a-zA-Z0-9_]{1,64}`.

3472

},

3473

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

3478

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

3479

# portion of the value.

3480

"partToExtract": "A String", # The part of the time to keep.

3481

},

3482

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

3483

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

3484

# to learn more.

3485

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

3486

# If set, must also set cryptoKey. If set, shift will be consistent for the

3487

# given context.

3488

"name": "A String", # Name describing the field.

3489

},

3490

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

3491

# range (inclusive ends). Negative means shift to earlier in time. Must not

3492

# be more than 365250 days (1000 years) each direction.

3493

#

3494

# For example, 3 means shift date to at most 3 days into the future.

3495

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

3496

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

3497

# results in the same shift for the same context and crypto_key. If

3498

# set, must also set context. Can only be applied to table items.

3499

# a key encryption key (KEK) stored by KMS).

3500

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3501

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3502

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3503

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3504

# leaking the key. Choose another type of key if possible.

3505

"key": "A String", # Required. A 128/192/256 bit key.

3506

},

3507

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3508

# It will be discarded after the request finishes.

3509

"name": "A String", # Required. Name of the key.

3510

# This is an arbitrary string used to differentiate different keys.

3511

# A unique key is generated per name: two separate `TransientCryptoKey`

3512

# protos share the same generated key if their names are the same.

3513

# When the data crypto key is generated, this name is not used in any way

3514

# (repeating the api call will result in a different key being generated).

3515

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3516

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3517

# The wrapped key must be a 128/192/256 bit key.

3518

# Authorization requires the following IAM permissions when sending a request

3519

# to perform a crypto transformation using a kms-wrapped crypto key:

3520

# dlp.kms.encrypt

3521

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3522

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3523

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3524

},

3525

},

3526

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

3527

},

3528

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

3529

# Uses SHA-256.

3530

# The key size must be either 32 or 64 bytes.

3531

# Outputs a base64 encoded representation of the hashed output

3532

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

3533

# Currently, only string and integer values can be hashed.

3534

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

3535

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

3536

# a key encryption key (KEK) stored by KMS).

3537

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3538

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3539

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3540

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3541

# leaking the key. Choose another type of key if possible.

3542

"key": "A String", # Required. A 128/192/256 bit key.

3543

},

3544

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3545

# It will be discarded after the request finishes.

3546

"name": "A String", # Required. Name of the key.

3547

# This is an arbitrary string used to differentiate different keys.

3548

# A unique key is generated per name: two separate `TransientCryptoKey`

3549

# protos share the same generated key if their names are the same.

3550

# When the data crypto key is generated, this name is not used in any way

3551

# (repeating the api call will result in a different key being generated).

3552

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3553

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3554

# The wrapped key must be a 128/192/256 bit key.

3555

# Authorization requires the following IAM permissions when sending a request

3556

# to perform a crypto transformation using a kms-wrapped crypto key:

3557

# dlp.kms.encrypt

3558

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3559

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3560

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3561

},

3562

},

3563

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

3564

# (FPE) with the FFX mode of operation; however when used in the

3565

# `ReidentifyContent` API method, it serves the opposite function by reversing

3566

# the surrogate back into the original identifier. The identifier must be

3567

# encoded as ASCII. For a given crypto key and context, the same identifier

3568

# will be replaced with the same surrogate. Identifiers must be at least two

3569

# characters long. In the case that the identifier is the empty string, it will

3570

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

3571

# more.

3572

#

3573

# Note: We recommend using CryptoDeterministicConfig for all use cases which

3574

# do not require preserving the input alphabet space and size, plus warrant

3575

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3576

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

3577

# This annotation will be applied to the surrogate by prefixing it with

3578

# the name of the custom infoType followed by the number of

3579

# characters comprising the surrogate. The following scheme defines the

3580

# format: info_type_name(surrogate_character_count):surrogate

3581

#

3582

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

3583

# the surrogate is 'abc', the full replacement value

3584

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3585

#

3586

# This annotation identifies the surrogate when inspecting content using the

3587

# custom infoType

3588

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

3589

# This facilitates reversal of the surrogate when it occurs in free text.

3590

#

3591

# In order for inspection to work properly, the name of this infoType must

3592

# not occur naturally anywhere in your data; otherwise, inspection may

3593

# find a surrogate that does not correspond to an actual identifier.

3594

# Therefore, choose your custom infoType name carefully after considering

3595

# what your data looks like. One way to select a name that has a high chance

3596

# of yielding reliable detection is to include one or more unicode characters

3597

# that are highly improbable to exist in your data.

3598

# For example, assuming your data is entered from a regular ASCII keyboard,

3599

# the symbol with the hex code point 29DD might be used like so:

3600

# ⧝MY_TOKEN_TYPE

3601

"name": "A String", # Name of the information type. Either a name of your choosing when

3602

# creating a CustomInfoType, or one of the names listed

3603

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3604

# a built-in type. InfoType names should conform to the pattern

3605

# `[a-zA-Z0-9_]{1,64}`.

3606

},

3607

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

3608

# identifier in two different contexts won't be given the same surrogate. If

3609

# the context is not set, a default tweak will be used.

3610

#

3611

# If the context is set but:

3612

#

3613

# 1. there is no record present when transforming a given value or

3614

# 1. the field is not present when transforming a given value,

3615

#

3616

# a default tweak will be used.

3617

#

3618

# Note that case (1) is expected when an `InfoTypeTransformation` is

3619

# applied to both structured and non-structured `ContentItem`s.

3620

# Currently, the referenced field may be of value type integer or string.

3621

#

3622

# The tweak is constructed as a sequence of bytes in big endian byte order

3623

# such that:

3624

#

3625

# - a 64 bit integer is encoded followed by a single byte of value 1

3626

# - a string is encoded in UTF-8 format followed by a single byte of value 2

3627

"name": "A String", # Name describing the field.

3628

},

3629

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

3630

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

3631

# a key encryption key (KEK) stored by KMS).

3632

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3633

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3634

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3635

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3636

# leaking the key. Choose another type of key if possible.

3637

"key": "A String", # Required. A 128/192/256 bit key.

3638

},

3639

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3640

# It will be discarded after the request finishes.

3641

"name": "A String", # Required. Name of the key.

3642

# This is an arbitrary string used to differentiate different keys.

3643

# A unique key is generated per name: two separate `TransientCryptoKey`

3644

# protos share the same generated key if their names are the same.

3645

# When the data crypto key is generated, this name is not used in any way

3646

# (repeating the api call will result in a different key being generated).

3647

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3648

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3649

# The wrapped key must be a 128/192/256 bit key.

3650

# Authorization requires the following IAM permissions when sending a request

3651

# to perform a crypto transformation using a kms-wrapped crypto key:

3652

# dlp.kms.encrypt

3653

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3654

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3655

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3656

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3657

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

3658

# that the FFX mode natively supports. This happens before/after

3659

# encryption/decryption.

3660

# Each character listed must appear only once.

3661

# Number of characters must be in the range [2, 95].

3662

# This must be encoded as ASCII.

3663

# The order of characters does not matter.

3664

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3665

},

3666

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

3667

# input. Outputs a base64 encoded representation of the encrypted output.

3668

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

3669

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

3670

# This annotation will be applied to the surrogate by prefixing it with

3671

# the name of the custom info type followed by the number of

3672

# characters comprising the surrogate. The following scheme defines the

3673

# format: {info type name}({surrogate character count}):{surrogate}

3674

#

3675

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

3676

# the surrogate is 'abc', the full replacement value

3677

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

3678

#

3679

# This annotation identifies the surrogate when inspecting content using the

3680

# custom info type 'Surrogate'. This facilitates reversal of the

3681

# surrogate when it occurs in free text.

3682

#

3683

# Note: For record transformations where the entire cell in a table is being

3684

# transformed, surrogates are not mandatory. Surrogates are used to denote

3685

# the location of the token and are necessary for re-identification in free

3686

# form text.

3687

#

3688

# In order for inspection to work properly, the name of this info type must

3689

# not occur naturally anywhere in your data; otherwise, inspection may either

3690

#

3691

# - reverse a surrogate that does not correspond to an actual identifier

3692

# - be unable to parse the surrogate and result in an error

3693

#

3694

# Therefore, choose your custom info type name carefully after considering

3695

# what your data looks like. One way to select a name that has a high chance

3696

# of yielding reliable detection is to include one or more unicode characters

3697

# that are highly improbable to exist in your data.

3698

# For example, assuming your data is entered from a regular ASCII keyboard,

3699

# the symbol with the hex code point 29DD might be used like so:

3700

# ⧝MY_TOKEN_TYPE.

3701

"name": "A String", # Name of the information type. Either a name of your choosing when

3702

# creating a CustomInfoType, or one of the names listed

3703

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

3704

# a built-in type. InfoType names should conform to the pattern

3705

# `[a-zA-Z0-9_]{1,64}`.

3706

},

3707

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

3708

# referential integrity such that the same identifier in two different

3709

# contexts will be given a distinct surrogate. The context is appended to

3710

# plaintext value being encrypted. On decryption the provided context is

3711

# validated against the value used during encryption. If a context was

3712

# provided during encryption, same context must be provided during decryption

3713

# as well.

3714

#

3715

# If the context is not set, plaintext would be used as is for encryption.

3716

# If the context is set but:

3717

#

3718

# 1. there is no record present when transforming a given value or

3719

# 2. the field is not present when transforming a given value,

3720

#

3721

# plaintext would be used as is for encryption.

3722

#

3723

# Note that case (1) is expected when an `InfoTypeTransformation` is

3724

# applied to both structured and non-structured `ContentItem`s.

3725

"name": "A String", # Name describing the field.

3726

},

3727

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

3728

# a key encryption key (KEK) stored by KMS).

3729

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

3730

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

3731

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3732

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

3733

# leaking the key. Choose another type of key if possible.

3734

"key": "A String", # Required. A 128/192/256 bit key.

3735

},

3736

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

3737

# It will be discarded after the request finishes.

3738

"name": "A String", # Required. Name of the key.

3739

# This is an arbitrary string used to differentiate different keys.

3740

# A unique key is generated per name: two separate `TransientCryptoKey`

3741

# protos share the same generated key if their names are the same.

3742

# When the data crypto key is generated, this name is not used in any way

3743

# (repeating the api call will result in a different key being generated).

3744

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3745

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

3746

# The wrapped key must be a 128/192/256 bit key.

3747

# Authorization requires the following IAM permissions when sending a request

3748

# to perform a crypto transformation using a kms-wrapped crypto key:

3749

# dlp.kms.encrypt

3750

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

3751

"wrappedKey": "A String", # Required. The wrapped data crypto key.

3752

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3753

},

3754

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3755

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

3756

# replacement values are dynamically provided by the user for custom behavior,

3757

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

3758

# This can be used on

3759

# data of type: number, long, string, timestamp.

3760

# If the bound `Value` type differs from the type of data being transformed, we

3761

# will first attempt converting the type of the data to be transformed to match

3762

# the type of the bound before comparing.

3763

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

3764

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

3765

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3766

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

3767

# the default behavior will be to hyphenate the min-max range.

3768

# Note that for the purposes of inspection or transformation, the number

3769

# of bytes considered to comprise a 'Value' is based on its representation

3770

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3771

# 123456789, the number of bytes would be counted as 9, even though an

3772

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3773

"timestampValue": "A String", # timestamp

3774

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3775

# and time zone are either specified elsewhere or are not significant. The date

3776

# is relative to the Proleptic Gregorian Calendar. This can represent:

3777

#

3778

# * A full date, with non-zero year, month and day values

3779

# * A month and day value, with a zero year, e.g. an anniversary

3780

# * A year on its own, with zero month and day values

3781

# * A year and month value, with a zero day, e.g. a credit card expiration date

3782

#

3783

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3784

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3785

# a year.

3786

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3787

# month and day.

3788

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3789

# if specifying a year by itself or a year and month where the day is not

3790

# significant.

3791

},

3792

"stringValue": "A String", # string

3793

"integerValue": "A String", # integer

3794

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3795

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3796

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3797

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3798

# to allow the value "24:00:00" for scenarios like business closing time.

3799

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3800

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3801

# allow the value 60 if it allows leap-seconds.

3802

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3803

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3804

"booleanValue": True or False, # boolean

3805

"floatValue": 3.14, # float

3806

"dayOfWeekValue": "A String", # day of week

3807

},

3808

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

3809

# used.

3810

# Note that for the purposes of inspection or transformation, the number

3811

# of bytes considered to comprise a 'Value' is based on its representation

3812

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3813

# 123456789, the number of bytes would be counted as 9, even though an

3814

# int64 only holds up to 8 bytes of data.

3815

"timestampValue": "A String", # timestamp

3816

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3817

# and time zone are either specified elsewhere or are not significant. The date

3818

# is relative to the Proleptic Gregorian Calendar. This can represent:

3819

#

3820

# * A full date, with non-zero year, month and day values

3821

# * A month and day value, with a zero year, e.g. an anniversary

3822

# * A year on its own, with zero month and day values

3823

# * A year and month value, with a zero day, e.g. a credit card expiration date

3824

#

3825

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3826

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3827

# a year.

3828

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3829

# month and day.

3830

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3831

# if specifying a year by itself or a year and month where the day is not

3832

# significant.

3833

},

3834

"stringValue": "A String", # string

3835

"integerValue": "A String", # integer

3836

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3837

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3838

# types are google.type.Date and `google.protobuf.Timestamp`.

3839

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3840

# to allow the value "24:00:00" for scenarios like business closing time.

3841

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3842

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3843

# allow the value 60 if it allows leap-seconds.

3844

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3845

},

3846

"booleanValue": True or False, # boolean

3847

"floatValue": 3.14, # float

3848

"dayOfWeekValue": "A String", # day of week

3849

},

3850

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

3851

# Note that for the purposes of inspection or transformation, the number

3852

# of bytes considered to comprise a 'Value' is based on its representation

3853

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3854

# 123456789, the number of bytes would be counted as 9, even though an

3855

# int64 only holds up to 8 bytes of data.

3856

"timestampValue": "A String", # timestamp

3857

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3858

# and time zone are either specified elsewhere or are not significant. The date

3859

# is relative to the Proleptic Gregorian Calendar. This can represent:

3860

#

3861

# * A full date, with non-zero year, month and day values

3862

# * A month and day value, with a zero year, e.g. an anniversary

3863

# * A year on its own, with zero month and day values

3864

# * A year and month value, with a zero day, e.g. a credit card expiration date

3865

#

3866

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3867

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3868

# a year.

3869

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3870

# month and day.

3871

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3872

# if specifying a year by itself or a year and month where the day is not

3873

# significant.

3874

},

3875

"stringValue": "A String", # string

3876

"integerValue": "A String", # integer

3877

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3878

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3879

# types are google.type.Date and `google.protobuf.Timestamp`.

3880

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3881

# to allow the value "24:00:00" for scenarios like business closing time.

3882

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

3883

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3884

# allow the value 60 if it allows leap-seconds.

3885

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

3886

},

3887

"booleanValue": True or False, # boolean

3888

"floatValue": 3.14, # float

3889

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3894

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

3895

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

3896

# output would be 'My phone number is '.

3897

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3898

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

3899

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

3900

# Note that for the purposes of inspection or transformation, the number

3901

# of bytes considered to comprise a 'Value' is based on its representation

3902

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3903

# 123456789, the number of bytes would be counted as 9, even though an

3904

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3905

"timestampValue": "A String", # timestamp

3906

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3907

# and time zone are either specified elsewhere or are not significant. The date

3908

# is relative to the Proleptic Gregorian Calendar. This can represent:

3909

#

3910

# * A full date, with non-zero year, month and day values

3911

# * A month and day value, with a zero year, e.g. an anniversary

3912

# * A year on its own, with zero month and day values

3913

# * A year and month value, with a zero day, e.g. a credit card expiration date

3914

#

3915

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3916

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3917

# a year.

3918

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3919

# month and day.

3920

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3921

# if specifying a year by itself or a year and month where the day is not

3922

# significant.

3923

},

3924

"stringValue": "A String", # string

3925

"integerValue": "A String", # integer

3926

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3927

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3928

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3929

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3930

# to allow the value "24:00:00" for scenarios like business closing time.

3931

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3932

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3933

# allow the value 60 if it allows leap-seconds.

3934

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3935

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3936

"booleanValue": True or False, # boolean

3937

"floatValue": 3.14, # float

3938

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3939

},

3940

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3941

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

3942

# Bucketing transformation can provide all of this functionality,

3943

# but requires more configuration. This message is provided as a convenience to

3944

# the user for simple bucketing strategies.

3945

#

3946

# The transformed value will be a hyphenated string of

3947

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

3948

# all values that are within this bucket will be replaced with "10-20".

3949

#

3950

# This can be used on data of type: double, long.

3951

#

3952

# If the bound Value type differs from the type of data

3953

# being transformed, we will first attempt converting the type of the data to

3954

# be transformed to match the type of the bound before comparing.

3955

#

3956

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3957

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

3958

# grouped together into a single bucket; for example if `upper_bound` = 89,

3959

# then all values greater than 89 are replaced with the value "89+".

3960

# Note that for the purposes of inspection or transformation, the number

3961

# of bytes considered to comprise a 'Value' is based on its representation

3962

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

3963

# 123456789, the number of bytes would be counted as 9, even though an

3964

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3965

"timestampValue": "A String", # timestamp

3966

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

3967

# and time zone are either specified elsewhere or are not significant. The date

3968

# is relative to the Proleptic Gregorian Calendar. This can represent:

3969

#

3970

# * A full date, with non-zero year, month and day values

3971

# * A month and day value, with a zero year, e.g. an anniversary

3972

# * A year on its own, with zero month and day values

3973

# * A year and month value, with a zero day, e.g. a credit card expiration date

3974

#

3975

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

3976

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

3977

# a year.

3978

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

3979

# month and day.

3980

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

3981

# if specifying a year by itself or a year and month where the day is not

3982

# significant.

3983

},

3984

"stringValue": "A String", # string

3985

"integerValue": "A String", # integer

3986

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

3987

# or are specified elsewhere. An API may choose to allow leap seconds. Related

3988

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3989

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

3990

# to allow the value "24:00:00" for scenarios like business closing time.

3991

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3992

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

3993

# allow the value 60 if it allows leap-seconds.

3994

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3995

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

3996

"booleanValue": True or False, # boolean

3997

"floatValue": 3.14, # float

3998

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

3999

},

4000

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

4001

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

4002

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

4003

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4004

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4005

# grouped together into a single bucket; for example if `lower_bound` = 10,

4006

# then all values less than 10 are replaced with the value "-10".

4007

# Note that for the purposes of inspection or transformation, the number

4008

# of bytes considered to comprise a 'Value' is based on its representation

4009

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4010

# 123456789, the number of bytes would be counted as 9, even though an

4011

# int64 only holds up to 8 bytes of data.

4012

"timestampValue": "A String", # timestamp

4013

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4014

# and time zone are either specified elsewhere or are not significant. The date

4015

# is relative to the Proleptic Gregorian Calendar. This can represent:

4016

#

4017

# * A full date, with non-zero year, month and day values

4018

# * A month and day value, with a zero year, e.g. an anniversary

4019

# * A year on its own, with zero month and day values

4020

# * A year and month value, with a zero day, e.g. a credit card expiration date

4021

#

4022

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4023

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4024

# a year.

4025

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4026

# month and day.

4027

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4028

# if specifying a year by itself or a year and month where the day is not

4029

# significant.

4030

},

4031

"stringValue": "A String", # string

4032

"integerValue": "A String", # integer

4033

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4034

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4035

# types are google.type.Date and `google.protobuf.Timestamp`.

4036

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4037

# to allow the value "24:00:00" for scenarios like business closing time.

4038

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4039

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4040

# allow the value 60 if it allows leap-seconds.

4041

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4042

},

4043

"booleanValue": True or False, # boolean

4044

"floatValue": 3.14, # float

4045

"dayOfWeekValue": "A String", # day of week

4046

},

4047

},

4048

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4049

# fixed character. Masking can start from the beginning or end of the string.

4050

# This can be used on data of any type (numbers, longs, and so on) and when

4051

# de-identifying structured data we'll attempt to preserve the original data's

4052

# type. (This allows you to take a long like 123 and modify it to a string like

4053

# **3.

4054

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4055

# characters. For example, if the input string is `555-555-5555` and you

4056

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4057

# returns `***-**5-5555`.

4058

{ # Characters to skip when doing deidentification of a value. These will be left

4059

# alone and skipped.

4060

"charactersToSkip": "A String", # Characters to not transform when masking.

4061

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4066

# masked. Skipped characters do not count towards this tally.

4067

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4068

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4069

# code or credit card number. This string must have a length of 1. If not

4070

# supplied, this value defaults to `*` for strings, and `0` for digits.

4071

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4072

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4073

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4074

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4075

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4076

},

4077

},

4078

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

4079

# given `RecordCondition`. The conditions are allowed to reference fields

4080

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

4085

# column for the same record is within a specific range.

4086

# - Redact a field if the date of birth field is greater than 85.

4087

# a field.

4088

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

4089

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

4090

# only supported value is `AND`.

4091

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

4092

"conditions": [ # A collection of conditions.

4093

{ # The field type of `value` and `field` do not need to match to be

4094

# considered equal, but not all comparisons are possible.

4095

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

4096

# but all other comparisons are invalid with incompatible types.

4097

# A `value` of type:

4098

#

4099

# - `string` can be compared against all other types

4100

# - `boolean` can only be compared against other booleans

4101

# - `integer` can be compared against doubles or a string if the string value

4102

# can be parsed as an integer.

4103

# - `double` can be compared against integers or a string if the string can

4104

# be parsed as a double.

4105

# - `Timestamp` can be compared against strings in RFC 3339 date string

4106

# format.

4107

# - `TimeOfDay` can be compared against timestamps and strings in the format

4108

# of 'HH:mm:ss'.

4109

#

4110

# If we fail to compare do to type mismatch, a warning will be given and

4111

# the condition will evaluate to false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4112

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

4113

# Note that for the purposes of inspection or transformation, the number

4114

# of bytes considered to comprise a 'Value' is based on its representation

4115

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4116

# 123456789, the number of bytes would be counted as 9, even though an

4117

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4118

"timestampValue": "A String", # timestamp

4119

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4120

# and time zone are either specified elsewhere or are not significant. The date

4121

# is relative to the Proleptic Gregorian Calendar. This can represent:

4122

#

4123

# * A full date, with non-zero year, month and day values

4124

# * A month and day value, with a zero year, e.g. an anniversary

4125

# * A year on its own, with zero month and day values

4126

# * A year and month value, with a zero day, e.g. a credit card expiration date

4127

#

4128

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4129

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4130

# a year.

4131

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4132

# month and day.

4133

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4134

# if specifying a year by itself or a year and month where the day is not

4135

# significant.

4136

},

4137

"stringValue": "A String", # string

4138

"integerValue": "A String", # integer

4139

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4140

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4141

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4142

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4143

# to allow the value "24:00:00" for scenarios like business closing time.

4144

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4145

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4146

# allow the value 60 if it allows leap-seconds.

4147

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4148

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4149

"booleanValue": True or False, # boolean

4150

"floatValue": 3.14, # float

4151

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4152

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4153

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

4154

"name": "A String", # Name describing the field.

4155

},

4156

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

},

},

},

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4164

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

4165

# match any suppression rule are omitted from the output.

4166

{ # Configuration to suppress records whose suppression conditions evaluate to

4167

# true.

4168

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

4169

# evaluated to be suppressed from the transformed content.

4170

# a field.

4171

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

4172

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

4173

# only supported value is `AND`.

4174

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

4175

"conditions": [ # A collection of conditions.

4176

{ # The field type of `value` and `field` do not need to match to be

4177

# considered equal, but not all comparisons are possible.

4178

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

4179

# but all other comparisons are invalid with incompatible types.

4180

# A `value` of type:

4181

#

4182

# - `string` can be compared against all other types

4183

# - `boolean` can only be compared against other booleans

4184

# - `integer` can be compared against doubles or a string if the string value

4185

# can be parsed as an integer.

4186

# - `double` can be compared against integers or a string if the string can

4187

# be parsed as a double.

4188

# - `Timestamp` can be compared against strings in RFC 3339 date string

4189

# format.

4190

# - `TimeOfDay` can be compared against timestamps and strings in the format

4191

# of 'HH:mm:ss'.

4192

#

4193

# If we fail to compare do to type mismatch, a warning will be given and

4194

# the condition will evaluate to false.

4195

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

4196

# Note that for the purposes of inspection or transformation, the number

4197

# of bytes considered to comprise a 'Value' is based on its representation

4198

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4199

# 123456789, the number of bytes would be counted as 9, even though an

4200

# int64 only holds up to 8 bytes of data.

4201

"timestampValue": "A String", # timestamp

4202

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4203

# and time zone are either specified elsewhere or are not significant. The date

4204

# is relative to the Proleptic Gregorian Calendar. This can represent:

4205

#

4206

# * A full date, with non-zero year, month and day values

4207

# * A month and day value, with a zero year, e.g. an anniversary

4208

# * A year on its own, with zero month and day values

4209

# * A year and month value, with a zero day, e.g. a credit card expiration date

4210

#

4211

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4212

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4213

# a year.

4214

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4215

# month and day.

4216

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4217

# if specifying a year by itself or a year and month where the day is not

4218

# significant.

4219

},

4220

"stringValue": "A String", # string

4221

"integerValue": "A String", # integer

4222

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4223

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4224

# types are google.type.Date and `google.protobuf.Timestamp`.

4225

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4226

# to allow the value "24:00:00" for scenarios like business closing time.

4227

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4228

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4229

# allow the value 60 if it allows leap-seconds.

4230

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4231

},

4232

"booleanValue": True or False, # boolean

4233

"floatValue": 3.14, # float

4234

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4235

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4236

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

4237

"name": "A String", # Name describing the field.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4238

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4239

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4240

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4241

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4242

},

4243

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

},

}</pre>

</div>

<code class="details" id="delete">delete(name, x__xgafv=None)</code>

4254

<pre>Deletes a DeidentifyTemplate.

4255

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

more.

Args:

name: string, Required. Resource name of the organization and deidentify template to be deleted,

4260

for example `organizations/433245324/deidentifyTemplates/432452342` or

4261

projects/project-id/deidentifyTemplates/432452342. (required)

4262

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4269

4270

{ # A generic empty message that you can re-use to avoid defining duplicated

4271

# empty messages in your APIs. A typical example is to use it as the request

4272

# or the response type of an API method. For instance:

4273

#

4274

# service Foo {

4275

# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);

4276

# }

4277

#

4278

# The JSON representation for `Empty` is empty JSON object `{}`.

}</pre>

</div>

<code class="details" id="get">get(name, x__xgafv=None)</code>

4284

<pre>Gets a DeidentifyTemplate.

4285

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

more.

Args:

name: string, Required. Resource name of the organization and deidentify template to be read, for

4290

example `organizations/433245324/deidentifyTemplates/432452342` or

4291

projects/project-id/deidentifyTemplates/432452342. (required)

4292

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

4299

4300

{ # DeidentifyTemplates contains instructions on how to de-identify content.

4301

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

4302

"name": "A String", # Output only. The template name.

4303

#

4304

# The template will have one of the following formats:

4305

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

4306

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

4307

"description": "A String", # Short description (max 256 chars).

4308

"displayName": "A String", # Display name (max 256 chars).

4309

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

4310

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

4311

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

4312

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

4313

# transformation everywhere.

4314

# apply various `PrimitiveTransformation`s to each finding, where the

4315

# transformation is applied to only values that were identified as a specific

4316

# info_type.

4317

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

4318

# for a given infoType.

4319

{ # A transformation to apply to text that is identified as a specific

4320

# info_type.

4321

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

4322

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

4323

# portion of the value.

4324

"partToExtract": "A String", # The part of the time to keep.

4325

},

4326

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

4327

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

4328

# to learn more.

4329

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

4330

# If set, must also set cryptoKey. If set, shift will be consistent for the

4331

# given context.

4332

"name": "A String", # Name describing the field.

4333

},

4334

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

4335

# range (inclusive ends). Negative means shift to earlier in time. Must not

4336

# be more than 365250 days (1000 years) each direction.

4337

#

4338

# For example, 3 means shift date to at most 3 days into the future.

4339

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

4340

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

4341

# results in the same shift for the same context and crypto_key. If

4342

# set, must also set context. Can only be applied to table items.

4343

# a key encryption key (KEK) stored by KMS).

4344

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4345

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4346

# unwrap the data crypto key.

4347

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4348

# leaking the key. Choose another type of key if possible.

4349

"key": "A String", # Required. A 128/192/256 bit key.

4350

},

4351

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4352

# It will be discarded after the request finishes.

4353

"name": "A String", # Required. Name of the key.

4354

# This is an arbitrary string used to differentiate different keys.

4355

# A unique key is generated per name: two separate `TransientCryptoKey`

4356

# protos share the same generated key if their names are the same.

4357

# When the data crypto key is generated, this name is not used in any way

4358

# (repeating the api call will result in a different key being generated).

4359

},

4360

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4361

# The wrapped key must be a 128/192/256 bit key.

4362

# Authorization requires the following IAM permissions when sending a request

4363

# to perform a crypto transformation using a kms-wrapped crypto key:

4364

# dlp.kms.encrypt

4365

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4366

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

4371

},

4372

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

4373

# Uses SHA-256.

4374

# The key size must be either 32 or 64 bytes.

4375

# Outputs a base64 encoded representation of the hashed output

4376

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

4377

# Currently, only string and integer values can be hashed.

4378

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

4379

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

4380

# a key encryption key (KEK) stored by KMS).

4381

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4382

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4383

# unwrap the data crypto key.

4384

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4385

# leaking the key. Choose another type of key if possible.

4386

"key": "A String", # Required. A 128/192/256 bit key.

4387

},

4388

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4389

# It will be discarded after the request finishes.

4390

"name": "A String", # Required. Name of the key.

4391

# This is an arbitrary string used to differentiate different keys.

4392

# A unique key is generated per name: two separate `TransientCryptoKey`

4393

# protos share the same generated key if their names are the same.

4394

# When the data crypto key is generated, this name is not used in any way

4395

# (repeating the api call will result in a different key being generated).

4396

},

4397

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4398

# The wrapped key must be a 128/192/256 bit key.

4399

# Authorization requires the following IAM permissions when sending a request

4400

# to perform a crypto transformation using a kms-wrapped crypto key:

4401

# dlp.kms.encrypt

4402

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4403

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

4408

# (FPE) with the FFX mode of operation; however when used in the

4409

# `ReidentifyContent` API method, it serves the opposite function by reversing

4410

# the surrogate back into the original identifier. The identifier must be

4411

# encoded as ASCII. For a given crypto key and context, the same identifier

4412

# will be replaced with the same surrogate. Identifiers must be at least two

4413

# characters long. In the case that the identifier is the empty string, it will

4414

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

4415

# more.

4416

#

4417

# Note: We recommend using CryptoDeterministicConfig for all use cases which

4418

# do not require preserving the input alphabet space and size, plus warrant

4419

# referential integrity.

4420

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

4421

# This annotation will be applied to the surrogate by prefixing it with

4422

# the name of the custom infoType followed by the number of

4423

# characters comprising the surrogate. The following scheme defines the

4424

# format: info_type_name(surrogate_character_count):surrogate

4425

#

4426

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

4427

# the surrogate is 'abc', the full replacement value

4428

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4429

#

4430

# This annotation identifies the surrogate when inspecting content using the

4431

# custom infoType

4432

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

4433

# This facilitates reversal of the surrogate when it occurs in free text.

4434

#

4435

# In order for inspection to work properly, the name of this infoType must

4436

# not occur naturally anywhere in your data; otherwise, inspection may

4437

# find a surrogate that does not correspond to an actual identifier.

4438

# Therefore, choose your custom infoType name carefully after considering

4439

# what your data looks like. One way to select a name that has a high chance

4440

# of yielding reliable detection is to include one or more unicode characters

4441

# that are highly improbable to exist in your data.

4442

# For example, assuming your data is entered from a regular ASCII keyboard,

4443

# the symbol with the hex code point 29DD might be used like so:

4444

# ⧝MY_TOKEN_TYPE

4445

"name": "A String", # Name of the information type. Either a name of your choosing when

4446

# creating a CustomInfoType, or one of the names listed

4447

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4448

# a built-in type. InfoType names should conform to the pattern

4449

# `[a-zA-Z0-9_]{1,64}`.

4450

},

4451

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

4452

# identifier in two different contexts won't be given the same surrogate. If

4453

# the context is not set, a default tweak will be used.

4454

#

4455

# If the context is set but:

4456

#

4457

# 1. there is no record present when transforming a given value or

4458

# 1. the field is not present when transforming a given value,

4459

#

4460

# a default tweak will be used.

4461

#

4462

# Note that case (1) is expected when an `InfoTypeTransformation` is

4463

# applied to both structured and non-structured `ContentItem`s.

4464

# Currently, the referenced field may be of value type integer or string.

4465

#

4466

# The tweak is constructed as a sequence of bytes in big endian byte order

4467

# such that:

4468

#

4469

# - a 64 bit integer is encoded followed by a single byte of value 1

4470

# - a string is encoded in UTF-8 format followed by a single byte of value 2

4471

"name": "A String", # Name describing the field.

4472

},

4473

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

4474

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

4475

# a key encryption key (KEK) stored by KMS).

4476

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4477

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4478

# unwrap the data crypto key.

4479

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4480

# leaking the key. Choose another type of key if possible.

4481

"key": "A String", # Required. A 128/192/256 bit key.

4482

},

4483

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4484

# It will be discarded after the request finishes.

4485

"name": "A String", # Required. Name of the key.

4486

# This is an arbitrary string used to differentiate different keys.

4487

# A unique key is generated per name: two separate `TransientCryptoKey`

4488

# protos share the same generated key if their names are the same.

4489

# When the data crypto key is generated, this name is not used in any way

4490

# (repeating the api call will result in a different key being generated).

4491

},

4492

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4493

# The wrapped key must be a 128/192/256 bit key.

4494

# Authorization requires the following IAM permissions when sending a request

4495

# to perform a crypto transformation using a kms-wrapped crypto key:

4496

# dlp.kms.encrypt

4497

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4498

"wrappedKey": "A String", # Required. The wrapped data crypto key.

4499

},

4500

},

4501

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

4502

# that the FFX mode natively supports. This happens before/after

4503

# encryption/decryption.

4504

# Each character listed must appear only once.

4505

# Number of characters must be in the range [2, 95].

4506

# This must be encoded as ASCII.

4507

# The order of characters does not matter.

4508

"commonAlphabet": "A String", # Common alphabets.

4509

},

4510

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

4511

# input. Outputs a base64 encoded representation of the encrypted output.

4512

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

4513

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

4514

# This annotation will be applied to the surrogate by prefixing it with

4515

# the name of the custom info type followed by the number of

4516

# characters comprising the surrogate. The following scheme defines the

4517

# format: {info type name}({surrogate character count}):{surrogate}

4518

#

4519

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

4520

# the surrogate is 'abc', the full replacement value

4521

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

4522

#

4523

# This annotation identifies the surrogate when inspecting content using the

4524

# custom info type 'Surrogate'. This facilitates reversal of the

4525

# surrogate when it occurs in free text.

4526

#

4527

# Note: For record transformations where the entire cell in a table is being

4528

# transformed, surrogates are not mandatory. Surrogates are used to denote

4529

# the location of the token and are necessary for re-identification in free

4530

# form text.

4531

#

4532

# In order for inspection to work properly, the name of this info type must

4533

# not occur naturally anywhere in your data; otherwise, inspection may either

4534

#

4535

# - reverse a surrogate that does not correspond to an actual identifier

4536

# - be unable to parse the surrogate and result in an error

4537

#

4538

# Therefore, choose your custom info type name carefully after considering

4539

# what your data looks like. One way to select a name that has a high chance

4540

# of yielding reliable detection is to include one or more unicode characters

4541

# that are highly improbable to exist in your data.

4542

# For example, assuming your data is entered from a regular ASCII keyboard,

4543

# the symbol with the hex code point 29DD might be used like so:

4544

# ⧝MY_TOKEN_TYPE.

4545

"name": "A String", # Name of the information type. Either a name of your choosing when

4546

# creating a CustomInfoType, or one of the names listed

4547

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4548

# a built-in type. InfoType names should conform to the pattern

4549

# `[a-zA-Z0-9_]{1,64}`.

4550

},

4551

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

4552

# referential integrity such that the same identifier in two different

4553

# contexts will be given a distinct surrogate. The context is appended to

4554

# plaintext value being encrypted. On decryption the provided context is

4555

# validated against the value used during encryption. If a context was

4556

# provided during encryption, same context must be provided during decryption

4557

# as well.

4558

#

4559

# If the context is not set, plaintext would be used as is for encryption.

4560

# If the context is set but:

4561

#

4562

# 1. there is no record present when transforming a given value or

4563

# 2. the field is not present when transforming a given value,

4564

#

4565

# plaintext would be used as is for encryption.

4566

#

4567

# Note that case (1) is expected when an `InfoTypeTransformation` is

4568

# applied to both structured and non-structured `ContentItem`s.

4569

"name": "A String", # Name describing the field.

4570

},

4571

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

4572

# a key encryption key (KEK) stored by KMS).

4573

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4574

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4575

# unwrap the data crypto key.

4576

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

4577

# leaking the key. Choose another type of key if possible.

4578

"key": "A String", # Required. A 128/192/256 bit key.

4579

},

4580

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

4581

# It will be discarded after the request finishes.

4582

"name": "A String", # Required. Name of the key.

4583

# This is an arbitrary string used to differentiate different keys.

4584

# A unique key is generated per name: two separate `TransientCryptoKey`

4585

# protos share the same generated key if their names are the same.

4586

# When the data crypto key is generated, this name is not used in any way

4587

# (repeating the api call will result in a different key being generated).

4588

},

4589

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

4590

# The wrapped key must be a 128/192/256 bit key.

4591

# Authorization requires the following IAM permissions when sending a request

4592

# to perform a crypto transformation using a kms-wrapped crypto key:

4593

# dlp.kms.encrypt

4594

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

4595

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

4600

# replacement values are dynamically provided by the user for custom behavior,

4601

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

4602

# This can be used on

4603

# data of type: number, long, string, timestamp.

4604

# If the bound `Value` type differs from the type of data being transformed, we

4605

# will first attempt converting the type of the data to be transformed to match

4606

# the type of the bound before comparing.

4607

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4608

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

4609

{ # Bucket is represented as a range, along with replacement values.

4610

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

4611

# the default behavior will be to hyphenate the min-max range.

4612

# Note that for the purposes of inspection or transformation, the number

4613

# of bytes considered to comprise a 'Value' is based on its representation

4614

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4615

# 123456789, the number of bytes would be counted as 9, even though an

4616

# int64 only holds up to 8 bytes of data.

4617

"timestampValue": "A String", # timestamp

4618

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4619

# and time zone are either specified elsewhere or are not significant. The date

4620

# is relative to the Proleptic Gregorian Calendar. This can represent:

4621

#

4622

# * A full date, with non-zero year, month and day values

4623

# * A month and day value, with a zero year, e.g. an anniversary

4624

# * A year on its own, with zero month and day values

4625

# * A year and month value, with a zero day, e.g. a credit card expiration date

4626

#

4627

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4628

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4629

# a year.

4630

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4631

# month and day.

4632

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4633

# if specifying a year by itself or a year and month where the day is not

4634

# significant.

4635

},

4636

"stringValue": "A String", # string

4637

"integerValue": "A String", # integer

4638

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4639

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4640

# types are google.type.Date and `google.protobuf.Timestamp`.

4641

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4642

# to allow the value "24:00:00" for scenarios like business closing time.

4643

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4644

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4645

# allow the value 60 if it allows leap-seconds.

4646

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4647

},

4648

"booleanValue": True or False, # boolean

4649

"floatValue": 3.14, # float

4650

"dayOfWeekValue": "A String", # day of week

4651

},

4652

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

4653

# used.

4654

# Note that for the purposes of inspection or transformation, the number

4655

# of bytes considered to comprise a 'Value' is based on its representation

4656

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4657

# 123456789, the number of bytes would be counted as 9, even though an

4658

# int64 only holds up to 8 bytes of data.

4659

"timestampValue": "A String", # timestamp

4660

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4661

# and time zone are either specified elsewhere or are not significant. The date

4662

# is relative to the Proleptic Gregorian Calendar. This can represent:

4663

#

4664

# * A full date, with non-zero year, month and day values

4665

# * A month and day value, with a zero year, e.g. an anniversary

4666

# * A year on its own, with zero month and day values

4667

# * A year and month value, with a zero day, e.g. a credit card expiration date

4668

#

4669

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4670

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4671

# a year.

4672

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4673

# month and day.

4674

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4675

# if specifying a year by itself or a year and month where the day is not

4676

# significant.

4677

},

4678

"stringValue": "A String", # string

4679

"integerValue": "A String", # integer

4680

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4681

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4682

# types are google.type.Date and `google.protobuf.Timestamp`.

4683

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4684

# to allow the value "24:00:00" for scenarios like business closing time.

4685

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4686

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4687

# allow the value 60 if it allows leap-seconds.

4688

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4689

},

4690

"booleanValue": True or False, # boolean

4691

"floatValue": 3.14, # float

4692

"dayOfWeekValue": "A String", # day of week

4693

},

4694

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

4695

# Note that for the purposes of inspection or transformation, the number

4696

# of bytes considered to comprise a 'Value' is based on its representation

4697

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4698

# 123456789, the number of bytes would be counted as 9, even though an

4699

# int64 only holds up to 8 bytes of data.

4700

"timestampValue": "A String", # timestamp

4701

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4702

# and time zone are either specified elsewhere or are not significant. The date

4703

# is relative to the Proleptic Gregorian Calendar. This can represent:

4704

#

4705

# * A full date, with non-zero year, month and day values

4706

# * A month and day value, with a zero year, e.g. an anniversary

4707

# * A year on its own, with zero month and day values

4708

# * A year and month value, with a zero day, e.g. a credit card expiration date

4709

#

4710

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4711

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4712

# a year.

4713

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4714

# month and day.

4715

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4716

# if specifying a year by itself or a year and month where the day is not

4717

# significant.

4718

},

4719

"stringValue": "A String", # string

4720

"integerValue": "A String", # integer

4721

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4722

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4723

# types are google.type.Date and `google.protobuf.Timestamp`.

4724

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4725

# to allow the value "24:00:00" for scenarios like business closing time.

4726

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4727

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4728

# allow the value 60 if it allows leap-seconds.

4729

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4730

},

4731

"booleanValue": True or False, # boolean

4732

"floatValue": 3.14, # float

4733

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

4739

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

4740

# output would be 'My phone number is '.

4741

},

4742

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

4743

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

4744

# Note that for the purposes of inspection or transformation, the number

4745

# of bytes considered to comprise a 'Value' is based on its representation

4746

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4747

# 123456789, the number of bytes would be counted as 9, even though an

4748

# int64 only holds up to 8 bytes of data.

4749

"timestampValue": "A String", # timestamp

4750

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4751

# and time zone are either specified elsewhere or are not significant. The date

4752

# is relative to the Proleptic Gregorian Calendar. This can represent:

4753

#

4754

# * A full date, with non-zero year, month and day values

4755

# * A month and day value, with a zero year, e.g. an anniversary

4756

# * A year on its own, with zero month and day values

4757

# * A year and month value, with a zero day, e.g. a credit card expiration date

4758

#

4759

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4760

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4761

# a year.

4762

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4763

# month and day.

4764

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4765

# if specifying a year by itself or a year and month where the day is not

4766

# significant.

4767

},

4768

"stringValue": "A String", # string

4769

"integerValue": "A String", # integer

4770

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4771

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4772

# types are google.type.Date and `google.protobuf.Timestamp`.

4773

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4774

# to allow the value "24:00:00" for scenarios like business closing time.

4775

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4776

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4777

# allow the value 60 if it allows leap-seconds.

4778

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4779

},

4780

"booleanValue": True or False, # boolean

4781

"floatValue": 3.14, # float

4782

"dayOfWeekValue": "A String", # day of week

4783

},

4784

},

4785

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

4786

# Bucketing transformation can provide all of this functionality,

4787

# but requires more configuration. This message is provided as a convenience to

4788

# the user for simple bucketing strategies.

4789

#

4790

# The transformed value will be a hyphenated string of

4791

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

4792

# all values that are within this bucket will be replaced with "10-20".

4793

#

4794

# This can be used on data of type: double, long.

4795

#

4796

# If the bound Value type differs from the type of data

4797

# being transformed, we will first attempt converting the type of the data to

4798

# be transformed to match the type of the bound before comparing.

4799

#

4800

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

4801

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

4802

# grouped together into a single bucket; for example if `upper_bound` = 89,

4803

# then all values greater than 89 are replaced with the value "89+".

4804

# Note that for the purposes of inspection or transformation, the number

4805

# of bytes considered to comprise a 'Value' is based on its representation

4806

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4807

# 123456789, the number of bytes would be counted as 9, even though an

4808

# int64 only holds up to 8 bytes of data.

4809

"timestampValue": "A String", # timestamp

4810

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4811

# and time zone are either specified elsewhere or are not significant. The date

4812

# is relative to the Proleptic Gregorian Calendar. This can represent:

4813

#

4814

# * A full date, with non-zero year, month and day values

4815

# * A month and day value, with a zero year, e.g. an anniversary

4816

# * A year on its own, with zero month and day values

4817

# * A year and month value, with a zero day, e.g. a credit card expiration date

4818

#

4819

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4820

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4821

# a year.

4822

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4823

# month and day.

4824

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4825

# if specifying a year by itself or a year and month where the day is not

4826

# significant.

4827

},

4828

"stringValue": "A String", # string

4829

"integerValue": "A String", # integer

4830

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4831

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4832

# types are google.type.Date and `google.protobuf.Timestamp`.

4833

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4834

# to allow the value "24:00:00" for scenarios like business closing time.

4835

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4836

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4837

# allow the value 60 if it allows leap-seconds.

4838

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4839

},

4840

"booleanValue": True or False, # boolean

4841

"floatValue": 3.14, # float

4842

"dayOfWeekValue": "A String", # day of week

4843

},

4844

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

4845

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

4846

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

4847

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

4848

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

4849

# grouped together into a single bucket; for example if `lower_bound` = 10,

4850

# then all values less than 10 are replaced with the value "-10".

4851

# Note that for the purposes of inspection or transformation, the number

4852

# of bytes considered to comprise a 'Value' is based on its representation

4853

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

4854

# 123456789, the number of bytes would be counted as 9, even though an

4855

# int64 only holds up to 8 bytes of data.

4856

"timestampValue": "A String", # timestamp

4857

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

4858

# and time zone are either specified elsewhere or are not significant. The date

4859

# is relative to the Proleptic Gregorian Calendar. This can represent:

4860

#

4861

# * A full date, with non-zero year, month and day values

4862

# * A month and day value, with a zero year, e.g. an anniversary

4863

# * A year on its own, with zero month and day values

4864

# * A year and month value, with a zero day, e.g. a credit card expiration date

4865

#

4866

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

4867

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

4868

# a year.

4869

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

4870

# month and day.

4871

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

4872

# if specifying a year by itself or a year and month where the day is not

4873

# significant.

4874

},

4875

"stringValue": "A String", # string

4876

"integerValue": "A String", # integer

4877

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

4878

# or are specified elsewhere. An API may choose to allow leap seconds. Related

4879

# types are google.type.Date and `google.protobuf.Timestamp`.

4880

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

4881

# to allow the value "24:00:00" for scenarios like business closing time.

4882

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

4883

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

4884

# allow the value 60 if it allows leap-seconds.

4885

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

4886

},

4887

"booleanValue": True or False, # boolean

4888

"floatValue": 3.14, # float

4889

"dayOfWeekValue": "A String", # day of week

4890

},

4891

},

4892

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

4893

# fixed character. Masking can start from the beginning or end of the string.

4894

# This can be used on data of any type (numbers, longs, and so on) and when

4895

# de-identifying structured data we'll attempt to preserve the original data's

4896

# type. (This allows you to take a long like 123 and modify it to a string like

4897

# **3.

4898

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

4899

# characters. For example, if the input string is `555-555-5555` and you

4900

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

4901

# returns `***-**5-5555`.

4902

{ # Characters to skip when doing deidentification of a value. These will be left

4903

# alone and skipped.

4904

"charactersToSkip": "A String", # Characters to not transform when masking.

4905

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

4910

# masked. Skipped characters do not count towards this tally.

4911

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

4912

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

4913

# code or credit card number. This string must have a length of 1. If not

4914

# supplied, this value defaults to `*` for strings, and `0` for digits.

4915

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

4916

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

4917

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

4918

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

4919

# is `true`, then the string `12345` is masked as `12***`.

4920

},

4921

},

4922

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

4923

# this transformation to apply to all findings that correspond to

4924

# infoTypes that were requested in `InspectConfig`.

4925

{ # Type of information detected by the API.

4926

"name": "A String", # Name of the information type. Either a name of your choosing when

4927

# creating a CustomInfoType, or one of the names listed

4928

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

4929

# a built-in type. InfoType names should conform to the pattern

4930

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4936

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

4937

# mode is `TransformationErrorHandling.ThrowError`.

4938

# transformation error occurs when the requested transformation is incompatible

4939

# with the data. For example, trying to de-identify an IP address using a

4940

# `DateShift` transformation would result in a transformation error, since date

4941

# info cannot be extracted from an IP address.

4942

# Information about any incompatible transformations, and how they were

4943

# handled, is returned in the response as part of the

4944

# `TransformationOverviews`.

4945

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

4946

},

4947

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

4948

# cause an error. For example, if a `DateShift` transformation were applied

4949

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

4954

# specific locations within structured datasets, such as transforming

4955

# a column within a table.

4956

# table.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4957

"fieldTransformations": [ # Transform the record by applying various field transformations.

4958

{ # The transformation to apply to the field.

4959

"fields": [ # Required. Input field(s) to apply the transformation to.

4960

{ # General identifier of a data field in a storage service.

4961

"name": "A String", # Name describing the field.

4962

},

4963

],

4964

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

4965

# transform content that matches an `InfoType`.

4966

# apply various `PrimitiveTransformation`s to each finding, where the

4967

# transformation is applied to only values that were identified as a specific

4968

# info_type.

4969

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

4970

# for a given infoType.

4971

{ # A transformation to apply to text that is identified as a specific

4972

# info_type.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4973

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

4974

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

4975

# portion of the value.

4976

"partToExtract": "A String", # The part of the time to keep.

4977

},

4978

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

4979

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

4980

# to learn more.

4981

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

4982

# If set, must also set cryptoKey. If set, shift will be consistent for the

4983

# given context.

4984

"name": "A String", # Name describing the field.

4985

},

4986

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

4987

# range (inclusive ends). Negative means shift to earlier in time. Must not

4988

# be more than 365250 days (1000 years) each direction.

4989

#

4990

# For example, 3 means shift date to at most 3 days into the future.

4991

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

4992

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

4993

# results in the same shift for the same context and crypto_key. If

4994

# set, must also set context. Can only be applied to table items.

4995

# a key encryption key (KEK) stored by KMS).

4996

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

4997

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

4998

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

4999

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5000

# leaking the key. Choose another type of key if possible.

5001

"key": "A String", # Required. A 128/192/256 bit key.

5002

},

5003

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5004

# It will be discarded after the request finishes.

5005

"name": "A String", # Required. Name of the key.

5006

# This is an arbitrary string used to differentiate different keys.

5007

# A unique key is generated per name: two separate `TransientCryptoKey`

5008

# protos share the same generated key if their names are the same.

5009

# When the data crypto key is generated, this name is not used in any way

5010

# (repeating the api call will result in a different key being generated).

5011

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5012

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5013

# The wrapped key must be a 128/192/256 bit key.

5014

# Authorization requires the following IAM permissions when sending a request

5015

# to perform a crypto transformation using a kms-wrapped crypto key:

5016

# dlp.kms.encrypt

5017

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5018

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5019

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5020

},

5021

},

5022

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5023

},

5024

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5025

# Uses SHA-256.

5026

# The key size must be either 32 or 64 bytes.

5027

# Outputs a base64 encoded representation of the hashed output

5028

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5029

# Currently, only string and integer values can be hashed.

5030

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5031

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5032

# a key encryption key (KEK) stored by KMS).

5033

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5034

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5035

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5036

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5037

# leaking the key. Choose another type of key if possible.

5038

"key": "A String", # Required. A 128/192/256 bit key.

5039

},

5040

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5041

# It will be discarded after the request finishes.

5042

"name": "A String", # Required. Name of the key.

5043

# This is an arbitrary string used to differentiate different keys.

5044

# A unique key is generated per name: two separate `TransientCryptoKey`

5045

# protos share the same generated key if their names are the same.

5046

# When the data crypto key is generated, this name is not used in any way

5047

# (repeating the api call will result in a different key being generated).

5048

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5049

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5050

# The wrapped key must be a 128/192/256 bit key.

5051

# Authorization requires the following IAM permissions when sending a request

5052

# to perform a crypto transformation using a kms-wrapped crypto key:

5053

# dlp.kms.encrypt

5054

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5055

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5056

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5057

},

5058

},

5059

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5060

# (FPE) with the FFX mode of operation; however when used in the

5061

# `ReidentifyContent` API method, it serves the opposite function by reversing

5062

# the surrogate back into the original identifier. The identifier must be

5063

# encoded as ASCII. For a given crypto key and context, the same identifier

5064

# will be replaced with the same surrogate. Identifiers must be at least two

5065

# characters long. In the case that the identifier is the empty string, it will

5066

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5067

# more.

5068

#

5069

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5070

# do not require preserving the input alphabet space and size, plus warrant

5071

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5072

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5073

# This annotation will be applied to the surrogate by prefixing it with

5074

# the name of the custom infoType followed by the number of

5075

# characters comprising the surrogate. The following scheme defines the

5076

# format: info_type_name(surrogate_character_count):surrogate

5077

#

5078

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5079

# the surrogate is 'abc', the full replacement value

5080

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5081

#

5082

# This annotation identifies the surrogate when inspecting content using the

5083

# custom infoType

5084

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

5085

# This facilitates reversal of the surrogate when it occurs in free text.

5086

#

5087

# In order for inspection to work properly, the name of this infoType must

5088

# not occur naturally anywhere in your data; otherwise, inspection may

5089

# find a surrogate that does not correspond to an actual identifier.

5090

# Therefore, choose your custom infoType name carefully after considering

5091

# what your data looks like. One way to select a name that has a high chance

5092

# of yielding reliable detection is to include one or more unicode characters

5093

# that are highly improbable to exist in your data.

5094

# For example, assuming your data is entered from a regular ASCII keyboard,

5095

# the symbol with the hex code point 29DD might be used like so:

5096

# ⧝MY_TOKEN_TYPE

5097

"name": "A String", # Name of the information type. Either a name of your choosing when

5098

# creating a CustomInfoType, or one of the names listed

5099

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5100

# a built-in type. InfoType names should conform to the pattern

5101

# `[a-zA-Z0-9_]{1,64}`.

5102

},

5103

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

5104

# identifier in two different contexts won't be given the same surrogate. If

5105

# the context is not set, a default tweak will be used.

5106

#

5107

# If the context is set but:

5108

#

5109

# 1. there is no record present when transforming a given value or

5110

# 1. the field is not present when transforming a given value,

5111

#

5112

# a default tweak will be used.

5113

#

5114

# Note that case (1) is expected when an `InfoTypeTransformation` is

5115

# applied to both structured and non-structured `ContentItem`s.

5116

# Currently, the referenced field may be of value type integer or string.

5117

#

5118

# The tweak is constructed as a sequence of bytes in big endian byte order

5119

# such that:

5120

#

5121

# - a 64 bit integer is encoded followed by a single byte of value 1

5122

# - a string is encoded in UTF-8 format followed by a single byte of value 2

5123

"name": "A String", # Name describing the field.

5124

},

5125

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

5126

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

5127

# a key encryption key (KEK) stored by KMS).

5128

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5129

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5130

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5131

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5132

# leaking the key. Choose another type of key if possible.

5133

"key": "A String", # Required. A 128/192/256 bit key.

5134

},

5135

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5136

# It will be discarded after the request finishes.

5137

"name": "A String", # Required. Name of the key.

5138

# This is an arbitrary string used to differentiate different keys.

5139

# A unique key is generated per name: two separate `TransientCryptoKey`

5140

# protos share the same generated key if their names are the same.

5141

# When the data crypto key is generated, this name is not used in any way

5142

# (repeating the api call will result in a different key being generated).

5143

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5144

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5145

# The wrapped key must be a 128/192/256 bit key.

5146

# Authorization requires the following IAM permissions when sending a request

5147

# to perform a crypto transformation using a kms-wrapped crypto key:

5148

# dlp.kms.encrypt

5149

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5150

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5151

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5152

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5153

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5154

# that the FFX mode natively supports. This happens before/after

5155

# encryption/decryption.

5156

# Each character listed must appear only once.

5157

# Number of characters must be in the range [2, 95].

5158

# This must be encoded as ASCII.

5159

# The order of characters does not matter.

5160

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5161

},

5162

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

5163

# input. Outputs a base64 encoded representation of the encrypted output.

5164

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

5165

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

5166

# This annotation will be applied to the surrogate by prefixing it with

5167

# the name of the custom info type followed by the number of

5168

# characters comprising the surrogate. The following scheme defines the

5169

# format: {info type name}({surrogate character count}):{surrogate}

5170

#

5171

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

5172

# the surrogate is 'abc', the full replacement value

5173

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5174

#

5175

# This annotation identifies the surrogate when inspecting content using the

5176

# custom info type 'Surrogate'. This facilitates reversal of the

5177

# surrogate when it occurs in free text.

5178

#

5179

# Note: For record transformations where the entire cell in a table is being

5180

# transformed, surrogates are not mandatory. Surrogates are used to denote

5181

# the location of the token and are necessary for re-identification in free

5182

# form text.

5183

#

5184

# In order for inspection to work properly, the name of this info type must

5185

# not occur naturally anywhere in your data; otherwise, inspection may either

5186

#

5187

# - reverse a surrogate that does not correspond to an actual identifier

5188

# - be unable to parse the surrogate and result in an error

5189

#

5190

# Therefore, choose your custom info type name carefully after considering

5191

# what your data looks like. One way to select a name that has a high chance

5192

# of yielding reliable detection is to include one or more unicode characters

5193

# that are highly improbable to exist in your data.

5194

# For example, assuming your data is entered from a regular ASCII keyboard,

5195

# the symbol with the hex code point 29DD might be used like so:

5196

# ⧝MY_TOKEN_TYPE.

5197

"name": "A String", # Name of the information type. Either a name of your choosing when

5198

# creating a CustomInfoType, or one of the names listed

5199

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5200

# a built-in type. InfoType names should conform to the pattern

5201

# `[a-zA-Z0-9_]{1,64}`.

5202

},

5203

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

5204

# referential integrity such that the same identifier in two different

5205

# contexts will be given a distinct surrogate. The context is appended to

5206

# plaintext value being encrypted. On decryption the provided context is

5207

# validated against the value used during encryption. If a context was

5208

# provided during encryption, same context must be provided during decryption

5209

# as well.

5210

#

5211

# If the context is not set, plaintext would be used as is for encryption.

5212

# If the context is set but:

5213

#

5214

# 1. there is no record present when transforming a given value or

5215

# 2. the field is not present when transforming a given value,

5216

#

5217

# plaintext would be used as is for encryption.

5218

#

5219

# Note that case (1) is expected when an `InfoTypeTransformation` is

5220

# applied to both structured and non-structured `ContentItem`s.

5221

"name": "A String", # Name describing the field.

5222

},

5223

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

5224

# a key encryption key (KEK) stored by KMS).

5225

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5226

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5227

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5228

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5229

# leaking the key. Choose another type of key if possible.

5230

"key": "A String", # Required. A 128/192/256 bit key.

5231

},

5232

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5233

# It will be discarded after the request finishes.

5234

"name": "A String", # Required. Name of the key.

5235

# This is an arbitrary string used to differentiate different keys.

5236

# A unique key is generated per name: two separate `TransientCryptoKey`

5237

# protos share the same generated key if their names are the same.

5238

# When the data crypto key is generated, this name is not used in any way

5239

# (repeating the api call will result in a different key being generated).

5240

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5241

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5242

# The wrapped key must be a 128/192/256 bit key.

5243

# Authorization requires the following IAM permissions when sending a request

5244

# to perform a crypto transformation using a kms-wrapped crypto key:

5245

# dlp.kms.encrypt

5246

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5247

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5248

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5249

},

5250

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5251

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

5252

# replacement values are dynamically provided by the user for custom behavior,

5253

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

5254

# This can be used on

5255

# data of type: number, long, string, timestamp.

5256

# If the bound `Value` type differs from the type of data being transformed, we

5257

# will first attempt converting the type of the data to be transformed to match

5258

# the type of the bound before comparing.

5259

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

5260

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

5261

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5262

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

5263

# the default behavior will be to hyphenate the min-max range.

5264

# Note that for the purposes of inspection or transformation, the number

5265

# of bytes considered to comprise a 'Value' is based on its representation

5266

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5267

# 123456789, the number of bytes would be counted as 9, even though an

5268

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5269

"timestampValue": "A String", # timestamp

5270

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5271

# and time zone are either specified elsewhere or are not significant. The date

5272

# is relative to the Proleptic Gregorian Calendar. This can represent:

5273

#

5274

# * A full date, with non-zero year, month and day values

5275

# * A month and day value, with a zero year, e.g. an anniversary

5276

# * A year on its own, with zero month and day values

5277

# * A year and month value, with a zero day, e.g. a credit card expiration date

5278

#

5279

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5280

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5281

# a year.

5282

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5283

# month and day.

5284

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5285

# if specifying a year by itself or a year and month where the day is not

5286

# significant.

5287

},

5288

"stringValue": "A String", # string

5289

"integerValue": "A String", # integer

5290

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5291

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5292

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5293

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5294

# to allow the value "24:00:00" for scenarios like business closing time.

5295

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5296

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5297

# allow the value 60 if it allows leap-seconds.

5298

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5299

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5300

"booleanValue": True or False, # boolean

5301

"floatValue": 3.14, # float

5302

"dayOfWeekValue": "A String", # day of week

5303

},

5304

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

5305

# used.

5306

# Note that for the purposes of inspection or transformation, the number

5307

# of bytes considered to comprise a 'Value' is based on its representation

5308

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5309

# 123456789, the number of bytes would be counted as 9, even though an

5310

# int64 only holds up to 8 bytes of data.

5311

"timestampValue": "A String", # timestamp

5312

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5313

# and time zone are either specified elsewhere or are not significant. The date

5314

# is relative to the Proleptic Gregorian Calendar. This can represent:

5315

#

5316

# * A full date, with non-zero year, month and day values

5317

# * A month and day value, with a zero year, e.g. an anniversary

5318

# * A year on its own, with zero month and day values

5319

# * A year and month value, with a zero day, e.g. a credit card expiration date

5320

#

5321

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5322

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5323

# a year.

5324

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5325

# month and day.

5326

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5327

# if specifying a year by itself or a year and month where the day is not

5328

# significant.

5329

},

5330

"stringValue": "A String", # string

5331

"integerValue": "A String", # integer

5332

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5333

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5334

# types are google.type.Date and `google.protobuf.Timestamp`.

5335

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5336

# to allow the value "24:00:00" for scenarios like business closing time.

5337

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5338

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5339

# allow the value 60 if it allows leap-seconds.

5340

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5341

},

5342

"booleanValue": True or False, # boolean

5343

"floatValue": 3.14, # float

5344

"dayOfWeekValue": "A String", # day of week

5345

},

5346

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

5347

# Note that for the purposes of inspection or transformation, the number

5348

# of bytes considered to comprise a 'Value' is based on its representation

5349

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5350

# 123456789, the number of bytes would be counted as 9, even though an

5351

# int64 only holds up to 8 bytes of data.

5352

"timestampValue": "A String", # timestamp

5353

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5354

# and time zone are either specified elsewhere or are not significant. The date

5355

# is relative to the Proleptic Gregorian Calendar. This can represent:

5356

#

5357

# * A full date, with non-zero year, month and day values

5358

# * A month and day value, with a zero year, e.g. an anniversary

5359

# * A year on its own, with zero month and day values

5360

# * A year and month value, with a zero day, e.g. a credit card expiration date

5361

#

5362

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5363

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5364

# a year.

5365

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5366

# month and day.

5367

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5368

# if specifying a year by itself or a year and month where the day is not

5369

# significant.

5370

},

5371

"stringValue": "A String", # string

5372

"integerValue": "A String", # integer

5373

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5374

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5375

# types are google.type.Date and `google.protobuf.Timestamp`.

5376

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5377

# to allow the value "24:00:00" for scenarios like business closing time.

5378

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5379

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5380

# allow the value 60 if it allows leap-seconds.

5381

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5382

},

5383

"booleanValue": True or False, # boolean

5384

"floatValue": 3.14, # float

5385

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5390

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

5391

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

5392

# output would be 'My phone number is '.

5393

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5394

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

5395

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

5396

# Note that for the purposes of inspection or transformation, the number

5397

# of bytes considered to comprise a 'Value' is based on its representation

5398

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5399

# 123456789, the number of bytes would be counted as 9, even though an

5400

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5401

"timestampValue": "A String", # timestamp

5402

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5403

# and time zone are either specified elsewhere or are not significant. The date

5404

# is relative to the Proleptic Gregorian Calendar. This can represent:

5405

#

5406

# * A full date, with non-zero year, month and day values

5407

# * A month and day value, with a zero year, e.g. an anniversary

5408

# * A year on its own, with zero month and day values

5409

# * A year and month value, with a zero day, e.g. a credit card expiration date

5410

#

5411

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5412

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5413

# a year.

5414

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5415

# month and day.

5416

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5417

# if specifying a year by itself or a year and month where the day is not

5418

# significant.

5419

},

5420

"stringValue": "A String", # string

5421

"integerValue": "A String", # integer

5422

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5423

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5424

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5425

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5426

# to allow the value "24:00:00" for scenarios like business closing time.

5427

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5428

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5429

# allow the value 60 if it allows leap-seconds.

5430

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5431

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5432

"booleanValue": True or False, # boolean

5433

"floatValue": 3.14, # float

5434

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5435

},

5436

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5437

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

5438

# Bucketing transformation can provide all of this functionality,

5439

# but requires more configuration. This message is provided as a convenience to

5440

# the user for simple bucketing strategies.

5441

#

5442

# The transformed value will be a hyphenated string of

5443

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

5444

# all values that are within this bucket will be replaced with "10-20".

5445

#

5446

# This can be used on data of type: double, long.

5447

#

5448

# If the bound Value type differs from the type of data

5449

# being transformed, we will first attempt converting the type of the data to

5450

# be transformed to match the type of the bound before comparing.

5451

#

5452

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5453

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

5454

# grouped together into a single bucket; for example if `upper_bound` = 89,

5455

# then all values greater than 89 are replaced with the value "89+".

5456

# Note that for the purposes of inspection or transformation, the number

5457

# of bytes considered to comprise a 'Value' is based on its representation

5458

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5459

# 123456789, the number of bytes would be counted as 9, even though an

5460

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5461

"timestampValue": "A String", # timestamp

5462

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5463

# and time zone are either specified elsewhere or are not significant. The date

5464

# is relative to the Proleptic Gregorian Calendar. This can represent:

5465

#

5466

# * A full date, with non-zero year, month and day values

5467

# * A month and day value, with a zero year, e.g. an anniversary

5468

# * A year on its own, with zero month and day values

5469

# * A year and month value, with a zero day, e.g. a credit card expiration date

5470

#

5471

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5472

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5473

# a year.

5474

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5475

# month and day.

5476

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5477

# if specifying a year by itself or a year and month where the day is not

5478

# significant.

5479

},

5480

"stringValue": "A String", # string

5481

"integerValue": "A String", # integer

5482

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5483

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5484

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5485

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5486

# to allow the value "24:00:00" for scenarios like business closing time.

5487

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5488

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5489

# allow the value 60 if it allows leap-seconds.

5490

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5491

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5492

"booleanValue": True or False, # boolean

5493

"floatValue": 3.14, # float

5494

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5495

},

5496

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

5497

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

5498

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

5499

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5500

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

5501

# grouped together into a single bucket; for example if `lower_bound` = 10,

5502

# then all values less than 10 are replaced with the value "-10".

5503

# Note that for the purposes of inspection or transformation, the number

5504

# of bytes considered to comprise a 'Value' is based on its representation

5505

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5506

# 123456789, the number of bytes would be counted as 9, even though an

5507

# int64 only holds up to 8 bytes of data.

5508

"timestampValue": "A String", # timestamp

5509

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5510

# and time zone are either specified elsewhere or are not significant. The date

5511

# is relative to the Proleptic Gregorian Calendar. This can represent:

5512

#

5513

# * A full date, with non-zero year, month and day values

5514

# * A month and day value, with a zero year, e.g. an anniversary

5515

# * A year on its own, with zero month and day values

5516

# * A year and month value, with a zero day, e.g. a credit card expiration date

5517

#

5518

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5519

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5520

# a year.

5521

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5522

# month and day.

5523

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5524

# if specifying a year by itself or a year and month where the day is not

5525

# significant.

5526

},

5527

"stringValue": "A String", # string

5528

"integerValue": "A String", # integer

5529

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5530

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5531

# types are google.type.Date and `google.protobuf.Timestamp`.

5532

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5533

# to allow the value "24:00:00" for scenarios like business closing time.

5534

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5535

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5536

# allow the value 60 if it allows leap-seconds.

5537

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5538

},

5539

"booleanValue": True or False, # boolean

5540

"floatValue": 3.14, # float

5541

"dayOfWeekValue": "A String", # day of week

5542

},

5543

},

5544

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

5545

# fixed character. Masking can start from the beginning or end of the string.

5546

# This can be used on data of any type (numbers, longs, and so on) and when

5547

# de-identifying structured data we'll attempt to preserve the original data's

5548

# type. (This allows you to take a long like 123 and modify it to a string like

5549

# **3.

5550

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

5551

# characters. For example, if the input string is `555-555-5555` and you

5552

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

5553

# returns `***-**5-5555`.

5554

{ # Characters to skip when doing deidentification of a value. These will be left

5555

# alone and skipped.

5556

"charactersToSkip": "A String", # Characters to not transform when masking.

5557

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

5562

# masked. Skipped characters do not count towards this tally.

5563

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

5564

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

5565

# code or credit card number. This string must have a length of 1. If not

5566

# supplied, this value defaults to `*` for strings, and `0` for digits.

5567

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

5568

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

5569

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

5570

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

5571

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5572

},

5573

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5574

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

5575

# this transformation to apply to all findings that correspond to

5576

# infoTypes that were requested in `InspectConfig`.

5577

{ # Type of information detected by the API.

5578

"name": "A String", # Name of the information type. Either a name of your choosing when

5579

# creating a CustomInfoType, or one of the names listed

5580

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5581

# a built-in type. InfoType names should conform to the pattern

5582

# `[a-zA-Z0-9_]{1,64}`.

5583

},

5584

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

5589

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

5590

# portion of the value.

5591

"partToExtract": "A String", # The part of the time to keep.

5592

},

5593

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

5594

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

5595

# to learn more.

5596

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

5597

# If set, must also set cryptoKey. If set, shift will be consistent for the

5598

# given context.

5599

"name": "A String", # Name describing the field.

5600

},

5601

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

5602

# range (inclusive ends). Negative means shift to earlier in time. Must not

5603

# be more than 365250 days (1000 years) each direction.

5604

#

5605

# For example, 3 means shift date to at most 3 days into the future.

5606

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

5607

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

5608

# results in the same shift for the same context and crypto_key. If

5609

# set, must also set context. Can only be applied to table items.

5610

# a key encryption key (KEK) stored by KMS).

5611

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5612

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5613

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5614

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5615

# leaking the key. Choose another type of key if possible.

5616

"key": "A String", # Required. A 128/192/256 bit key.

5617

},

5618

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5619

# It will be discarded after the request finishes.

5620

"name": "A String", # Required. Name of the key.

5621

# This is an arbitrary string used to differentiate different keys.

5622

# A unique key is generated per name: two separate `TransientCryptoKey`

5623

# protos share the same generated key if their names are the same.

5624

# When the data crypto key is generated, this name is not used in any way

5625

# (repeating the api call will result in a different key being generated).

5626

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5627

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5628

# The wrapped key must be a 128/192/256 bit key.

5629

# Authorization requires the following IAM permissions when sending a request

5630

# to perform a crypto transformation using a kms-wrapped crypto key:

5631

# dlp.kms.encrypt

5632

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5633

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5634

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5635

},

5636

},

5637

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

5638

},

5639

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

5640

# Uses SHA-256.

5641

# The key size must be either 32 or 64 bytes.

5642

# Outputs a base64 encoded representation of the hashed output

5643

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

5644

# Currently, only string and integer values can be hashed.

5645

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

5646

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

5647

# a key encryption key (KEK) stored by KMS).

5648

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5649

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5650

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5651

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5652

# leaking the key. Choose another type of key if possible.

5653

"key": "A String", # Required. A 128/192/256 bit key.

5654

},

5655

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5656

# It will be discarded after the request finishes.

5657

"name": "A String", # Required. Name of the key.

5658

# This is an arbitrary string used to differentiate different keys.

5659

# A unique key is generated per name: two separate `TransientCryptoKey`

5660

# protos share the same generated key if their names are the same.

5661

# When the data crypto key is generated, this name is not used in any way

5662

# (repeating the api call will result in a different key being generated).

5663

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5664

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5665

# The wrapped key must be a 128/192/256 bit key.

5666

# Authorization requires the following IAM permissions when sending a request

5667

# to perform a crypto transformation using a kms-wrapped crypto key:

5668

# dlp.kms.encrypt

5669

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5670

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5671

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5672

},

5673

},

5674

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

5675

# (FPE) with the FFX mode of operation; however when used in the

5676

# `ReidentifyContent` API method, it serves the opposite function by reversing

5677

# the surrogate back into the original identifier. The identifier must be

5678

# encoded as ASCII. For a given crypto key and context, the same identifier

5679

# will be replaced with the same surrogate. Identifiers must be at least two

5680

# characters long. In the case that the identifier is the empty string, it will

5681

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

5682

# more.

5683

#

5684

# Note: We recommend using CryptoDeterministicConfig for all use cases which

5685

# do not require preserving the input alphabet space and size, plus warrant

5686

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5687

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

5688

# This annotation will be applied to the surrogate by prefixing it with

5689

# the name of the custom infoType followed by the number of

5690

# characters comprising the surrogate. The following scheme defines the

5691

# format: info_type_name(surrogate_character_count):surrogate

5692

#

5693

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

5694

# the surrogate is 'abc', the full replacement value

5695

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5696

#

5697

# This annotation identifies the surrogate when inspecting content using the

5698

# custom infoType

5699

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

5700

# This facilitates reversal of the surrogate when it occurs in free text.

5701

#

5702

# In order for inspection to work properly, the name of this infoType must

5703

# not occur naturally anywhere in your data; otherwise, inspection may

5704

# find a surrogate that does not correspond to an actual identifier.

5705

# Therefore, choose your custom infoType name carefully after considering

5706

# what your data looks like. One way to select a name that has a high chance

5707

# of yielding reliable detection is to include one or more unicode characters

5708

# that are highly improbable to exist in your data.

5709

# For example, assuming your data is entered from a regular ASCII keyboard,

5710

# the symbol with the hex code point 29DD might be used like so:

5711

# ⧝MY_TOKEN_TYPE

5712

"name": "A String", # Name of the information type. Either a name of your choosing when

5713

# creating a CustomInfoType, or one of the names listed

5714

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5715

# a built-in type. InfoType names should conform to the pattern

5716

# `[a-zA-Z0-9_]{1,64}`.

5717

},

5718

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

5719

# identifier in two different contexts won't be given the same surrogate. If

5720

# the context is not set, a default tweak will be used.

5721

#

5722

# If the context is set but:

5723

#

5724

# 1. there is no record present when transforming a given value or

5725

# 1. the field is not present when transforming a given value,

5726

#

5727

# a default tweak will be used.

5728

#

5729

# Note that case (1) is expected when an `InfoTypeTransformation` is

5730

# applied to both structured and non-structured `ContentItem`s.

5731

# Currently, the referenced field may be of value type integer or string.

5732

#

5733

# The tweak is constructed as a sequence of bytes in big endian byte order

5734

# such that:

5735

#

5736

# - a 64 bit integer is encoded followed by a single byte of value 1

5737

# - a string is encoded in UTF-8 format followed by a single byte of value 2

5738

"name": "A String", # Name describing the field.

5739

},

5740

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

5741

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

5742

# a key encryption key (KEK) stored by KMS).

5743

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5744

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5745

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5746

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5747

# leaking the key. Choose another type of key if possible.

5748

"key": "A String", # Required. A 128/192/256 bit key.

5749

},

5750

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5751

# It will be discarded after the request finishes.

5752

"name": "A String", # Required. Name of the key.

5753

# This is an arbitrary string used to differentiate different keys.

5754

# A unique key is generated per name: two separate `TransientCryptoKey`

5755

# protos share the same generated key if their names are the same.

5756

# When the data crypto key is generated, this name is not used in any way

5757

# (repeating the api call will result in a different key being generated).

5758

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5759

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5760

# The wrapped key must be a 128/192/256 bit key.

5761

# Authorization requires the following IAM permissions when sending a request

5762

# to perform a crypto transformation using a kms-wrapped crypto key:

5763

# dlp.kms.encrypt

5764

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5765

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5766

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5767

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5768

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

5769

# that the FFX mode natively supports. This happens before/after

5770

# encryption/decryption.

5771

# Each character listed must appear only once.

5772

# Number of characters must be in the range [2, 95].

5773

# This must be encoded as ASCII.

5774

# The order of characters does not matter.

5775

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5776

},

5777

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

5778

# input. Outputs a base64 encoded representation of the encrypted output.

5779

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

5780

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

5781

# This annotation will be applied to the surrogate by prefixing it with

5782

# the name of the custom info type followed by the number of

5783

# characters comprising the surrogate. The following scheme defines the

5784

# format: {info type name}({surrogate character count}):{surrogate}

5785

#

5786

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

5787

# the surrogate is 'abc', the full replacement value

5788

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

5789

#

5790

# This annotation identifies the surrogate when inspecting content using the

5791

# custom info type 'Surrogate'. This facilitates reversal of the

5792

# surrogate when it occurs in free text.

5793

#

5794

# Note: For record transformations where the entire cell in a table is being

5795

# transformed, surrogates are not mandatory. Surrogates are used to denote

5796

# the location of the token and are necessary for re-identification in free

5797

# form text.

5798

#

5799

# In order for inspection to work properly, the name of this info type must

5800

# not occur naturally anywhere in your data; otherwise, inspection may either

5801

#

5802

# - reverse a surrogate that does not correspond to an actual identifier

5803

# - be unable to parse the surrogate and result in an error

5804

#

5805

# Therefore, choose your custom info type name carefully after considering

5806

# what your data looks like. One way to select a name that has a high chance

5807

# of yielding reliable detection is to include one or more unicode characters

5808

# that are highly improbable to exist in your data.

5809

# For example, assuming your data is entered from a regular ASCII keyboard,

5810

# the symbol with the hex code point 29DD might be used like so:

5811

# ⧝MY_TOKEN_TYPE.

5812

"name": "A String", # Name of the information type. Either a name of your choosing when

5813

# creating a CustomInfoType, or one of the names listed

5814

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

5815

# a built-in type. InfoType names should conform to the pattern

5816

# `[a-zA-Z0-9_]{1,64}`.

5817

},

5818

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

5819

# referential integrity such that the same identifier in two different

5820

# contexts will be given a distinct surrogate. The context is appended to

5821

# plaintext value being encrypted. On decryption the provided context is

5822

# validated against the value used during encryption. If a context was

5823

# provided during encryption, same context must be provided during decryption

5824

# as well.

5825

#

5826

# If the context is not set, plaintext would be used as is for encryption.

5827

# If the context is set but:

5828

#

5829

# 1. there is no record present when transforming a given value or

5830

# 2. the field is not present when transforming a given value,

5831

#

5832

# plaintext would be used as is for encryption.

5833

#

5834

# Note that case (1) is expected when an `InfoTypeTransformation` is

5835

# applied to both structured and non-structured `ContentItem`s.

5836

"name": "A String", # Name describing the field.

5837

},

5838

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

5839

# a key encryption key (KEK) stored by KMS).

5840

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

5841

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

5842

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5843

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

5844

# leaking the key. Choose another type of key if possible.

5845

"key": "A String", # Required. A 128/192/256 bit key.

5846

},

5847

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

5848

# It will be discarded after the request finishes.

5849

"name": "A String", # Required. Name of the key.

5850

# This is an arbitrary string used to differentiate different keys.

5851

# A unique key is generated per name: two separate `TransientCryptoKey`

5852

# protos share the same generated key if their names are the same.

5853

# When the data crypto key is generated, this name is not used in any way

5854

# (repeating the api call will result in a different key being generated).

5855

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5856

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

5857

# The wrapped key must be a 128/192/256 bit key.

5858

# Authorization requires the following IAM permissions when sending a request

5859

# to perform a crypto transformation using a kms-wrapped crypto key:

5860

# dlp.kms.encrypt

5861

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

5862

"wrappedKey": "A String", # Required. The wrapped data crypto key.

5863

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5864

},

5865

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5866

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

5867

# replacement values are dynamically provided by the user for custom behavior,

5868

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

5869

# This can be used on

5870

# data of type: number, long, string, timestamp.

5871

# If the bound `Value` type differs from the type of data being transformed, we

5872

# will first attempt converting the type of the data to be transformed to match

5873

# the type of the bound before comparing.

5874

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

5875

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

5876

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5877

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

5878

# the default behavior will be to hyphenate the min-max range.

5879

# Note that for the purposes of inspection or transformation, the number

5880

# of bytes considered to comprise a 'Value' is based on its representation

5881

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5882

# 123456789, the number of bytes would be counted as 9, even though an

5883

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5884

"timestampValue": "A String", # timestamp

5885

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5886

# and time zone are either specified elsewhere or are not significant. The date

5887

# is relative to the Proleptic Gregorian Calendar. This can represent:

5888

#

5889

# * A full date, with non-zero year, month and day values

5890

# * A month and day value, with a zero year, e.g. an anniversary

5891

# * A year on its own, with zero month and day values

5892

# * A year and month value, with a zero day, e.g. a credit card expiration date

5893

#

5894

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5895

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5896

# a year.

5897

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5898

# month and day.

5899

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5900

# if specifying a year by itself or a year and month where the day is not

5901

# significant.

5902

},

5903

"stringValue": "A String", # string

5904

"integerValue": "A String", # integer

5905

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5906

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5907

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5908

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5909

# to allow the value "24:00:00" for scenarios like business closing time.

5910

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5911

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5912

# allow the value 60 if it allows leap-seconds.

5913

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

5914

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

5915

"booleanValue": True or False, # boolean

5916

"floatValue": 3.14, # float

5917

"dayOfWeekValue": "A String", # day of week

5918

},

5919

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

5920

# used.

5921

# Note that for the purposes of inspection or transformation, the number

5922

# of bytes considered to comprise a 'Value' is based on its representation

5923

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5924

# 123456789, the number of bytes would be counted as 9, even though an

5925

# int64 only holds up to 8 bytes of data.

5926

"timestampValue": "A String", # timestamp

5927

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5928

# and time zone are either specified elsewhere or are not significant. The date

5929

# is relative to the Proleptic Gregorian Calendar. This can represent:

5930

#

5931

# * A full date, with non-zero year, month and day values

5932

# * A month and day value, with a zero year, e.g. an anniversary

5933

# * A year on its own, with zero month and day values

5934

# * A year and month value, with a zero day, e.g. a credit card expiration date

5935

#

5936

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5937

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5938

# a year.

5939

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5940

# month and day.

5941

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5942

# if specifying a year by itself or a year and month where the day is not

5943

# significant.

5944

},

5945

"stringValue": "A String", # string

5946

"integerValue": "A String", # integer

5947

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5948

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5949

# types are google.type.Date and `google.protobuf.Timestamp`.

5950

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5951

# to allow the value "24:00:00" for scenarios like business closing time.

5952

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5953

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5954

# allow the value 60 if it allows leap-seconds.

5955

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5956

},

5957

"booleanValue": True or False, # boolean

5958

"floatValue": 3.14, # float

5959

"dayOfWeekValue": "A String", # day of week

5960

},

5961

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

5962

# Note that for the purposes of inspection or transformation, the number

5963

# of bytes considered to comprise a 'Value' is based on its representation

5964

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

5965

# 123456789, the number of bytes would be counted as 9, even though an

5966

# int64 only holds up to 8 bytes of data.

5967

"timestampValue": "A String", # timestamp

5968

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

5969

# and time zone are either specified elsewhere or are not significant. The date

5970

# is relative to the Proleptic Gregorian Calendar. This can represent:

5971

#

5972

# * A full date, with non-zero year, month and day values

5973

# * A month and day value, with a zero year, e.g. an anniversary

5974

# * A year on its own, with zero month and day values

5975

# * A year and month value, with a zero day, e.g. a credit card expiration date

5976

#

5977

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

5978

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

5979

# a year.

5980

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

5981

# month and day.

5982

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

5983

# if specifying a year by itself or a year and month where the day is not

5984

# significant.

5985

},

5986

"stringValue": "A String", # string

5987

"integerValue": "A String", # integer

5988

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

5989

# or are specified elsewhere. An API may choose to allow leap seconds. Related

5990

# types are google.type.Date and `google.protobuf.Timestamp`.

5991

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

5992

# to allow the value "24:00:00" for scenarios like business closing time.

5993

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

5994

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

5995

# allow the value 60 if it allows leap-seconds.

5996

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

5997

},

5998

"booleanValue": True or False, # boolean

5999

"floatValue": 3.14, # float

6000

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6005

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6006

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6007

# output would be 'My phone number is '.

6008

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6009

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6010

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6011

# Note that for the purposes of inspection or transformation, the number

6012

# of bytes considered to comprise a 'Value' is based on its representation

6013

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6014

# 123456789, the number of bytes would be counted as 9, even though an

6015

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6016

"timestampValue": "A String", # timestamp

6017

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6018

# and time zone are either specified elsewhere or are not significant. The date

6019

# is relative to the Proleptic Gregorian Calendar. This can represent:

6020

#

6021

# * A full date, with non-zero year, month and day values

6022

# * A month and day value, with a zero year, e.g. an anniversary

6023

# * A year on its own, with zero month and day values

6024

# * A year and month value, with a zero day, e.g. a credit card expiration date

6025

#

6026

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6027

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6028

# a year.

6029

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6030

# month and day.

6031

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6032

# if specifying a year by itself or a year and month where the day is not

6033

# significant.

6034

},

6035

"stringValue": "A String", # string

6036

"integerValue": "A String", # integer

6037

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6038

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6039

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6040

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6041

# to allow the value "24:00:00" for scenarios like business closing time.

6042

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6043

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6044

# allow the value 60 if it allows leap-seconds.

6045

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6046

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6047

"booleanValue": True or False, # boolean

6048

"floatValue": 3.14, # float

6049

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6050

},

6051

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6052

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6053

# Bucketing transformation can provide all of this functionality,

6054

# but requires more configuration. This message is provided as a convenience to

6055

# the user for simple bucketing strategies.

6056

#

6057

# The transformed value will be a hyphenated string of

6058

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6059

# all values that are within this bucket will be replaced with "10-20".

6060

#

6061

# This can be used on data of type: double, long.

6062

#

6063

# If the bound Value type differs from the type of data

6064

# being transformed, we will first attempt converting the type of the data to

6065

# be transformed to match the type of the bound before comparing.

6066

#

6067

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6068

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

6069

# grouped together into a single bucket; for example if `upper_bound` = 89,

6070

# then all values greater than 89 are replaced with the value "89+".

6071

# Note that for the purposes of inspection or transformation, the number

6072

# of bytes considered to comprise a 'Value' is based on its representation

6073

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6074

# 123456789, the number of bytes would be counted as 9, even though an

6075

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6076

"timestampValue": "A String", # timestamp

6077

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6078

# and time zone are either specified elsewhere or are not significant. The date

6079

# is relative to the Proleptic Gregorian Calendar. This can represent:

6080

#

6081

# * A full date, with non-zero year, month and day values

6082

# * A month and day value, with a zero year, e.g. an anniversary

6083

# * A year on its own, with zero month and day values

6084

# * A year and month value, with a zero day, e.g. a credit card expiration date

6085

#

6086

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6087

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6088

# a year.

6089

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6090

# month and day.

6091

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6092

# if specifying a year by itself or a year and month where the day is not

6093

# significant.

6094

},

6095

"stringValue": "A String", # string

6096

"integerValue": "A String", # integer

6097

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6098

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6099

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6100

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6101

# to allow the value "24:00:00" for scenarios like business closing time.

6102

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6103

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6104

# allow the value 60 if it allows leap-seconds.

6105

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6106

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6107

"booleanValue": True or False, # boolean

6108

"floatValue": 3.14, # float

6109

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6110

},

6111

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

6112

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

6113

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

6114

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6115

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6116

# grouped together into a single bucket; for example if `lower_bound` = 10,

6117

# then all values less than 10 are replaced with the value "-10".

6118

# Note that for the purposes of inspection or transformation, the number

6119

# of bytes considered to comprise a 'Value' is based on its representation

6120

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6121

# 123456789, the number of bytes would be counted as 9, even though an

6122

# int64 only holds up to 8 bytes of data.

6123

"timestampValue": "A String", # timestamp

6124

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6125

# and time zone are either specified elsewhere or are not significant. The date

6126

# is relative to the Proleptic Gregorian Calendar. This can represent:

6127

#

6128

# * A full date, with non-zero year, month and day values

6129

# * A month and day value, with a zero year, e.g. an anniversary

6130

# * A year on its own, with zero month and day values

6131

# * A year and month value, with a zero day, e.g. a credit card expiration date

6132

#

6133

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6134

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6135

# a year.

6136

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6137

# month and day.

6138

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6139

# if specifying a year by itself or a year and month where the day is not

6140

# significant.

6141

},

6142

"stringValue": "A String", # string

6143

"integerValue": "A String", # integer

6144

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6145

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6146

# types are google.type.Date and `google.protobuf.Timestamp`.

6147

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6148

# to allow the value "24:00:00" for scenarios like business closing time.

6149

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6150

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6151

# allow the value 60 if it allows leap-seconds.

6152

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6153

},

6154

"booleanValue": True or False, # boolean

6155

"floatValue": 3.14, # float

6156

"dayOfWeekValue": "A String", # day of week

6157

},

6158

},

6159

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6160

# fixed character. Masking can start from the beginning or end of the string.

6161

# This can be used on data of any type (numbers, longs, and so on) and when

6162

# de-identifying structured data we'll attempt to preserve the original data's

6163

# type. (This allows you to take a long like 123 and modify it to a string like

6164

# **3.

6165

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

6166

# characters. For example, if the input string is `555-555-5555` and you

6167

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

6168

# returns `***-**5-5555`.

6169

{ # Characters to skip when doing deidentification of a value. These will be left

6170

# alone and skipped.

6171

"charactersToSkip": "A String", # Characters to not transform when masking.

6172

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

6177

# masked. Skipped characters do not count towards this tally.

6178

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

6179

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

6180

# code or credit card number. This string must have a length of 1. If not

6181

# supplied, this value defaults to `*` for strings, and `0` for digits.

6182

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

6183

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

6184

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

6185

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

6186

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6187

},

6188

},

6189

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

6190

# given `RecordCondition`. The conditions are allowed to reference fields

6191

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

6196

# column for the same record is within a specific range.

6197

# - Redact a field if the date of birth field is greater than 85.

6198

# a field.

6199

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

6200

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

6201

# only supported value is `AND`.

6202

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

6203

"conditions": [ # A collection of conditions.

6204

{ # The field type of `value` and `field` do not need to match to be

6205

# considered equal, but not all comparisons are possible.

6206

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

6207

# but all other comparisons are invalid with incompatible types.

6208

# A `value` of type:

6209

#

6210

# - `string` can be compared against all other types

6211

# - `boolean` can only be compared against other booleans

6212

# - `integer` can be compared against doubles or a string if the string value

6213

# can be parsed as an integer.

6214

# - `double` can be compared against integers or a string if the string can

6215

# be parsed as a double.

6216

# - `Timestamp` can be compared against strings in RFC 3339 date string

6217

# format.

6218

# - `TimeOfDay` can be compared against timestamps and strings in the format

6219

# of 'HH:mm:ss'.

6220

#

6221

# If we fail to compare do to type mismatch, a warning will be given and

6222

# the condition will evaluate to false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6223

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

6224

# Note that for the purposes of inspection or transformation, the number

6225

# of bytes considered to comprise a 'Value' is based on its representation

6226

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6227

# 123456789, the number of bytes would be counted as 9, even though an

6228

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6229

"timestampValue": "A String", # timestamp

6230

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6231

# and time zone are either specified elsewhere or are not significant. The date

6232

# is relative to the Proleptic Gregorian Calendar. This can represent:

6233

#

6234

# * A full date, with non-zero year, month and day values

6235

# * A month and day value, with a zero year, e.g. an anniversary

6236

# * A year on its own, with zero month and day values

6237

# * A year and month value, with a zero day, e.g. a credit card expiration date

6238

#

6239

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6240

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6241

# a year.

6242

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6243

# month and day.

6244

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6245

# if specifying a year by itself or a year and month where the day is not

6246

# significant.

6247

},

6248

"stringValue": "A String", # string

6249

"integerValue": "A String", # integer

6250

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6251

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6252

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6253

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6254

# to allow the value "24:00:00" for scenarios like business closing time.

6255

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6256

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6257

# allow the value 60 if it allows leap-seconds.

6258

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6259

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6260

"booleanValue": True or False, # boolean

6261

"floatValue": 3.14, # float

6262

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6263

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6264

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

6265

"name": "A String", # Name describing the field.

6266

},

6267

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

},

},

},

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6275

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

6276

# match any suppression rule are omitted from the output.

6277

{ # Configuration to suppress records whose suppression conditions evaluate to

6278

# true.

6279

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

6280

# evaluated to be suppressed from the transformed content.

6281

# a field.

6282

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

6283

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

6284

# only supported value is `AND`.

6285

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

6286

"conditions": [ # A collection of conditions.

6287

{ # The field type of `value` and `field` do not need to match to be

6288

# considered equal, but not all comparisons are possible.

6289

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

6290

# but all other comparisons are invalid with incompatible types.

6291

# A `value` of type:

6292

#

6293

# - `string` can be compared against all other types

6294

# - `boolean` can only be compared against other booleans

6295

# - `integer` can be compared against doubles or a string if the string value

6296

# can be parsed as an integer.

6297

# - `double` can be compared against integers or a string if the string can

6298

# be parsed as a double.

6299

# - `Timestamp` can be compared against strings in RFC 3339 date string

6300

# format.

6301

# - `TimeOfDay` can be compared against timestamps and strings in the format

6302

# of 'HH:mm:ss'.

6303

#

6304

# If we fail to compare do to type mismatch, a warning will be given and

6305

# the condition will evaluate to false.

6306

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

6307

# Note that for the purposes of inspection or transformation, the number

6308

# of bytes considered to comprise a 'Value' is based on its representation

6309

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6310

# 123456789, the number of bytes would be counted as 9, even though an

6311

# int64 only holds up to 8 bytes of data.

6312

"timestampValue": "A String", # timestamp

6313

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6314

# and time zone are either specified elsewhere or are not significant. The date

6315

# is relative to the Proleptic Gregorian Calendar. This can represent:

6316

#

6317

# * A full date, with non-zero year, month and day values

6318

# * A month and day value, with a zero year, e.g. an anniversary

6319

# * A year on its own, with zero month and day values

6320

# * A year and month value, with a zero day, e.g. a credit card expiration date

6321

#

6322

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6323

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6324

# a year.

6325

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6326

# month and day.

6327

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6328

# if specifying a year by itself or a year and month where the day is not

6329

# significant.

6330

},

6331

"stringValue": "A String", # string

6332

"integerValue": "A String", # integer

6333

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6334

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6335

# types are google.type.Date and `google.protobuf.Timestamp`.

6336

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6337

# to allow the value "24:00:00" for scenarios like business closing time.

6338

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6339

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6340

# allow the value 60 if it allows leap-seconds.

6341

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6342

},

6343

"booleanValue": True or False, # boolean

6344

"floatValue": 3.14, # float

6345

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6346

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6347

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

6348

"name": "A String", # Name describing the field.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6349

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6350

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6351

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6352

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6353

},

6354

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

},

}</pre>

</div>

Bu Sun Kim

2020-05-27 12:20:54 -0700

[diff] [blame]

6364

<code class="details" id="list">list(parent, locationId, pageSize=None, orderBy=None, pageToken=None, x__xgafv=None)</code>

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6365

<pre>Lists DeidentifyTemplates.

6366

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

more.

Args:

parent: string, Required. The parent resource name, for example projects/my-project-id or

6371

organizations/my-org-id. (required)

6372

locationId: string, The geographic location where deidentifications templates will be retrieved

6373

from. Use `-` for all locations. Reserved for future extensions. (required)

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6374

pageSize: integer, Size of the page, can be limited by server. If zero server returns

6375

a page of max size 100.

6376

orderBy: string, Comma separated list of fields to order by,

6377

followed by `asc` or `desc` postfix. This list is case-insensitive,

6378

default sorting order is ascending, redundant space characters are

6379

insignificant.

6380

6381

Example: `name asc,update_time, create_time desc`

6382

6383

Supported fields are:

6384

6385

- `create_time`: corresponds to time the template was created.

6386

- `update_time`: corresponds to time the template was last updated.

6387

- `name`: corresponds to template's name.

6388

- `display_name`: corresponds to template's display name.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6389

pageToken: string, Page token to continue retrieval. Comes from previous call

6390

to `ListDeidentifyTemplates`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

6391

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

6398

6399

{ # Response message for ListDeidentifyTemplates.

6400

"nextPageToken": "A String", # If the next page is available then the next page token to be used

6401

# in following ListDeidentifyTemplates request.

6402

"deidentifyTemplates": [ # List of deidentify templates, up to page_size in

6403

# ListDeidentifyTemplatesRequest.

6404

{ # DeidentifyTemplates contains instructions on how to de-identify content.

6405

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

6406

"name": "A String", # Output only. The template name.

6407

#

6408

# The template will have one of the following formats:

6409

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

6410

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

6411

"description": "A String", # Short description (max 256 chars).

6412

"displayName": "A String", # Display name (max 256 chars).

6413

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

6414

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

6415

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

6416

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

6417

# transformation everywhere.

6418

# apply various `PrimitiveTransformation`s to each finding, where the

6419

# transformation is applied to only values that were identified as a specific

6420

# info_type.

6421

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

6422

# for a given infoType.

6423

{ # A transformation to apply to text that is identified as a specific

6424

# info_type.

6425

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

6426

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

6427

# portion of the value.

6428

"partToExtract": "A String", # The part of the time to keep.

6429

},

6430

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

6431

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

6432

# to learn more.

6433

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

6434

# If set, must also set cryptoKey. If set, shift will be consistent for the

6435

# given context.

6436

"name": "A String", # Name describing the field.

6437

},

6438

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

6439

# range (inclusive ends). Negative means shift to earlier in time. Must not

6440

# be more than 365250 days (1000 years) each direction.

6441

#

6442

# For example, 3 means shift date to at most 3 days into the future.

6443

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

6444

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

6445

# results in the same shift for the same context and crypto_key. If

6446

# set, must also set context. Can only be applied to table items.

6447

# a key encryption key (KEK) stored by KMS).

6448

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6449

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6450

# unwrap the data crypto key.

6451

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6452

# leaking the key. Choose another type of key if possible.

6453

"key": "A String", # Required. A 128/192/256 bit key.

6454

},

6455

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6456

# It will be discarded after the request finishes.

6457

"name": "A String", # Required. Name of the key.

6458

# This is an arbitrary string used to differentiate different keys.

6459

# A unique key is generated per name: two separate `TransientCryptoKey`

6460

# protos share the same generated key if their names are the same.

6461

# When the data crypto key is generated, this name is not used in any way

6462

# (repeating the api call will result in a different key being generated).

6463

},

6464

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6465

# The wrapped key must be a 128/192/256 bit key.

6466

# Authorization requires the following IAM permissions when sending a request

6467

# to perform a crypto transformation using a kms-wrapped crypto key:

6468

# dlp.kms.encrypt

6469

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6470

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

6475

},

6476

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

6477

# Uses SHA-256.

6478

# The key size must be either 32 or 64 bytes.

6479

# Outputs a base64 encoded representation of the hashed output

6480

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

6481

# Currently, only string and integer values can be hashed.

6482

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

6483

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

6484

# a key encryption key (KEK) stored by KMS).

6485

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6486

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6487

# unwrap the data crypto key.

6488

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6489

# leaking the key. Choose another type of key if possible.

6490

"key": "A String", # Required. A 128/192/256 bit key.

6491

},

6492

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6493

# It will be discarded after the request finishes.

6494

"name": "A String", # Required. Name of the key.

6495

# This is an arbitrary string used to differentiate different keys.

6496

# A unique key is generated per name: two separate `TransientCryptoKey`

6497

# protos share the same generated key if their names are the same.

6498

# When the data crypto key is generated, this name is not used in any way

6499

# (repeating the api call will result in a different key being generated).

6500

},

6501

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6502

# The wrapped key must be a 128/192/256 bit key.

6503

# Authorization requires the following IAM permissions when sending a request

6504

# to perform a crypto transformation using a kms-wrapped crypto key:

6505

# dlp.kms.encrypt

6506

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6507

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

6512

# (FPE) with the FFX mode of operation; however when used in the

6513

# `ReidentifyContent` API method, it serves the opposite function by reversing

6514

# the surrogate back into the original identifier. The identifier must be

6515

# encoded as ASCII. For a given crypto key and context, the same identifier

6516

# will be replaced with the same surrogate. Identifiers must be at least two

6517

# characters long. In the case that the identifier is the empty string, it will

6518

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

6519

# more.

6520

#

6521

# Note: We recommend using CryptoDeterministicConfig for all use cases which

6522

# do not require preserving the input alphabet space and size, plus warrant

6523

# referential integrity.

6524

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

6525

# This annotation will be applied to the surrogate by prefixing it with

6526

# the name of the custom infoType followed by the number of

6527

# characters comprising the surrogate. The following scheme defines the

6528

# format: info_type_name(surrogate_character_count):surrogate

6529

#

6530

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

6531

# the surrogate is 'abc', the full replacement value

6532

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6533

#

6534

# This annotation identifies the surrogate when inspecting content using the

6535

# custom infoType

6536

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

6537

# This facilitates reversal of the surrogate when it occurs in free text.

6538

#

6539

# In order for inspection to work properly, the name of this infoType must

6540

# not occur naturally anywhere in your data; otherwise, inspection may

6541

# find a surrogate that does not correspond to an actual identifier.

6542

# Therefore, choose your custom infoType name carefully after considering

6543

# what your data looks like. One way to select a name that has a high chance

6544

# of yielding reliable detection is to include one or more unicode characters

6545

# that are highly improbable to exist in your data.

6546

# For example, assuming your data is entered from a regular ASCII keyboard,

6547

# the symbol with the hex code point 29DD might be used like so:

6548

# ⧝MY_TOKEN_TYPE

6549

"name": "A String", # Name of the information type. Either a name of your choosing when

6550

# creating a CustomInfoType, or one of the names listed

6551

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6552

# a built-in type. InfoType names should conform to the pattern

6553

# `[a-zA-Z0-9_]{1,64}`.

6554

},

6555

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

6556

# identifier in two different contexts won't be given the same surrogate. If

6557

# the context is not set, a default tweak will be used.

6558

#

6559

# If the context is set but:

6560

#

6561

# 1. there is no record present when transforming a given value or

6562

# 1. the field is not present when transforming a given value,

6563

#

6564

# a default tweak will be used.

6565

#

6566

# Note that case (1) is expected when an `InfoTypeTransformation` is

6567

# applied to both structured and non-structured `ContentItem`s.

6568

# Currently, the referenced field may be of value type integer or string.

6569

#

6570

# The tweak is constructed as a sequence of bytes in big endian byte order

6571

# such that:

6572

#

6573

# - a 64 bit integer is encoded followed by a single byte of value 1

6574

# - a string is encoded in UTF-8 format followed by a single byte of value 2

6575

"name": "A String", # Name describing the field.

6576

},

6577

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

6578

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

6579

# a key encryption key (KEK) stored by KMS).

6580

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6581

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6582

# unwrap the data crypto key.

6583

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6584

# leaking the key. Choose another type of key if possible.

6585

"key": "A String", # Required. A 128/192/256 bit key.

6586

},

6587

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6588

# It will be discarded after the request finishes.

6589

"name": "A String", # Required. Name of the key.

6590

# This is an arbitrary string used to differentiate different keys.

6591

# A unique key is generated per name: two separate `TransientCryptoKey`

6592

# protos share the same generated key if their names are the same.

6593

# When the data crypto key is generated, this name is not used in any way

6594

# (repeating the api call will result in a different key being generated).

6595

},

6596

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6597

# The wrapped key must be a 128/192/256 bit key.

6598

# Authorization requires the following IAM permissions when sending a request

6599

# to perform a crypto transformation using a kms-wrapped crypto key:

6600

# dlp.kms.encrypt

6601

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6602

"wrappedKey": "A String", # Required. The wrapped data crypto key.

6603

},

6604

},

6605

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

6606

# that the FFX mode natively supports. This happens before/after

6607

# encryption/decryption.

6608

# Each character listed must appear only once.

6609

# Number of characters must be in the range [2, 95].

6610

# This must be encoded as ASCII.

6611

# The order of characters does not matter.

6612

"commonAlphabet": "A String", # Common alphabets.

6613

},

6614

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

6615

# input. Outputs a base64 encoded representation of the encrypted output.

6616

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

6617

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

6618

# This annotation will be applied to the surrogate by prefixing it with

6619

# the name of the custom info type followed by the number of

6620

# characters comprising the surrogate. The following scheme defines the

6621

# format: {info type name}({surrogate character count}):{surrogate}

6622

#

6623

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

6624

# the surrogate is 'abc', the full replacement value

6625

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

6626

#

6627

# This annotation identifies the surrogate when inspecting content using the

6628

# custom info type 'Surrogate'. This facilitates reversal of the

6629

# surrogate when it occurs in free text.

6630

#

6631

# Note: For record transformations where the entire cell in a table is being

6632

# transformed, surrogates are not mandatory. Surrogates are used to denote

6633

# the location of the token and are necessary for re-identification in free

6634

# form text.

6635

#

6636

# In order for inspection to work properly, the name of this info type must

6637

# not occur naturally anywhere in your data; otherwise, inspection may either

6638

#

6639

# - reverse a surrogate that does not correspond to an actual identifier

6640

# - be unable to parse the surrogate and result in an error

6641

#

6642

# Therefore, choose your custom info type name carefully after considering

6643

# what your data looks like. One way to select a name that has a high chance

6644

# of yielding reliable detection is to include one or more unicode characters

6645

# that are highly improbable to exist in your data.

6646

# For example, assuming your data is entered from a regular ASCII keyboard,

6647

# the symbol with the hex code point 29DD might be used like so:

6648

# ⧝MY_TOKEN_TYPE.

6649

"name": "A String", # Name of the information type. Either a name of your choosing when

6650

# creating a CustomInfoType, or one of the names listed

6651

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

6652

# a built-in type. InfoType names should conform to the pattern

6653

# `[a-zA-Z0-9_]{1,64}`.

6654

},

6655

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

6656

# referential integrity such that the same identifier in two different

6657

# contexts will be given a distinct surrogate. The context is appended to

6658

# plaintext value being encrypted. On decryption the provided context is

6659

# validated against the value used during encryption. If a context was

6660

# provided during encryption, same context must be provided during decryption

6661

# as well.

6662

#

6663

# If the context is not set, plaintext would be used as is for encryption.

6664

# If the context is set but:

6665

#

6666

# 1. there is no record present when transforming a given value or

6667

# 2. the field is not present when transforming a given value,

6668

#

6669

# plaintext would be used as is for encryption.

6670

#

6671

# Note that case (1) is expected when an `InfoTypeTransformation` is

6672

# applied to both structured and non-structured `ContentItem`s.

6673

"name": "A String", # Name describing the field.

6674

},

6675

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

6676

# a key encryption key (KEK) stored by KMS).

6677

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

6678

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

6679

# unwrap the data crypto key.

6680

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

6681

# leaking the key. Choose another type of key if possible.

6682

"key": "A String", # Required. A 128/192/256 bit key.

6683

},

6684

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

6685

# It will be discarded after the request finishes.

6686

"name": "A String", # Required. Name of the key.

6687

# This is an arbitrary string used to differentiate different keys.

6688

# A unique key is generated per name: two separate `TransientCryptoKey`

6689

# protos share the same generated key if their names are the same.

6690

# When the data crypto key is generated, this name is not used in any way

6691

# (repeating the api call will result in a different key being generated).

6692

},

6693

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

6694

# The wrapped key must be a 128/192/256 bit key.

6695

# Authorization requires the following IAM permissions when sending a request

6696

# to perform a crypto transformation using a kms-wrapped crypto key:

6697

# dlp.kms.encrypt

6698

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

6699

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

6704

# replacement values are dynamically provided by the user for custom behavior,

6705

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

6706

# This can be used on

6707

# data of type: number, long, string, timestamp.

6708

# If the bound `Value` type differs from the type of data being transformed, we

6709

# will first attempt converting the type of the data to be transformed to match

6710

# the type of the bound before comparing.

6711

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6712

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

6713

{ # Bucket is represented as a range, along with replacement values.

6714

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

6715

# the default behavior will be to hyphenate the min-max range.

6716

# Note that for the purposes of inspection or transformation, the number

6717

# of bytes considered to comprise a 'Value' is based on its representation

6718

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6719

# 123456789, the number of bytes would be counted as 9, even though an

6720

# int64 only holds up to 8 bytes of data.

6721

"timestampValue": "A String", # timestamp

6722

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6723

# and time zone are either specified elsewhere or are not significant. The date

6724

# is relative to the Proleptic Gregorian Calendar. This can represent:

6725

#

6726

# * A full date, with non-zero year, month and day values

6727

# * A month and day value, with a zero year, e.g. an anniversary

6728

# * A year on its own, with zero month and day values

6729

# * A year and month value, with a zero day, e.g. a credit card expiration date

6730

#

6731

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6732

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6733

# a year.

6734

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6735

# month and day.

6736

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6737

# if specifying a year by itself or a year and month where the day is not

6738

# significant.

6739

},

6740

"stringValue": "A String", # string

6741

"integerValue": "A String", # integer

6742

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6743

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6744

# types are google.type.Date and `google.protobuf.Timestamp`.

6745

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6746

# to allow the value "24:00:00" for scenarios like business closing time.

6747

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6748

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6749

# allow the value 60 if it allows leap-seconds.

6750

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6751

},

6752

"booleanValue": True or False, # boolean

6753

"floatValue": 3.14, # float

6754

"dayOfWeekValue": "A String", # day of week

6755

},

6756

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

6757

# used.

6758

# Note that for the purposes of inspection or transformation, the number

6759

# of bytes considered to comprise a 'Value' is based on its representation

6760

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6761

# 123456789, the number of bytes would be counted as 9, even though an

6762

# int64 only holds up to 8 bytes of data.

6763

"timestampValue": "A String", # timestamp

6764

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6765

# and time zone are either specified elsewhere or are not significant. The date

6766

# is relative to the Proleptic Gregorian Calendar. This can represent:

6767

#

6768

# * A full date, with non-zero year, month and day values

6769

# * A month and day value, with a zero year, e.g. an anniversary

6770

# * A year on its own, with zero month and day values

6771

# * A year and month value, with a zero day, e.g. a credit card expiration date

6772

#

6773

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6774

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6775

# a year.

6776

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6777

# month and day.

6778

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6779

# if specifying a year by itself or a year and month where the day is not

6780

# significant.

6781

},

6782

"stringValue": "A String", # string

6783

"integerValue": "A String", # integer

6784

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6785

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6786

# types are google.type.Date and `google.protobuf.Timestamp`.

6787

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6788

# to allow the value "24:00:00" for scenarios like business closing time.

6789

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6790

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6791

# allow the value 60 if it allows leap-seconds.

6792

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6793

},

6794

"booleanValue": True or False, # boolean

6795

"floatValue": 3.14, # float

6796

"dayOfWeekValue": "A String", # day of week

6797

},

6798

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

6799

# Note that for the purposes of inspection or transformation, the number

6800

# of bytes considered to comprise a 'Value' is based on its representation

6801

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6802

# 123456789, the number of bytes would be counted as 9, even though an

6803

# int64 only holds up to 8 bytes of data.

6804

"timestampValue": "A String", # timestamp

6805

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6806

# and time zone are either specified elsewhere or are not significant. The date

6807

# is relative to the Proleptic Gregorian Calendar. This can represent:

6808

#

6809

# * A full date, with non-zero year, month and day values

6810

# * A month and day value, with a zero year, e.g. an anniversary

6811

# * A year on its own, with zero month and day values

6812

# * A year and month value, with a zero day, e.g. a credit card expiration date

6813

#

6814

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6815

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6816

# a year.

6817

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6818

# month and day.

6819

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6820

# if specifying a year by itself or a year and month where the day is not

6821

# significant.

6822

},

6823

"stringValue": "A String", # string

6824

"integerValue": "A String", # integer

6825

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6826

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6827

# types are google.type.Date and `google.protobuf.Timestamp`.

6828

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6829

# to allow the value "24:00:00" for scenarios like business closing time.

6830

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6831

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6832

# allow the value 60 if it allows leap-seconds.

6833

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6834

},

6835

"booleanValue": True or False, # boolean

6836

"floatValue": 3.14, # float

6837

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

6843

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

6844

# output would be 'My phone number is '.

6845

},

6846

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

6847

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

6848

# Note that for the purposes of inspection or transformation, the number

6849

# of bytes considered to comprise a 'Value' is based on its representation

6850

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6851

# 123456789, the number of bytes would be counted as 9, even though an

6852

# int64 only holds up to 8 bytes of data.

6853

"timestampValue": "A String", # timestamp

6854

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6855

# and time zone are either specified elsewhere or are not significant. The date

6856

# is relative to the Proleptic Gregorian Calendar. This can represent:

6857

#

6858

# * A full date, with non-zero year, month and day values

6859

# * A month and day value, with a zero year, e.g. an anniversary

6860

# * A year on its own, with zero month and day values

6861

# * A year and month value, with a zero day, e.g. a credit card expiration date

6862

#

6863

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6864

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6865

# a year.

6866

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6867

# month and day.

6868

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6869

# if specifying a year by itself or a year and month where the day is not

6870

# significant.

6871

},

6872

"stringValue": "A String", # string

6873

"integerValue": "A String", # integer

6874

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6875

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6876

# types are google.type.Date and `google.protobuf.Timestamp`.

6877

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6878

# to allow the value "24:00:00" for scenarios like business closing time.

6879

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6880

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6881

# allow the value 60 if it allows leap-seconds.

6882

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6883

},

6884

"booleanValue": True or False, # boolean

6885

"floatValue": 3.14, # float

6886

"dayOfWeekValue": "A String", # day of week

6887

},

6888

},

6889

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

6890

# Bucketing transformation can provide all of this functionality,

6891

# but requires more configuration. This message is provided as a convenience to

6892

# the user for simple bucketing strategies.

6893

#

6894

# The transformed value will be a hyphenated string of

6895

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

6896

# all values that are within this bucket will be replaced with "10-20".

6897

#

6898

# This can be used on data of type: double, long.

6899

#

6900

# If the bound Value type differs from the type of data

6901

# being transformed, we will first attempt converting the type of the data to

6902

# be transformed to match the type of the bound before comparing.

6903

#

6904

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

6905

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

6906

# grouped together into a single bucket; for example if `upper_bound` = 89,

6907

# then all values greater than 89 are replaced with the value "89+".

6908

# Note that for the purposes of inspection or transformation, the number

6909

# of bytes considered to comprise a 'Value' is based on its representation

6910

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6911

# 123456789, the number of bytes would be counted as 9, even though an

6912

# int64 only holds up to 8 bytes of data.

6913

"timestampValue": "A String", # timestamp

6914

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6915

# and time zone are either specified elsewhere or are not significant. The date

6916

# is relative to the Proleptic Gregorian Calendar. This can represent:

6917

#

6918

# * A full date, with non-zero year, month and day values

6919

# * A month and day value, with a zero year, e.g. an anniversary

6920

# * A year on its own, with zero month and day values

6921

# * A year and month value, with a zero day, e.g. a credit card expiration date

6922

#

6923

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6924

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6925

# a year.

6926

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6927

# month and day.

6928

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6929

# if specifying a year by itself or a year and month where the day is not

6930

# significant.

6931

},

6932

"stringValue": "A String", # string

6933

"integerValue": "A String", # integer

6934

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6935

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6936

# types are google.type.Date and `google.protobuf.Timestamp`.

6937

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6938

# to allow the value "24:00:00" for scenarios like business closing time.

6939

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6940

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6941

# allow the value 60 if it allows leap-seconds.

6942

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6943

},

6944

"booleanValue": True or False, # boolean

6945

"floatValue": 3.14, # float

6946

"dayOfWeekValue": "A String", # day of week

6947

},

6948

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

6949

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

6950

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

6951

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

6952

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

6953

# grouped together into a single bucket; for example if `lower_bound` = 10,

6954

# then all values less than 10 are replaced with the value "-10".

6955

# Note that for the purposes of inspection or transformation, the number

6956

# of bytes considered to comprise a 'Value' is based on its representation

6957

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

6958

# 123456789, the number of bytes would be counted as 9, even though an

6959

# int64 only holds up to 8 bytes of data.

6960

"timestampValue": "A String", # timestamp

6961

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

6962

# and time zone are either specified elsewhere or are not significant. The date

6963

# is relative to the Proleptic Gregorian Calendar. This can represent:

6964

#

6965

# * A full date, with non-zero year, month and day values

6966

# * A month and day value, with a zero year, e.g. an anniversary

6967

# * A year on its own, with zero month and day values

6968

# * A year and month value, with a zero day, e.g. a credit card expiration date

6969

#

6970

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

6971

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

6972

# a year.

6973

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

6974

# month and day.

6975

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

6976

# if specifying a year by itself or a year and month where the day is not

6977

# significant.

6978

},

6979

"stringValue": "A String", # string

6980

"integerValue": "A String", # integer

6981

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

6982

# or are specified elsewhere. An API may choose to allow leap seconds. Related

6983

# types are google.type.Date and `google.protobuf.Timestamp`.

6984

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

6985

# to allow the value "24:00:00" for scenarios like business closing time.

6986

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

6987

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

6988

# allow the value 60 if it allows leap-seconds.

6989

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

6990

},

6991

"booleanValue": True or False, # boolean

6992

"floatValue": 3.14, # float

6993

"dayOfWeekValue": "A String", # day of week

6994

},

6995

},

6996

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

6997

# fixed character. Masking can start from the beginning or end of the string.

6998

# This can be used on data of any type (numbers, longs, and so on) and when

6999

# de-identifying structured data we'll attempt to preserve the original data's

7000

# type. (This allows you to take a long like 123 and modify it to a string like

7001

# **3.

7002

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7003

# characters. For example, if the input string is `555-555-5555` and you

7004

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7005

# returns `***-**5-5555`.

7006

{ # Characters to skip when doing deidentification of a value. These will be left

7007

# alone and skipped.

7008

"charactersToSkip": "A String", # Characters to not transform when masking.

7009

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7014

# masked. Skipped characters do not count towards this tally.

7015

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7016

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7017

# code or credit card number. This string must have a length of 1. If not

7018

# supplied, this value defaults to `*` for strings, and `0` for digits.

7019

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7020

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7021

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7022

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7023

# is `true`, then the string `12345` is masked as `12***`.

7024

},

7025

},

7026

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7027

# this transformation to apply to all findings that correspond to

7028

# infoTypes that were requested in `InspectConfig`.

7029

{ # Type of information detected by the API.

7030

"name": "A String", # Name of the information type. Either a name of your choosing when

7031

# creating a CustomInfoType, or one of the names listed

7032

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7033

# a built-in type. InfoType names should conform to the pattern

7034

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7040

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

7041

# mode is `TransformationErrorHandling.ThrowError`.

7042

# transformation error occurs when the requested transformation is incompatible

7043

# with the data. For example, trying to de-identify an IP address using a

7044

# `DateShift` transformation would result in a transformation error, since date

7045

# info cannot be extracted from an IP address.

7046

# Information about any incompatible transformations, and how they were

7047

# handled, is returned in the response as part of the

7048

# `TransformationOverviews`.

7049

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

7050

},

7051

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

7052

# cause an error. For example, if a `DateShift` transformation were applied

7053

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

7058

# specific locations within structured datasets, such as transforming

7059

# a column within a table.

7060

# table.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7061

"fieldTransformations": [ # Transform the record by applying various field transformations.

7062

{ # The transformation to apply to the field.

7063

"fields": [ # Required. Input field(s) to apply the transformation to.

7064

{ # General identifier of a data field in a storage service.

7065

"name": "A String", # Name describing the field.

7066

},

7067

],

7068

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

7069

# transform content that matches an `InfoType`.

7070

# apply various `PrimitiveTransformation`s to each finding, where the

7071

# transformation is applied to only values that were identified as a specific

7072

# info_type.

7073

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

7074

# for a given infoType.

7075

{ # A transformation to apply to text that is identified as a specific

7076

# info_type.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7077

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

7078

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7079

# portion of the value.

7080

"partToExtract": "A String", # The part of the time to keep.

7081

},

7082

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7083

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7084

# to learn more.

7085

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7086

# If set, must also set cryptoKey. If set, shift will be consistent for the

7087

# given context.

7088

"name": "A String", # Name describing the field.

7089

},

7090

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7091

# range (inclusive ends). Negative means shift to earlier in time. Must not

7092

# be more than 365250 days (1000 years) each direction.

7093

#

7094

# For example, 3 means shift date to at most 3 days into the future.

7095

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7096

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7097

# results in the same shift for the same context and crypto_key. If

7098

# set, must also set context. Can only be applied to table items.

7099

# a key encryption key (KEK) stored by KMS).

7100

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7101

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7102

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7103

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7104

# leaking the key. Choose another type of key if possible.

7105

"key": "A String", # Required. A 128/192/256 bit key.

7106

},

7107

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7108

# It will be discarded after the request finishes.

7109

"name": "A String", # Required. Name of the key.

7110

# This is an arbitrary string used to differentiate different keys.

7111

# A unique key is generated per name: two separate `TransientCryptoKey`

7112

# protos share the same generated key if their names are the same.

7113

# When the data crypto key is generated, this name is not used in any way

7114

# (repeating the api call will result in a different key being generated).

7115

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7116

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7117

# The wrapped key must be a 128/192/256 bit key.

7118

# Authorization requires the following IAM permissions when sending a request

7119

# to perform a crypto transformation using a kms-wrapped crypto key:

7120

# dlp.kms.encrypt

7121

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7122

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7123

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7124

},

7125

},

7126

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7127

},

7128

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7129

# Uses SHA-256.

7130

# The key size must be either 32 or 64 bytes.

7131

# Outputs a base64 encoded representation of the hashed output

7132

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7133

# Currently, only string and integer values can be hashed.

7134

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7135

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7136

# a key encryption key (KEK) stored by KMS).

7137

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7138

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7139

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7140

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7141

# leaking the key. Choose another type of key if possible.

7142

"key": "A String", # Required. A 128/192/256 bit key.

7143

},

7144

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7145

# It will be discarded after the request finishes.

7146

"name": "A String", # Required. Name of the key.

7147

# This is an arbitrary string used to differentiate different keys.

7148

# A unique key is generated per name: two separate `TransientCryptoKey`

7149

# protos share the same generated key if their names are the same.

7150

# When the data crypto key is generated, this name is not used in any way

7151

# (repeating the api call will result in a different key being generated).

7152

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7153

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7154

# The wrapped key must be a 128/192/256 bit key.

7155

# Authorization requires the following IAM permissions when sending a request

7156

# to perform a crypto transformation using a kms-wrapped crypto key:

7157

# dlp.kms.encrypt

7158

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7159

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7160

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7161

},

7162

},

7163

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7164

# (FPE) with the FFX mode of operation; however when used in the

7165

# `ReidentifyContent` API method, it serves the opposite function by reversing

7166

# the surrogate back into the original identifier. The identifier must be

7167

# encoded as ASCII. For a given crypto key and context, the same identifier

7168

# will be replaced with the same surrogate. Identifiers must be at least two

7169

# characters long. In the case that the identifier is the empty string, it will

7170

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7171

# more.

7172

#

7173

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7174

# do not require preserving the input alphabet space and size, plus warrant

7175

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7176

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7177

# This annotation will be applied to the surrogate by prefixing it with

7178

# the name of the custom infoType followed by the number of

7179

# characters comprising the surrogate. The following scheme defines the

7180

# format: info_type_name(surrogate_character_count):surrogate

7181

#

7182

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7183

# the surrogate is 'abc', the full replacement value

7184

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7185

#

7186

# This annotation identifies the surrogate when inspecting content using the

7187

# custom infoType

7188

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7189

# This facilitates reversal of the surrogate when it occurs in free text.

7190

#

7191

# In order for inspection to work properly, the name of this infoType must

7192

# not occur naturally anywhere in your data; otherwise, inspection may

7193

# find a surrogate that does not correspond to an actual identifier.

7194

# Therefore, choose your custom infoType name carefully after considering

7195

# what your data looks like. One way to select a name that has a high chance

7196

# of yielding reliable detection is to include one or more unicode characters

7197

# that are highly improbable to exist in your data.

7198

# For example, assuming your data is entered from a regular ASCII keyboard,

7199

# the symbol with the hex code point 29DD might be used like so:

7200

# ⧝MY_TOKEN_TYPE

7201

"name": "A String", # Name of the information type. Either a name of your choosing when

7202

# creating a CustomInfoType, or one of the names listed

7203

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7204

# a built-in type. InfoType names should conform to the pattern

7205

# `[a-zA-Z0-9_]{1,64}`.

7206

},

7207

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7208

# identifier in two different contexts won't be given the same surrogate. If

7209

# the context is not set, a default tweak will be used.

7210

#

7211

# If the context is set but:

7212

#

7213

# 1. there is no record present when transforming a given value or

7214

# 1. the field is not present when transforming a given value,

7215

#

7216

# a default tweak will be used.

7217

#

7218

# Note that case (1) is expected when an `InfoTypeTransformation` is

7219

# applied to both structured and non-structured `ContentItem`s.

7220

# Currently, the referenced field may be of value type integer or string.

7221

#

7222

# The tweak is constructed as a sequence of bytes in big endian byte order

7223

# such that:

7224

#

7225

# - a 64 bit integer is encoded followed by a single byte of value 1

7226

# - a string is encoded in UTF-8 format followed by a single byte of value 2

7227

"name": "A String", # Name describing the field.

7228

},

7229

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

7230

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

7231

# a key encryption key (KEK) stored by KMS).

7232

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7233

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7234

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7235

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7236

# leaking the key. Choose another type of key if possible.

7237

"key": "A String", # Required. A 128/192/256 bit key.

7238

},

7239

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7240

# It will be discarded after the request finishes.

7241

"name": "A String", # Required. Name of the key.

7242

# This is an arbitrary string used to differentiate different keys.

7243

# A unique key is generated per name: two separate `TransientCryptoKey`

7244

# protos share the same generated key if their names are the same.

7245

# When the data crypto key is generated, this name is not used in any way

7246

# (repeating the api call will result in a different key being generated).

7247

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7248

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7249

# The wrapped key must be a 128/192/256 bit key.

7250

# Authorization requires the following IAM permissions when sending a request

7251

# to perform a crypto transformation using a kms-wrapped crypto key:

7252

# dlp.kms.encrypt

7253

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7254

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7255

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7256

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7257

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7258

# that the FFX mode natively supports. This happens before/after

7259

# encryption/decryption.

7260

# Each character listed must appear only once.

7261

# Number of characters must be in the range [2, 95].

7262

# This must be encoded as ASCII.

7263

# The order of characters does not matter.

7264

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7265

},

7266

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

7267

# input. Outputs a base64 encoded representation of the encrypted output.

7268

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

7269

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

7270

# This annotation will be applied to the surrogate by prefixing it with

7271

# the name of the custom info type followed by the number of

7272

# characters comprising the surrogate. The following scheme defines the

7273

# format: {info type name}({surrogate character count}):{surrogate}

7274

#

7275

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

7276

# the surrogate is 'abc', the full replacement value

7277

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7278

#

7279

# This annotation identifies the surrogate when inspecting content using the

7280

# custom info type 'Surrogate'. This facilitates reversal of the

7281

# surrogate when it occurs in free text.

7282

#

7283

# Note: For record transformations where the entire cell in a table is being

7284

# transformed, surrogates are not mandatory. Surrogates are used to denote

7285

# the location of the token and are necessary for re-identification in free

7286

# form text.

7287

#

7288

# In order for inspection to work properly, the name of this info type must

7289

# not occur naturally anywhere in your data; otherwise, inspection may either

7290

#

7291

# - reverse a surrogate that does not correspond to an actual identifier

7292

# - be unable to parse the surrogate and result in an error

7293

#

7294

# Therefore, choose your custom info type name carefully after considering

7295

# what your data looks like. One way to select a name that has a high chance

7296

# of yielding reliable detection is to include one or more unicode characters

7297

# that are highly improbable to exist in your data.

7298

# For example, assuming your data is entered from a regular ASCII keyboard,

7299

# the symbol with the hex code point 29DD might be used like so:

7300

# ⧝MY_TOKEN_TYPE.

7301

"name": "A String", # Name of the information type. Either a name of your choosing when

7302

# creating a CustomInfoType, or one of the names listed

7303

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7304

# a built-in type. InfoType names should conform to the pattern

7305

# `[a-zA-Z0-9_]{1,64}`.

7306

},

7307

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

7308

# referential integrity such that the same identifier in two different

7309

# contexts will be given a distinct surrogate. The context is appended to

7310

# plaintext value being encrypted. On decryption the provided context is

7311

# validated against the value used during encryption. If a context was

7312

# provided during encryption, same context must be provided during decryption

7313

# as well.

7314

#

7315

# If the context is not set, plaintext would be used as is for encryption.

7316

# If the context is set but:

7317

#

7318

# 1. there is no record present when transforming a given value or

7319

# 2. the field is not present when transforming a given value,

7320

#

7321

# plaintext would be used as is for encryption.

7322

#

7323

# Note that case (1) is expected when an `InfoTypeTransformation` is

7324

# applied to both structured and non-structured `ContentItem`s.

7325

"name": "A String", # Name describing the field.

7326

},

7327

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

7328

# a key encryption key (KEK) stored by KMS).

7329

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7330

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7331

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7332

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7333

# leaking the key. Choose another type of key if possible.

7334

"key": "A String", # Required. A 128/192/256 bit key.

7335

},

7336

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7337

# It will be discarded after the request finishes.

7338

"name": "A String", # Required. Name of the key.

7339

# This is an arbitrary string used to differentiate different keys.

7340

# A unique key is generated per name: two separate `TransientCryptoKey`

7341

# protos share the same generated key if their names are the same.

7342

# When the data crypto key is generated, this name is not used in any way

7343

# (repeating the api call will result in a different key being generated).

7344

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7345

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7346

# The wrapped key must be a 128/192/256 bit key.

7347

# Authorization requires the following IAM permissions when sending a request

7348

# to perform a crypto transformation using a kms-wrapped crypto key:

7349

# dlp.kms.encrypt

7350

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7351

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7352

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7353

},

7354

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7355

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

7356

# replacement values are dynamically provided by the user for custom behavior,

7357

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

7358

# This can be used on

7359

# data of type: number, long, string, timestamp.

7360

# If the bound `Value` type differs from the type of data being transformed, we

7361

# will first attempt converting the type of the data to be transformed to match

7362

# the type of the bound before comparing.

7363

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7364

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

7365

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7366

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

7367

# the default behavior will be to hyphenate the min-max range.

7368

# Note that for the purposes of inspection or transformation, the number

7369

# of bytes considered to comprise a 'Value' is based on its representation

7370

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7371

# 123456789, the number of bytes would be counted as 9, even though an

7372

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7373

"timestampValue": "A String", # timestamp

7374

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7375

# and time zone are either specified elsewhere or are not significant. The date

7376

# is relative to the Proleptic Gregorian Calendar. This can represent:

7377

#

7378

# * A full date, with non-zero year, month and day values

7379

# * A month and day value, with a zero year, e.g. an anniversary

7380

# * A year on its own, with zero month and day values

7381

# * A year and month value, with a zero day, e.g. a credit card expiration date

7382

#

7383

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7384

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7385

# a year.

7386

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7387

# month and day.

7388

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7389

# if specifying a year by itself or a year and month where the day is not

7390

# significant.

7391

},

7392

"stringValue": "A String", # string

7393

"integerValue": "A String", # integer

7394

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7395

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7396

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7397

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7398

# to allow the value "24:00:00" for scenarios like business closing time.

7399

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7400

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7401

# allow the value 60 if it allows leap-seconds.

7402

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7403

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7404

"booleanValue": True or False, # boolean

7405

"floatValue": 3.14, # float

7406

"dayOfWeekValue": "A String", # day of week

7407

},

7408

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

7409

# used.

7410

# Note that for the purposes of inspection or transformation, the number

7411

# of bytes considered to comprise a 'Value' is based on its representation

7412

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7413

# 123456789, the number of bytes would be counted as 9, even though an

7414

# int64 only holds up to 8 bytes of data.

7415

"timestampValue": "A String", # timestamp

7416

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7417

# and time zone are either specified elsewhere or are not significant. The date

7418

# is relative to the Proleptic Gregorian Calendar. This can represent:

7419

#

7420

# * A full date, with non-zero year, month and day values

7421

# * A month and day value, with a zero year, e.g. an anniversary

7422

# * A year on its own, with zero month and day values

7423

# * A year and month value, with a zero day, e.g. a credit card expiration date

7424

#

7425

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7426

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7427

# a year.

7428

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7429

# month and day.

7430

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7431

# if specifying a year by itself or a year and month where the day is not

7432

# significant.

7433

},

7434

"stringValue": "A String", # string

7435

"integerValue": "A String", # integer

7436

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7437

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7438

# types are google.type.Date and `google.protobuf.Timestamp`.

7439

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7440

# to allow the value "24:00:00" for scenarios like business closing time.

7441

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7442

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7443

# allow the value 60 if it allows leap-seconds.

7444

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7445

},

7446

"booleanValue": True or False, # boolean

7447

"floatValue": 3.14, # float

7448

"dayOfWeekValue": "A String", # day of week

7449

},

7450

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

7451

# Note that for the purposes of inspection or transformation, the number

7452

# of bytes considered to comprise a 'Value' is based on its representation

7453

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7454

# 123456789, the number of bytes would be counted as 9, even though an

7455

# int64 only holds up to 8 bytes of data.

7456

"timestampValue": "A String", # timestamp

7457

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7458

# and time zone are either specified elsewhere or are not significant. The date

7459

# is relative to the Proleptic Gregorian Calendar. This can represent:

7460

#

7461

# * A full date, with non-zero year, month and day values

7462

# * A month and day value, with a zero year, e.g. an anniversary

7463

# * A year on its own, with zero month and day values

7464

# * A year and month value, with a zero day, e.g. a credit card expiration date

7465

#

7466

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7467

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7468

# a year.

7469

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7470

# month and day.

7471

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7472

# if specifying a year by itself or a year and month where the day is not

7473

# significant.

7474

},

7475

"stringValue": "A String", # string

7476

"integerValue": "A String", # integer

7477

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7478

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7479

# types are google.type.Date and `google.protobuf.Timestamp`.

7480

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7481

# to allow the value "24:00:00" for scenarios like business closing time.

7482

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7483

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7484

# allow the value 60 if it allows leap-seconds.

7485

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7486

},

7487

"booleanValue": True or False, # boolean

7488

"floatValue": 3.14, # float

7489

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7494

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

7495

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

7496

# output would be 'My phone number is '.

7497

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7498

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

7499

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

7500

# Note that for the purposes of inspection or transformation, the number

7501

# of bytes considered to comprise a 'Value' is based on its representation

7502

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7503

# 123456789, the number of bytes would be counted as 9, even though an

7504

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7505

"timestampValue": "A String", # timestamp

7506

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7507

# and time zone are either specified elsewhere or are not significant. The date

7508

# is relative to the Proleptic Gregorian Calendar. This can represent:

7509

#

7510

# * A full date, with non-zero year, month and day values

7511

# * A month and day value, with a zero year, e.g. an anniversary

7512

# * A year on its own, with zero month and day values

7513

# * A year and month value, with a zero day, e.g. a credit card expiration date

7514

#

7515

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7516

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7517

# a year.

7518

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7519

# month and day.

7520

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7521

# if specifying a year by itself or a year and month where the day is not

7522

# significant.

7523

},

7524

"stringValue": "A String", # string

7525

"integerValue": "A String", # integer

7526

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7527

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7528

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7529

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7530

# to allow the value "24:00:00" for scenarios like business closing time.

7531

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7532

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7533

# allow the value 60 if it allows leap-seconds.

7534

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7535

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7536

"booleanValue": True or False, # boolean

7537

"floatValue": 3.14, # float

7538

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7539

},

7540

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7541

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

7542

# Bucketing transformation can provide all of this functionality,

7543

# but requires more configuration. This message is provided as a convenience to

7544

# the user for simple bucketing strategies.

7545

#

7546

# The transformed value will be a hyphenated string of

7547

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

7548

# all values that are within this bucket will be replaced with "10-20".

7549

#

7550

# This can be used on data of type: double, long.

7551

#

7552

# If the bound Value type differs from the type of data

7553

# being transformed, we will first attempt converting the type of the data to

7554

# be transformed to match the type of the bound before comparing.

7555

#

7556

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7557

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

7558

# grouped together into a single bucket; for example if `upper_bound` = 89,

7559

# then all values greater than 89 are replaced with the value "89+".

7560

# Note that for the purposes of inspection or transformation, the number

7561

# of bytes considered to comprise a 'Value' is based on its representation

7562

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7563

# 123456789, the number of bytes would be counted as 9, even though an

7564

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7565

"timestampValue": "A String", # timestamp

7566

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7567

# and time zone are either specified elsewhere or are not significant. The date

7568

# is relative to the Proleptic Gregorian Calendar. This can represent:

7569

#

7570

# * A full date, with non-zero year, month and day values

7571

# * A month and day value, with a zero year, e.g. an anniversary

7572

# * A year on its own, with zero month and day values

7573

# * A year and month value, with a zero day, e.g. a credit card expiration date

7574

#

7575

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7576

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7577

# a year.

7578

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7579

# month and day.

7580

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7581

# if specifying a year by itself or a year and month where the day is not

7582

# significant.

7583

},

7584

"stringValue": "A String", # string

7585

"integerValue": "A String", # integer

7586

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7587

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7588

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7589

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7590

# to allow the value "24:00:00" for scenarios like business closing time.

7591

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7592

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7593

# allow the value 60 if it allows leap-seconds.

7594

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7595

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7596

"booleanValue": True or False, # boolean

7597

"floatValue": 3.14, # float

7598

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7599

},

7600

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

7601

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

7602

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

7603

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7604

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

7605

# grouped together into a single bucket; for example if `lower_bound` = 10,

7606

# then all values less than 10 are replaced with the value "-10".

7607

# Note that for the purposes of inspection or transformation, the number

7608

# of bytes considered to comprise a 'Value' is based on its representation

7609

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7610

# 123456789, the number of bytes would be counted as 9, even though an

7611

# int64 only holds up to 8 bytes of data.

7612

"timestampValue": "A String", # timestamp

7613

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7614

# and time zone are either specified elsewhere or are not significant. The date

7615

# is relative to the Proleptic Gregorian Calendar. This can represent:

7616

#

7617

# * A full date, with non-zero year, month and day values

7618

# * A month and day value, with a zero year, e.g. an anniversary

7619

# * A year on its own, with zero month and day values

7620

# * A year and month value, with a zero day, e.g. a credit card expiration date

7621

#

7622

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7623

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

7624

# a year.

7625

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

7626

# month and day.

7627

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

7628

# if specifying a year by itself or a year and month where the day is not

7629

# significant.

7630

},

7631

"stringValue": "A String", # string

7632

"integerValue": "A String", # integer

7633

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

7634

# or are specified elsewhere. An API may choose to allow leap seconds. Related

7635

# types are google.type.Date and `google.protobuf.Timestamp`.

7636

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

7637

# to allow the value "24:00:00" for scenarios like business closing time.

7638

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

7639

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

7640

# allow the value 60 if it allows leap-seconds.

7641

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

7642

},

7643

"booleanValue": True or False, # boolean

7644

"floatValue": 3.14, # float

7645

"dayOfWeekValue": "A String", # day of week

7646

},

7647

},

7648

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

7649

# fixed character. Masking can start from the beginning or end of the string.

7650

# This can be used on data of any type (numbers, longs, and so on) and when

7651

# de-identifying structured data we'll attempt to preserve the original data's

7652

# type. (This allows you to take a long like 123 and modify it to a string like

7653

# **3.

7654

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

7655

# characters. For example, if the input string is `555-555-5555` and you

7656

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

7657

# returns `***-**5-5555`.

7658

{ # Characters to skip when doing deidentification of a value. These will be left

7659

# alone and skipped.

7660

"charactersToSkip": "A String", # Characters to not transform when masking.

7661

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

7666

# masked. Skipped characters do not count towards this tally.

7667

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

7668

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

7669

# code or credit card number. This string must have a length of 1. If not

7670

# supplied, this value defaults to `*` for strings, and `0` for digits.

7671

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

7672

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

7673

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

7674

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

7675

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7676

},

7677

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7678

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

7679

# this transformation to apply to all findings that correspond to

7680

# infoTypes that were requested in `InspectConfig`.

7681

{ # Type of information detected by the API.

7682

"name": "A String", # Name of the information type. Either a name of your choosing when

7683

# creating a CustomInfoType, or one of the names listed

7684

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7685

# a built-in type. InfoType names should conform to the pattern

7686

# `[a-zA-Z0-9_]{1,64}`.

7687

},

7688

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

7693

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

7694

# portion of the value.

7695

"partToExtract": "A String", # The part of the time to keep.

7696

},

7697

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

7698

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

7699

# to learn more.

7700

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

7701

# If set, must also set cryptoKey. If set, shift will be consistent for the

7702

# given context.

7703

"name": "A String", # Name describing the field.

7704

},

7705

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

7706

# range (inclusive ends). Negative means shift to earlier in time. Must not

7707

# be more than 365250 days (1000 years) each direction.

7708

#

7709

# For example, 3 means shift date to at most 3 days into the future.

7710

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

7711

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

7712

# results in the same shift for the same context and crypto_key. If

7713

# set, must also set context. Can only be applied to table items.

7714

# a key encryption key (KEK) stored by KMS).

7715

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7716

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7717

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7718

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7719

# leaking the key. Choose another type of key if possible.

7720

"key": "A String", # Required. A 128/192/256 bit key.

7721

},

7722

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7723

# It will be discarded after the request finishes.

7724

"name": "A String", # Required. Name of the key.

7725

# This is an arbitrary string used to differentiate different keys.

7726

# A unique key is generated per name: two separate `TransientCryptoKey`

7727

# protos share the same generated key if their names are the same.

7728

# When the data crypto key is generated, this name is not used in any way

7729

# (repeating the api call will result in a different key being generated).

7730

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7731

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7732

# The wrapped key must be a 128/192/256 bit key.

7733

# Authorization requires the following IAM permissions when sending a request

7734

# to perform a crypto transformation using a kms-wrapped crypto key:

7735

# dlp.kms.encrypt

7736

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7737

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7738

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7739

},

7740

},

7741

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

7742

},

7743

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

7744

# Uses SHA-256.

7745

# The key size must be either 32 or 64 bytes.

7746

# Outputs a base64 encoded representation of the hashed output

7747

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

7748

# Currently, only string and integer values can be hashed.

7749

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

7750

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

7751

# a key encryption key (KEK) stored by KMS).

7752

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7753

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7754

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7755

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7756

# leaking the key. Choose another type of key if possible.

7757

"key": "A String", # Required. A 128/192/256 bit key.

7758

},

7759

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7760

# It will be discarded after the request finishes.

7761

"name": "A String", # Required. Name of the key.

7762

# This is an arbitrary string used to differentiate different keys.

7763

# A unique key is generated per name: two separate `TransientCryptoKey`

7764

# protos share the same generated key if their names are the same.

7765

# When the data crypto key is generated, this name is not used in any way

7766

# (repeating the api call will result in a different key being generated).

7767

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7768

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7769

# The wrapped key must be a 128/192/256 bit key.

7770

# Authorization requires the following IAM permissions when sending a request

7771

# to perform a crypto transformation using a kms-wrapped crypto key:

7772

# dlp.kms.encrypt

7773

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7774

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7775

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7776

},

7777

},

7778

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

7779

# (FPE) with the FFX mode of operation; however when used in the

7780

# `ReidentifyContent` API method, it serves the opposite function by reversing

7781

# the surrogate back into the original identifier. The identifier must be

7782

# encoded as ASCII. For a given crypto key and context, the same identifier

7783

# will be replaced with the same surrogate. Identifiers must be at least two

7784

# characters long. In the case that the identifier is the empty string, it will

7785

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

7786

# more.

7787

#

7788

# Note: We recommend using CryptoDeterministicConfig for all use cases which

7789

# do not require preserving the input alphabet space and size, plus warrant

7790

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7791

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

7792

# This annotation will be applied to the surrogate by prefixing it with

7793

# the name of the custom infoType followed by the number of

7794

# characters comprising the surrogate. The following scheme defines the

7795

# format: info_type_name(surrogate_character_count):surrogate

7796

#

7797

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

7798

# the surrogate is 'abc', the full replacement value

7799

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7800

#

7801

# This annotation identifies the surrogate when inspecting content using the

7802

# custom infoType

7803

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

7804

# This facilitates reversal of the surrogate when it occurs in free text.

7805

#

7806

# In order for inspection to work properly, the name of this infoType must

7807

# not occur naturally anywhere in your data; otherwise, inspection may

7808

# find a surrogate that does not correspond to an actual identifier.

7809

# Therefore, choose your custom infoType name carefully after considering

7810

# what your data looks like. One way to select a name that has a high chance

7811

# of yielding reliable detection is to include one or more unicode characters

7812

# that are highly improbable to exist in your data.

7813

# For example, assuming your data is entered from a regular ASCII keyboard,

7814

# the symbol with the hex code point 29DD might be used like so:

7815

# ⧝MY_TOKEN_TYPE

7816

"name": "A String", # Name of the information type. Either a name of your choosing when

7817

# creating a CustomInfoType, or one of the names listed

7818

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7819

# a built-in type. InfoType names should conform to the pattern

7820

# `[a-zA-Z0-9_]{1,64}`.

7821

},

7822

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

7823

# identifier in two different contexts won't be given the same surrogate. If

7824

# the context is not set, a default tweak will be used.

7825

#

7826

# If the context is set but:

7827

#

7828

# 1. there is no record present when transforming a given value or

7829

# 1. the field is not present when transforming a given value,

7830

#

7831

# a default tweak will be used.

7832

#

7833

# Note that case (1) is expected when an `InfoTypeTransformation` is

7834

# applied to both structured and non-structured `ContentItem`s.

7835

# Currently, the referenced field may be of value type integer or string.

7836

#

7837

# The tweak is constructed as a sequence of bytes in big endian byte order

7838

# such that:

7839

#

7840

# - a 64 bit integer is encoded followed by a single byte of value 1

7841

# - a string is encoded in UTF-8 format followed by a single byte of value 2

7842

"name": "A String", # Name describing the field.

7843

},

7844

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

7845

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

7846

# a key encryption key (KEK) stored by KMS).

7847

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7848

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7849

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7850

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7851

# leaking the key. Choose another type of key if possible.

7852

"key": "A String", # Required. A 128/192/256 bit key.

7853

},

7854

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7855

# It will be discarded after the request finishes.

7856

"name": "A String", # Required. Name of the key.

7857

# This is an arbitrary string used to differentiate different keys.

7858

# A unique key is generated per name: two separate `TransientCryptoKey`

7859

# protos share the same generated key if their names are the same.

7860

# When the data crypto key is generated, this name is not used in any way

7861

# (repeating the api call will result in a different key being generated).

7862

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7863

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7864

# The wrapped key must be a 128/192/256 bit key.

7865

# Authorization requires the following IAM permissions when sending a request

7866

# to perform a crypto transformation using a kms-wrapped crypto key:

7867

# dlp.kms.encrypt

7868

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7869

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7870

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7871

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7872

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

7873

# that the FFX mode natively supports. This happens before/after

7874

# encryption/decryption.

7875

# Each character listed must appear only once.

7876

# Number of characters must be in the range [2, 95].

7877

# This must be encoded as ASCII.

7878

# The order of characters does not matter.

7879

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7880

},

7881

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

7882

# input. Outputs a base64 encoded representation of the encrypted output.

7883

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

7884

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

7885

# This annotation will be applied to the surrogate by prefixing it with

7886

# the name of the custom info type followed by the number of

7887

# characters comprising the surrogate. The following scheme defines the

7888

# format: {info type name}({surrogate character count}):{surrogate}

7889

#

7890

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

7891

# the surrogate is 'abc', the full replacement value

7892

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

7893

#

7894

# This annotation identifies the surrogate when inspecting content using the

7895

# custom info type 'Surrogate'. This facilitates reversal of the

7896

# surrogate when it occurs in free text.

7897

#

7898

# Note: For record transformations where the entire cell in a table is being

7899

# transformed, surrogates are not mandatory. Surrogates are used to denote

7900

# the location of the token and are necessary for re-identification in free

7901

# form text.

7902

#

7903

# In order for inspection to work properly, the name of this info type must

7904

# not occur naturally anywhere in your data; otherwise, inspection may either

7905

#

7906

# - reverse a surrogate that does not correspond to an actual identifier

7907

# - be unable to parse the surrogate and result in an error

7908

#

7909

# Therefore, choose your custom info type name carefully after considering

7910

# what your data looks like. One way to select a name that has a high chance

7911

# of yielding reliable detection is to include one or more unicode characters

7912

# that are highly improbable to exist in your data.

7913

# For example, assuming your data is entered from a regular ASCII keyboard,

7914

# the symbol with the hex code point 29DD might be used like so:

7915

# ⧝MY_TOKEN_TYPE.

7916

"name": "A String", # Name of the information type. Either a name of your choosing when

7917

# creating a CustomInfoType, or one of the names listed

7918

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

7919

# a built-in type. InfoType names should conform to the pattern

7920

# `[a-zA-Z0-9_]{1,64}`.

7921

},

7922

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

7923

# referential integrity such that the same identifier in two different

7924

# contexts will be given a distinct surrogate. The context is appended to

7925

# plaintext value being encrypted. On decryption the provided context is

7926

# validated against the value used during encryption. If a context was

7927

# provided during encryption, same context must be provided during decryption

7928

# as well.

7929

#

7930

# If the context is not set, plaintext would be used as is for encryption.

7931

# If the context is set but:

7932

#

7933

# 1. there is no record present when transforming a given value or

7934

# 2. the field is not present when transforming a given value,

7935

#

7936

# plaintext would be used as is for encryption.

7937

#

7938

# Note that case (1) is expected when an `InfoTypeTransformation` is

7939

# applied to both structured and non-structured `ContentItem`s.

7940

"name": "A String", # Name describing the field.

7941

},

7942

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

7943

# a key encryption key (KEK) stored by KMS).

7944

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

7945

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

7946

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7947

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

7948

# leaking the key. Choose another type of key if possible.

7949

"key": "A String", # Required. A 128/192/256 bit key.

7950

},

7951

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

7952

# It will be discarded after the request finishes.

7953

"name": "A String", # Required. Name of the key.

7954

# This is an arbitrary string used to differentiate different keys.

7955

# A unique key is generated per name: two separate `TransientCryptoKey`

7956

# protos share the same generated key if their names are the same.

7957

# When the data crypto key is generated, this name is not used in any way

7958

# (repeating the api call will result in a different key being generated).

7959

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

7960

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

7961

# The wrapped key must be a 128/192/256 bit key.

7962

# Authorization requires the following IAM permissions when sending a request

7963

# to perform a crypto transformation using a kms-wrapped crypto key:

7964

# dlp.kms.encrypt

7965

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

7966

"wrappedKey": "A String", # Required. The wrapped data crypto key.

7967

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7968

},

7969

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7970

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

7971

# replacement values are dynamically provided by the user for custom behavior,

7972

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

7973

# This can be used on

7974

# data of type: number, long, string, timestamp.

7975

# If the bound `Value` type differs from the type of data being transformed, we

7976

# will first attempt converting the type of the data to be transformed to match

7977

# the type of the bound before comparing.

7978

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

7979

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

7980

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7981

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

7982

# the default behavior will be to hyphenate the min-max range.

7983

# Note that for the purposes of inspection or transformation, the number

7984

# of bytes considered to comprise a 'Value' is based on its representation

7985

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

7986

# 123456789, the number of bytes would be counted as 9, even though an

7987

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

7988

"timestampValue": "A String", # timestamp

7989

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

7990

# and time zone are either specified elsewhere or are not significant. The date

7991

# is relative to the Proleptic Gregorian Calendar. This can represent:

7992

#

7993

# * A full date, with non-zero year, month and day values

7994

# * A month and day value, with a zero year, e.g. an anniversary

7995

# * A year on its own, with zero month and day values

7996

# * A year and month value, with a zero day, e.g. a credit card expiration date

7997

#

7998

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

7999

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8000

# a year.

8001

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8002

# month and day.

8003

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8004

# if specifying a year by itself or a year and month where the day is not

8005

# significant.

8006

},

8007

"stringValue": "A String", # string

8008

"integerValue": "A String", # integer

8009

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8010

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8011

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8012

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8013

# to allow the value "24:00:00" for scenarios like business closing time.

8014

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8015

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8016

# allow the value 60 if it allows leap-seconds.

8017

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8018

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8019

"booleanValue": True or False, # boolean

8020

"floatValue": 3.14, # float

8021

"dayOfWeekValue": "A String", # day of week

8022

},

8023

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8024

# used.

8025

# Note that for the purposes of inspection or transformation, the number

8026

# of bytes considered to comprise a 'Value' is based on its representation

8027

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8028

# 123456789, the number of bytes would be counted as 9, even though an

8029

# int64 only holds up to 8 bytes of data.

8030

"timestampValue": "A String", # timestamp

8031

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8032

# and time zone are either specified elsewhere or are not significant. The date

8033

# is relative to the Proleptic Gregorian Calendar. This can represent:

8034

#

8035

# * A full date, with non-zero year, month and day values

8036

# * A month and day value, with a zero year, e.g. an anniversary

8037

# * A year on its own, with zero month and day values

8038

# * A year and month value, with a zero day, e.g. a credit card expiration date

8039

#

8040

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8041

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8042

# a year.

8043

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8044

# month and day.

8045

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8046

# if specifying a year by itself or a year and month where the day is not

8047

# significant.

8048

},

8049

"stringValue": "A String", # string

8050

"integerValue": "A String", # integer

8051

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8052

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8053

# types are google.type.Date and `google.protobuf.Timestamp`.

8054

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8055

# to allow the value "24:00:00" for scenarios like business closing time.

8056

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8057

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8058

# allow the value 60 if it allows leap-seconds.

8059

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8060

},

8061

"booleanValue": True or False, # boolean

8062

"floatValue": 3.14, # float

8063

"dayOfWeekValue": "A String", # day of week

8064

},

8065

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8066

# Note that for the purposes of inspection or transformation, the number

8067

# of bytes considered to comprise a 'Value' is based on its representation

8068

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8069

# 123456789, the number of bytes would be counted as 9, even though an

8070

# int64 only holds up to 8 bytes of data.

8071

"timestampValue": "A String", # timestamp

8072

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8073

# and time zone are either specified elsewhere or are not significant. The date

8074

# is relative to the Proleptic Gregorian Calendar. This can represent:

8075

#

8076

# * A full date, with non-zero year, month and day values

8077

# * A month and day value, with a zero year, e.g. an anniversary

8078

# * A year on its own, with zero month and day values

8079

# * A year and month value, with a zero day, e.g. a credit card expiration date

8080

#

8081

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8082

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8083

# a year.

8084

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8085

# month and day.

8086

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8087

# if specifying a year by itself or a year and month where the day is not

8088

# significant.

8089

},

8090

"stringValue": "A String", # string

8091

"integerValue": "A String", # integer

8092

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8093

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8094

# types are google.type.Date and `google.protobuf.Timestamp`.

8095

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8096

# to allow the value "24:00:00" for scenarios like business closing time.

8097

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8098

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8099

# allow the value 60 if it allows leap-seconds.

8100

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8101

},

8102

"booleanValue": True or False, # boolean

8103

"floatValue": 3.14, # float

8104

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8109

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8110

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8111

# output would be 'My phone number is '.

8112

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8113

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8114

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8115

# Note that for the purposes of inspection or transformation, the number

8116

# of bytes considered to comprise a 'Value' is based on its representation

8117

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8118

# 123456789, the number of bytes would be counted as 9, even though an

8119

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8120

"timestampValue": "A String", # timestamp

8121

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8122

# and time zone are either specified elsewhere or are not significant. The date

8123

# is relative to the Proleptic Gregorian Calendar. This can represent:

8124

#

8125

# * A full date, with non-zero year, month and day values

8126

# * A month and day value, with a zero year, e.g. an anniversary

8127

# * A year on its own, with zero month and day values

8128

# * A year and month value, with a zero day, e.g. a credit card expiration date

8129

#

8130

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8131

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8132

# a year.

8133

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8134

# month and day.

8135

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8136

# if specifying a year by itself or a year and month where the day is not

8137

# significant.

8138

},

8139

"stringValue": "A String", # string

8140

"integerValue": "A String", # integer

8141

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8142

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8143

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8144

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8145

# to allow the value "24:00:00" for scenarios like business closing time.

8146

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8147

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8148

# allow the value 60 if it allows leap-seconds.

8149

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8150

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8151

"booleanValue": True or False, # boolean

8152

"floatValue": 3.14, # float

8153

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8154

},

8155

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8156

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8157

# Bucketing transformation can provide all of this functionality,

8158

# but requires more configuration. This message is provided as a convenience to

8159

# the user for simple bucketing strategies.

8160

#

8161

# The transformed value will be a hyphenated string of

8162

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8163

# all values that are within this bucket will be replaced with "10-20".

8164

#

8165

# This can be used on data of type: double, long.

8166

#

8167

# If the bound Value type differs from the type of data

8168

# being transformed, we will first attempt converting the type of the data to

8169

# be transformed to match the type of the bound before comparing.

8170

#

8171

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8172

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

8173

# grouped together into a single bucket; for example if `upper_bound` = 89,

8174

# then all values greater than 89 are replaced with the value "89+".

8175

# Note that for the purposes of inspection or transformation, the number

8176

# of bytes considered to comprise a 'Value' is based on its representation

8177

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8178

# 123456789, the number of bytes would be counted as 9, even though an

8179

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8180

"timestampValue": "A String", # timestamp

8181

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8182

# and time zone are either specified elsewhere or are not significant. The date

8183

# is relative to the Proleptic Gregorian Calendar. This can represent:

8184

#

8185

# * A full date, with non-zero year, month and day values

8186

# * A month and day value, with a zero year, e.g. an anniversary

8187

# * A year on its own, with zero month and day values

8188

# * A year and month value, with a zero day, e.g. a credit card expiration date

8189

#

8190

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8191

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8192

# a year.

8193

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8194

# month and day.

8195

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8196

# if specifying a year by itself or a year and month where the day is not

8197

# significant.

8198

},

8199

"stringValue": "A String", # string

8200

"integerValue": "A String", # integer

8201

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8202

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8203

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8204

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8205

# to allow the value "24:00:00" for scenarios like business closing time.

8206

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8207

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8208

# allow the value 60 if it allows leap-seconds.

8209

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8210

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8211

"booleanValue": True or False, # boolean

8212

"floatValue": 3.14, # float

8213

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8214

},

8215

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

8216

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

8217

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

8218

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8219

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

8220

# grouped together into a single bucket; for example if `lower_bound` = 10,

8221

# then all values less than 10 are replaced with the value "-10".

8222

# Note that for the purposes of inspection or transformation, the number

8223

# of bytes considered to comprise a 'Value' is based on its representation

8224

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8225

# 123456789, the number of bytes would be counted as 9, even though an

8226

# int64 only holds up to 8 bytes of data.

8227

"timestampValue": "A String", # timestamp

8228

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8229

# and time zone are either specified elsewhere or are not significant. The date

8230

# is relative to the Proleptic Gregorian Calendar. This can represent:

8231

#

8232

# * A full date, with non-zero year, month and day values

8233

# * A month and day value, with a zero year, e.g. an anniversary

8234

# * A year on its own, with zero month and day values

8235

# * A year and month value, with a zero day, e.g. a credit card expiration date

8236

#

8237

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8238

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8239

# a year.

8240

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8241

# month and day.

8242

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8243

# if specifying a year by itself or a year and month where the day is not

8244

# significant.

8245

},

8246

"stringValue": "A String", # string

8247

"integerValue": "A String", # integer

8248

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8249

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8250

# types are google.type.Date and `google.protobuf.Timestamp`.

8251

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8252

# to allow the value "24:00:00" for scenarios like business closing time.

8253

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8254

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8255

# allow the value 60 if it allows leap-seconds.

8256

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8257

},

8258

"booleanValue": True or False, # boolean

8259

"floatValue": 3.14, # float

8260

"dayOfWeekValue": "A String", # day of week

8261

},

8262

},

8263

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

8264

# fixed character. Masking can start from the beginning or end of the string.

8265

# This can be used on data of any type (numbers, longs, and so on) and when

8266

# de-identifying structured data we'll attempt to preserve the original data's

8267

# type. (This allows you to take a long like 123 and modify it to a string like

8268

# **3.

8269

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

8270

# characters. For example, if the input string is `555-555-5555` and you

8271

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

8272

# returns `***-**5-5555`.

8273

{ # Characters to skip when doing deidentification of a value. These will be left

8274

# alone and skipped.

8275

"charactersToSkip": "A String", # Characters to not transform when masking.

8276

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

8281

# masked. Skipped characters do not count towards this tally.

8282

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

8283

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

8284

# code or credit card number. This string must have a length of 1. If not

8285

# supplied, this value defaults to `*` for strings, and `0` for digits.

8286

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

8287

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

8288

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

8289

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

8290

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8291

},

8292

},

8293

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

8294

# given `RecordCondition`. The conditions are allowed to reference fields

8295

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

8300

# column for the same record is within a specific range.

8301

# - Redact a field if the date of birth field is greater than 85.

8302

# a field.

8303

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

8304

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

8305

# only supported value is `AND`.

8306

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

8307

"conditions": [ # A collection of conditions.

8308

{ # The field type of `value` and `field` do not need to match to be

8309

# considered equal, but not all comparisons are possible.

8310

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

8311

# but all other comparisons are invalid with incompatible types.

8312

# A `value` of type:

8313

#

8314

# - `string` can be compared against all other types

8315

# - `boolean` can only be compared against other booleans

8316

# - `integer` can be compared against doubles or a string if the string value

8317

# can be parsed as an integer.

8318

# - `double` can be compared against integers or a string if the string can

8319

# be parsed as a double.

8320

# - `Timestamp` can be compared against strings in RFC 3339 date string

8321

# format.

8322

# - `TimeOfDay` can be compared against timestamps and strings in the format

8323

# of 'HH:mm:ss'.

8324

#

8325

# If we fail to compare do to type mismatch, a warning will be given and

8326

# the condition will evaluate to false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8327

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

8328

# Note that for the purposes of inspection or transformation, the number

8329

# of bytes considered to comprise a 'Value' is based on its representation

8330

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8331

# 123456789, the number of bytes would be counted as 9, even though an

8332

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8333

"timestampValue": "A String", # timestamp

8334

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8335

# and time zone are either specified elsewhere or are not significant. The date

8336

# is relative to the Proleptic Gregorian Calendar. This can represent:

8337

#

8338

# * A full date, with non-zero year, month and day values

8339

# * A month and day value, with a zero year, e.g. an anniversary

8340

# * A year on its own, with zero month and day values

8341

# * A year and month value, with a zero day, e.g. a credit card expiration date

8342

#

8343

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8344

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8345

# a year.

8346

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8347

# month and day.

8348

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8349

# if specifying a year by itself or a year and month where the day is not

8350

# significant.

8351

},

8352

"stringValue": "A String", # string

8353

"integerValue": "A String", # integer

8354

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8355

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8356

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8357

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8358

# to allow the value "24:00:00" for scenarios like business closing time.

8359

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8360

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8361

# allow the value 60 if it allows leap-seconds.

8362

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8363

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8364

"booleanValue": True or False, # boolean

8365

"floatValue": 3.14, # float

8366

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8367

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8368

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

8369

"name": "A String", # Name describing the field.

8370

},

8371

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

},

},

},

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8379

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

8380

# match any suppression rule are omitted from the output.

8381

{ # Configuration to suppress records whose suppression conditions evaluate to

8382

# true.

8383

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

8384

# evaluated to be suppressed from the transformed content.

8385

# a field.

8386

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

8387

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

8388

# only supported value is `AND`.

8389

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

8390

"conditions": [ # A collection of conditions.

8391

{ # The field type of `value` and `field` do not need to match to be

8392

# considered equal, but not all comparisons are possible.

8393

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

8394

# but all other comparisons are invalid with incompatible types.

8395

# A `value` of type:

8396

#

8397

# - `string` can be compared against all other types

8398

# - `boolean` can only be compared against other booleans

8399

# - `integer` can be compared against doubles or a string if the string value

8400

# can be parsed as an integer.

8401

# - `double` can be compared against integers or a string if the string can

8402

# be parsed as a double.

8403

# - `Timestamp` can be compared against strings in RFC 3339 date string

8404

# format.

8405

# - `TimeOfDay` can be compared against timestamps and strings in the format

8406

# of 'HH:mm:ss'.

8407

#

8408

# If we fail to compare do to type mismatch, a warning will be given and

8409

# the condition will evaluate to false.

8410

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

8411

# Note that for the purposes of inspection or transformation, the number

8412

# of bytes considered to comprise a 'Value' is based on its representation

8413

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8414

# 123456789, the number of bytes would be counted as 9, even though an

8415

# int64 only holds up to 8 bytes of data.

8416

"timestampValue": "A String", # timestamp

8417

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8418

# and time zone are either specified elsewhere or are not significant. The date

8419

# is relative to the Proleptic Gregorian Calendar. This can represent:

8420

#

8421

# * A full date, with non-zero year, month and day values

8422

# * A month and day value, with a zero year, e.g. an anniversary

8423

# * A year on its own, with zero month and day values

8424

# * A year and month value, with a zero day, e.g. a credit card expiration date

8425

#

8426

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8427

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8428

# a year.

8429

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8430

# month and day.

8431

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8432

# if specifying a year by itself or a year and month where the day is not

8433

# significant.

8434

},

8435

"stringValue": "A String", # string

8436

"integerValue": "A String", # integer

8437

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8438

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8439

# types are google.type.Date and `google.protobuf.Timestamp`.

8440

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8441

# to allow the value "24:00:00" for scenarios like business closing time.

8442

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8443

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8444

# allow the value 60 if it allows leap-seconds.

8445

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8446

},

8447

"booleanValue": True or False, # boolean

8448

"floatValue": 3.14, # float

8449

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8450

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8451

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

8452

"name": "A String", # Name describing the field.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8453

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8454

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8455

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8456

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

8457

},

8458

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

},

},

],

}</pre>

</div>

<code class="details" id="list_next">list_next(previous_request, previous_response)</code>

8471

<pre>Retrieves the next page of results.

8472

8473

Args:

8474

previous_request: The request for the previous page. (required)

8475

previous_response: The response from the request for the previous page. (required)

8476

8477

Returns:

8478

A request object that you can call 'execute()' on to request the next

8479

page. Returns None if there are no more items in the collection.

</pre>

</div>

<code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>

8485

<pre>Updates the DeidentifyTemplate.

8486

See https://cloud.google.com/dlp/docs/creating-templates-deid to learn

more.

Args:

name: string, Required. Resource name of organization and deidentify template to be updated, for

8491

example `organizations/433245324/deidentifyTemplates/432452342` or

8492

projects/project-id/deidentifyTemplates/432452342. (required)

8493

body: object, The request body.

8494

The object takes the form of:

8495

8496

{ # Request message for UpdateDeidentifyTemplate.

8497

"deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value.

8498

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

8499

"name": "A String", # Output only. The template name.

8500

#

8501

# The template will have one of the following formats:

8502

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

8503

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

8504

"description": "A String", # Short description (max 256 chars).

8505

"displayName": "A String", # Display name (max 256 chars).

8506

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

8507

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

8508

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

8509

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

8510

# transformation everywhere.

8511

# apply various `PrimitiveTransformation`s to each finding, where the

8512

# transformation is applied to only values that were identified as a specific

8513

# info_type.

8514

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

8515

# for a given infoType.

8516

{ # A transformation to apply to text that is identified as a specific

8517

# info_type.

8518

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

8519

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

8520

# portion of the value.

8521

"partToExtract": "A String", # The part of the time to keep.

8522

},

8523

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

8524

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

8525

# to learn more.

8526

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

8527

# If set, must also set cryptoKey. If set, shift will be consistent for the

8528

# given context.

8529

"name": "A String", # Name describing the field.

8530

},

8531

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

8532

# range (inclusive ends). Negative means shift to earlier in time. Must not

8533

# be more than 365250 days (1000 years) each direction.

8534

#

8535

# For example, 3 means shift date to at most 3 days into the future.

8536

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

8537

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

8538

# results in the same shift for the same context and crypto_key. If

8539

# set, must also set context. Can only be applied to table items.

8540

# a key encryption key (KEK) stored by KMS).

8541

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8542

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8543

# unwrap the data crypto key.

8544

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8545

# leaking the key. Choose another type of key if possible.

8546

"key": "A String", # Required. A 128/192/256 bit key.

8547

},

8548

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8549

# It will be discarded after the request finishes.

8550

"name": "A String", # Required. Name of the key.

8551

# This is an arbitrary string used to differentiate different keys.

8552

# A unique key is generated per name: two separate `TransientCryptoKey`

8553

# protos share the same generated key if their names are the same.

8554

# When the data crypto key is generated, this name is not used in any way

8555

# (repeating the api call will result in a different key being generated).

8556

},

8557

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8558

# The wrapped key must be a 128/192/256 bit key.

8559

# Authorization requires the following IAM permissions when sending a request

8560

# to perform a crypto transformation using a kms-wrapped crypto key:

8561

# dlp.kms.encrypt

8562

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8563

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

8568

},

8569

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

8570

# Uses SHA-256.

8571

# The key size must be either 32 or 64 bytes.

8572

# Outputs a base64 encoded representation of the hashed output

8573

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

8574

# Currently, only string and integer values can be hashed.

8575

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

8576

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

8577

# a key encryption key (KEK) stored by KMS).

8578

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8579

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8580

# unwrap the data crypto key.

8581

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8582

# leaking the key. Choose another type of key if possible.

8583

"key": "A String", # Required. A 128/192/256 bit key.

8584

},

8585

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8586

# It will be discarded after the request finishes.

8587

"name": "A String", # Required. Name of the key.

8588

# This is an arbitrary string used to differentiate different keys.

8589

# A unique key is generated per name: two separate `TransientCryptoKey`

8590

# protos share the same generated key if their names are the same.

8591

# When the data crypto key is generated, this name is not used in any way

8592

# (repeating the api call will result in a different key being generated).

8593

},

8594

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8595

# The wrapped key must be a 128/192/256 bit key.

8596

# Authorization requires the following IAM permissions when sending a request

8597

# to perform a crypto transformation using a kms-wrapped crypto key:

8598

# dlp.kms.encrypt

8599

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8600

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

8605

# (FPE) with the FFX mode of operation; however when used in the

8606

# `ReidentifyContent` API method, it serves the opposite function by reversing

8607

# the surrogate back into the original identifier. The identifier must be

8608

# encoded as ASCII. For a given crypto key and context, the same identifier

8609

# will be replaced with the same surrogate. Identifiers must be at least two

8610

# characters long. In the case that the identifier is the empty string, it will

8611

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

8612

# more.

8613

#

8614

# Note: We recommend using CryptoDeterministicConfig for all use cases which

8615

# do not require preserving the input alphabet space and size, plus warrant

8616

# referential integrity.

8617

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

8618

# This annotation will be applied to the surrogate by prefixing it with

8619

# the name of the custom infoType followed by the number of

8620

# characters comprising the surrogate. The following scheme defines the

8621

# format: info_type_name(surrogate_character_count):surrogate

8622

#

8623

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

8624

# the surrogate is 'abc', the full replacement value

8625

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8626

#

8627

# This annotation identifies the surrogate when inspecting content using the

8628

# custom infoType

8629

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

8630

# This facilitates reversal of the surrogate when it occurs in free text.

8631

#

8632

# In order for inspection to work properly, the name of this infoType must

8633

# not occur naturally anywhere in your data; otherwise, inspection may

8634

# find a surrogate that does not correspond to an actual identifier.

8635

# Therefore, choose your custom infoType name carefully after considering

8636

# what your data looks like. One way to select a name that has a high chance

8637

# of yielding reliable detection is to include one or more unicode characters

8638

# that are highly improbable to exist in your data.

8639

# For example, assuming your data is entered from a regular ASCII keyboard,

8640

# the symbol with the hex code point 29DD might be used like so:

8641

# ⧝MY_TOKEN_TYPE

8642

"name": "A String", # Name of the information type. Either a name of your choosing when

8643

# creating a CustomInfoType, or one of the names listed

8644

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8645

# a built-in type. InfoType names should conform to the pattern

8646

# `[a-zA-Z0-9_]{1,64}`.

8647

},

8648

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

8649

# identifier in two different contexts won't be given the same surrogate. If

8650

# the context is not set, a default tweak will be used.

8651

#

8652

# If the context is set but:

8653

#

8654

# 1. there is no record present when transforming a given value or

8655

# 1. the field is not present when transforming a given value,

8656

#

8657

# a default tweak will be used.

8658

#

8659

# Note that case (1) is expected when an `InfoTypeTransformation` is

8660

# applied to both structured and non-structured `ContentItem`s.

8661

# Currently, the referenced field may be of value type integer or string.

8662

#

8663

# The tweak is constructed as a sequence of bytes in big endian byte order

8664

# such that:

8665

#

8666

# - a 64 bit integer is encoded followed by a single byte of value 1

8667

# - a string is encoded in UTF-8 format followed by a single byte of value 2

8668

"name": "A String", # Name describing the field.

8669

},

8670

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

8671

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

8672

# a key encryption key (KEK) stored by KMS).

8673

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8674

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8675

# unwrap the data crypto key.

8676

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8677

# leaking the key. Choose another type of key if possible.

8678

"key": "A String", # Required. A 128/192/256 bit key.

8679

},

8680

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8681

# It will be discarded after the request finishes.

8682

"name": "A String", # Required. Name of the key.

8683

# This is an arbitrary string used to differentiate different keys.

8684

# A unique key is generated per name: two separate `TransientCryptoKey`

8685

# protos share the same generated key if their names are the same.

8686

# When the data crypto key is generated, this name is not used in any way

8687

# (repeating the api call will result in a different key being generated).

8688

},

8689

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8690

# The wrapped key must be a 128/192/256 bit key.

8691

# Authorization requires the following IAM permissions when sending a request

8692

# to perform a crypto transformation using a kms-wrapped crypto key:

8693

# dlp.kms.encrypt

8694

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8695

"wrappedKey": "A String", # Required. The wrapped data crypto key.

8696

},

8697

},

8698

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

8699

# that the FFX mode natively supports. This happens before/after

8700

# encryption/decryption.

8701

# Each character listed must appear only once.

8702

# Number of characters must be in the range [2, 95].

8703

# This must be encoded as ASCII.

8704

# The order of characters does not matter.

8705

"commonAlphabet": "A String", # Common alphabets.

8706

},

8707

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

8708

# input. Outputs a base64 encoded representation of the encrypted output.

8709

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

8710

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

8711

# This annotation will be applied to the surrogate by prefixing it with

8712

# the name of the custom info type followed by the number of

8713

# characters comprising the surrogate. The following scheme defines the

8714

# format: {info type name}({surrogate character count}):{surrogate}

8715

#

8716

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

8717

# the surrogate is 'abc', the full replacement value

8718

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

8719

#

8720

# This annotation identifies the surrogate when inspecting content using the

8721

# custom info type 'Surrogate'. This facilitates reversal of the

8722

# surrogate when it occurs in free text.

8723

#

8724

# Note: For record transformations where the entire cell in a table is being

8725

# transformed, surrogates are not mandatory. Surrogates are used to denote

8726

# the location of the token and are necessary for re-identification in free

8727

# form text.

8728

#

8729

# In order for inspection to work properly, the name of this info type must

8730

# not occur naturally anywhere in your data; otherwise, inspection may either

8731

#

8732

# - reverse a surrogate that does not correspond to an actual identifier

8733

# - be unable to parse the surrogate and result in an error

8734

#

8735

# Therefore, choose your custom info type name carefully after considering

8736

# what your data looks like. One way to select a name that has a high chance

8737

# of yielding reliable detection is to include one or more unicode characters

8738

# that are highly improbable to exist in your data.

8739

# For example, assuming your data is entered from a regular ASCII keyboard,

8740

# the symbol with the hex code point 29DD might be used like so:

8741

# ⧝MY_TOKEN_TYPE.

8742

"name": "A String", # Name of the information type. Either a name of your choosing when

8743

# creating a CustomInfoType, or one of the names listed

8744

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

8745

# a built-in type. InfoType names should conform to the pattern

8746

# `[a-zA-Z0-9_]{1,64}`.

8747

},

8748

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

8749

# referential integrity such that the same identifier in two different

8750

# contexts will be given a distinct surrogate. The context is appended to

8751

# plaintext value being encrypted. On decryption the provided context is

8752

# validated against the value used during encryption. If a context was

8753

# provided during encryption, same context must be provided during decryption

8754

# as well.

8755

#

8756

# If the context is not set, plaintext would be used as is for encryption.

8757

# If the context is set but:

8758

#

8759

# 1. there is no record present when transforming a given value or

8760

# 2. the field is not present when transforming a given value,

8761

#

8762

# plaintext would be used as is for encryption.

8763

#

8764

# Note that case (1) is expected when an `InfoTypeTransformation` is

8765

# applied to both structured and non-structured `ContentItem`s.

8766

"name": "A String", # Name describing the field.

8767

},

8768

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

8769

# a key encryption key (KEK) stored by KMS).

8770

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

8771

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

8772

# unwrap the data crypto key.

8773

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

8774

# leaking the key. Choose another type of key if possible.

8775

"key": "A String", # Required. A 128/192/256 bit key.

8776

},

8777

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

8778

# It will be discarded after the request finishes.

8779

"name": "A String", # Required. Name of the key.

8780

# This is an arbitrary string used to differentiate different keys.

8781

# A unique key is generated per name: two separate `TransientCryptoKey`

8782

# protos share the same generated key if their names are the same.

8783

# When the data crypto key is generated, this name is not used in any way

8784

# (repeating the api call will result in a different key being generated).

8785

},

8786

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

8787

# The wrapped key must be a 128/192/256 bit key.

8788

# Authorization requires the following IAM permissions when sending a request

8789

# to perform a crypto transformation using a kms-wrapped crypto key:

8790

# dlp.kms.encrypt

8791

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

8792

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

8797

# replacement values are dynamically provided by the user for custom behavior,

8798

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

8799

# This can be used on

8800

# data of type: number, long, string, timestamp.

8801

# If the bound `Value` type differs from the type of data being transformed, we

8802

# will first attempt converting the type of the data to be transformed to match

8803

# the type of the bound before comparing.

8804

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8805

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

8806

{ # Bucket is represented as a range, along with replacement values.

8807

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

8808

# the default behavior will be to hyphenate the min-max range.

8809

# Note that for the purposes of inspection or transformation, the number

8810

# of bytes considered to comprise a 'Value' is based on its representation

8811

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8812

# 123456789, the number of bytes would be counted as 9, even though an

8813

# int64 only holds up to 8 bytes of data.

8814

"timestampValue": "A String", # timestamp

8815

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8816

# and time zone are either specified elsewhere or are not significant. The date

8817

# is relative to the Proleptic Gregorian Calendar. This can represent:

8818

#

8819

# * A full date, with non-zero year, month and day values

8820

# * A month and day value, with a zero year, e.g. an anniversary

8821

# * A year on its own, with zero month and day values

8822

# * A year and month value, with a zero day, e.g. a credit card expiration date

8823

#

8824

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8825

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8826

# a year.

8827

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8828

# month and day.

8829

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8830

# if specifying a year by itself or a year and month where the day is not

8831

# significant.

8832

},

8833

"stringValue": "A String", # string

8834

"integerValue": "A String", # integer

8835

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8836

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8837

# types are google.type.Date and `google.protobuf.Timestamp`.

8838

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8839

# to allow the value "24:00:00" for scenarios like business closing time.

8840

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8841

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8842

# allow the value 60 if it allows leap-seconds.

8843

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8844

},

8845

"booleanValue": True or False, # boolean

8846

"floatValue": 3.14, # float

8847

"dayOfWeekValue": "A String", # day of week

8848

},

8849

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

8850

# used.

8851

# Note that for the purposes of inspection or transformation, the number

8852

# of bytes considered to comprise a 'Value' is based on its representation

8853

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8854

# 123456789, the number of bytes would be counted as 9, even though an

8855

# int64 only holds up to 8 bytes of data.

8856

"timestampValue": "A String", # timestamp

8857

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8858

# and time zone are either specified elsewhere or are not significant. The date

8859

# is relative to the Proleptic Gregorian Calendar. This can represent:

8860

#

8861

# * A full date, with non-zero year, month and day values

8862

# * A month and day value, with a zero year, e.g. an anniversary

8863

# * A year on its own, with zero month and day values

8864

# * A year and month value, with a zero day, e.g. a credit card expiration date

8865

#

8866

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8867

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8868

# a year.

8869

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8870

# month and day.

8871

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8872

# if specifying a year by itself or a year and month where the day is not

8873

# significant.

8874

},

8875

"stringValue": "A String", # string

8876

"integerValue": "A String", # integer

8877

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8878

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8879

# types are google.type.Date and `google.protobuf.Timestamp`.

8880

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8881

# to allow the value "24:00:00" for scenarios like business closing time.

8882

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8883

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8884

# allow the value 60 if it allows leap-seconds.

8885

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8886

},

8887

"booleanValue": True or False, # boolean

8888

"floatValue": 3.14, # float

8889

"dayOfWeekValue": "A String", # day of week

8890

},

8891

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

8892

# Note that for the purposes of inspection or transformation, the number

8893

# of bytes considered to comprise a 'Value' is based on its representation

8894

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8895

# 123456789, the number of bytes would be counted as 9, even though an

8896

# int64 only holds up to 8 bytes of data.

8897

"timestampValue": "A String", # timestamp

8898

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8899

# and time zone are either specified elsewhere or are not significant. The date

8900

# is relative to the Proleptic Gregorian Calendar. This can represent:

8901

#

8902

# * A full date, with non-zero year, month and day values

8903

# * A month and day value, with a zero year, e.g. an anniversary

8904

# * A year on its own, with zero month and day values

8905

# * A year and month value, with a zero day, e.g. a credit card expiration date

8906

#

8907

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8908

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8909

# a year.

8910

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8911

# month and day.

8912

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8913

# if specifying a year by itself or a year and month where the day is not

8914

# significant.

8915

},

8916

"stringValue": "A String", # string

8917

"integerValue": "A String", # integer

8918

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8919

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8920

# types are google.type.Date and `google.protobuf.Timestamp`.

8921

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8922

# to allow the value "24:00:00" for scenarios like business closing time.

8923

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8924

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8925

# allow the value 60 if it allows leap-seconds.

8926

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8927

},

8928

"booleanValue": True or False, # boolean

8929

"floatValue": 3.14, # float

8930

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

8936

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

8937

# output would be 'My phone number is '.

8938

},

8939

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

8940

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

8941

# Note that for the purposes of inspection or transformation, the number

8942

# of bytes considered to comprise a 'Value' is based on its representation

8943

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

8944

# 123456789, the number of bytes would be counted as 9, even though an

8945

# int64 only holds up to 8 bytes of data.

8946

"timestampValue": "A String", # timestamp

8947

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

8948

# and time zone are either specified elsewhere or are not significant. The date

8949

# is relative to the Proleptic Gregorian Calendar. This can represent:

8950

#

8951

# * A full date, with non-zero year, month and day values

8952

# * A month and day value, with a zero year, e.g. an anniversary

8953

# * A year on its own, with zero month and day values

8954

# * A year and month value, with a zero day, e.g. a credit card expiration date

8955

#

8956

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

8957

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

8958

# a year.

8959

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

8960

# month and day.

8961

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

8962

# if specifying a year by itself or a year and month where the day is not

8963

# significant.

8964

},

8965

"stringValue": "A String", # string

8966

"integerValue": "A String", # integer

8967

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

8968

# or are specified elsewhere. An API may choose to allow leap seconds. Related

8969

# types are google.type.Date and `google.protobuf.Timestamp`.

8970

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

8971

# to allow the value "24:00:00" for scenarios like business closing time.

8972

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

8973

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

8974

# allow the value 60 if it allows leap-seconds.

8975

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

8976

},

8977

"booleanValue": True or False, # boolean

8978

"floatValue": 3.14, # float

8979

"dayOfWeekValue": "A String", # day of week

8980

},

8981

},

8982

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

8983

# Bucketing transformation can provide all of this functionality,

8984

# but requires more configuration. This message is provided as a convenience to

8985

# the user for simple bucketing strategies.

8986

#

8987

# The transformed value will be a hyphenated string of

8988

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

8989

# all values that are within this bucket will be replaced with "10-20".

8990

#

8991

# This can be used on data of type: double, long.

8992

#

8993

# If the bound Value type differs from the type of data

8994

# being transformed, we will first attempt converting the type of the data to

8995

# be transformed to match the type of the bound before comparing.

8996

#

8997

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

8998

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

8999

# grouped together into a single bucket; for example if `upper_bound` = 89,

9000

# then all values greater than 89 are replaced with the value "89+".

9001

# Note that for the purposes of inspection or transformation, the number

9002

# of bytes considered to comprise a 'Value' is based on its representation

9003

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9004

# 123456789, the number of bytes would be counted as 9, even though an

9005

# int64 only holds up to 8 bytes of data.

9006

"timestampValue": "A String", # timestamp

9007

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9008

# and time zone are either specified elsewhere or are not significant. The date

9009

# is relative to the Proleptic Gregorian Calendar. This can represent:

9010

#

9011

# * A full date, with non-zero year, month and day values

9012

# * A month and day value, with a zero year, e.g. an anniversary

9013

# * A year on its own, with zero month and day values

9014

# * A year and month value, with a zero day, e.g. a credit card expiration date

9015

#

9016

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9017

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9018

# a year.

9019

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9020

# month and day.

9021

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9022

# if specifying a year by itself or a year and month where the day is not

9023

# significant.

9024

},

9025

"stringValue": "A String", # string

9026

"integerValue": "A String", # integer

9027

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9028

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9029

# types are google.type.Date and `google.protobuf.Timestamp`.

9030

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9031

# to allow the value "24:00:00" for scenarios like business closing time.

9032

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9033

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9034

# allow the value 60 if it allows leap-seconds.

9035

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9036

},

9037

"booleanValue": True or False, # boolean

9038

"floatValue": 3.14, # float

9039

"dayOfWeekValue": "A String", # day of week

9040

},

9041

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9042

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9043

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9044

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

9045

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9046

# grouped together into a single bucket; for example if `lower_bound` = 10,

9047

# then all values less than 10 are replaced with the value "-10".

9048

# Note that for the purposes of inspection or transformation, the number

9049

# of bytes considered to comprise a 'Value' is based on its representation

9050

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9051

# 123456789, the number of bytes would be counted as 9, even though an

9052

# int64 only holds up to 8 bytes of data.

9053

"timestampValue": "A String", # timestamp

9054

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9055

# and time zone are either specified elsewhere or are not significant. The date

9056

# is relative to the Proleptic Gregorian Calendar. This can represent:

9057

#

9058

# * A full date, with non-zero year, month and day values

9059

# * A month and day value, with a zero year, e.g. an anniversary

9060

# * A year on its own, with zero month and day values

9061

# * A year and month value, with a zero day, e.g. a credit card expiration date

9062

#

9063

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9064

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9065

# a year.

9066

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9067

# month and day.

9068

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9069

# if specifying a year by itself or a year and month where the day is not

9070

# significant.

9071

},

9072

"stringValue": "A String", # string

9073

"integerValue": "A String", # integer

9074

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9075

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9076

# types are google.type.Date and `google.protobuf.Timestamp`.

9077

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9078

# to allow the value "24:00:00" for scenarios like business closing time.

9079

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9080

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9081

# allow the value 60 if it allows leap-seconds.

9082

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9083

},

9084

"booleanValue": True or False, # boolean

9085

"floatValue": 3.14, # float

9086

"dayOfWeekValue": "A String", # day of week

9087

},

9088

},

9089

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9090

# fixed character. Masking can start from the beginning or end of the string.

9091

# This can be used on data of any type (numbers, longs, and so on) and when

9092

# de-identifying structured data we'll attempt to preserve the original data's

9093

# type. (This allows you to take a long like 123 and modify it to a string like

9094

# **3.

9095

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9096

# characters. For example, if the input string is `555-555-5555` and you

9097

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9098

# returns `***-**5-5555`.

9099

{ # Characters to skip when doing deidentification of a value. These will be left

9100

# alone and skipped.

9101

"charactersToSkip": "A String", # Characters to not transform when masking.

9102

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9107

# masked. Skipped characters do not count towards this tally.

9108

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9109

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9110

# code or credit card number. This string must have a length of 1. If not

9111

# supplied, this value defaults to `*` for strings, and `0` for digits.

9112

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9113

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9114

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9115

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9116

# is `true`, then the string `12345` is masked as `12***`.

9117

},

9118

},

9119

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

9120

# this transformation to apply to all findings that correspond to

9121

# infoTypes that were requested in `InspectConfig`.

9122

{ # Type of information detected by the API.

9123

"name": "A String", # Name of the information type. Either a name of your choosing when

9124

# creating a CustomInfoType, or one of the names listed

9125

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9126

# a built-in type. InfoType names should conform to the pattern

9127

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9133

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

9134

# mode is `TransformationErrorHandling.ThrowError`.

9135

# transformation error occurs when the requested transformation is incompatible

9136

# with the data. For example, trying to de-identify an IP address using a

9137

# `DateShift` transformation would result in a transformation error, since date

9138

# info cannot be extracted from an IP address.

9139

# Information about any incompatible transformations, and how they were

9140

# handled, is returned in the response as part of the

9141

# `TransformationOverviews`.

9142

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

9143

},

9144

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

9145

# cause an error. For example, if a `DateShift` transformation were applied

9146

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

9151

# specific locations within structured datasets, such as transforming

9152

# a column within a table.

9153

# table.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9154

"fieldTransformations": [ # Transform the record by applying various field transformations.

9155

{ # The transformation to apply to the field.

9156

"fields": [ # Required. Input field(s) to apply the transformation to.

9157

{ # General identifier of a data field in a storage service.

9158

"name": "A String", # Name describing the field.

9159

},

9160

],

9161

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

9162

# transform content that matches an `InfoType`.

9163

# apply various `PrimitiveTransformation`s to each finding, where the

9164

# transformation is applied to only values that were identified as a specific

9165

# info_type.

9166

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

9167

# for a given infoType.

9168

{ # A transformation to apply to text that is identified as a specific

9169

# info_type.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9170

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

9171

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9172

# portion of the value.

9173

"partToExtract": "A String", # The part of the time to keep.

9174

},

9175

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9176

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9177

# to learn more.

9178

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9179

# If set, must also set cryptoKey. If set, shift will be consistent for the

9180

# given context.

9181

"name": "A String", # Name describing the field.

9182

},

9183

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9184

# range (inclusive ends). Negative means shift to earlier in time. Must not

9185

# be more than 365250 days (1000 years) each direction.

9186

#

9187

# For example, 3 means shift date to at most 3 days into the future.

9188

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9189

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9190

# results in the same shift for the same context and crypto_key. If

9191

# set, must also set context. Can only be applied to table items.

9192

# a key encryption key (KEK) stored by KMS).

9193

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9194

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9195

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9196

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9197

# leaking the key. Choose another type of key if possible.

9198

"key": "A String", # Required. A 128/192/256 bit key.

9199

},

9200

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9201

# It will be discarded after the request finishes.

9202

"name": "A String", # Required. Name of the key.

9203

# This is an arbitrary string used to differentiate different keys.

9204

# A unique key is generated per name: two separate `TransientCryptoKey`

9205

# protos share the same generated key if their names are the same.

9206

# When the data crypto key is generated, this name is not used in any way

9207

# (repeating the api call will result in a different key being generated).

9208

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9209

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9210

# The wrapped key must be a 128/192/256 bit key.

9211

# Authorization requires the following IAM permissions when sending a request

9212

# to perform a crypto transformation using a kms-wrapped crypto key:

9213

# dlp.kms.encrypt

9214

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9215

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9216

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9217

},

9218

},

9219

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

9220

},

9221

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

9222

# Uses SHA-256.

9223

# The key size must be either 32 or 64 bytes.

9224

# Outputs a base64 encoded representation of the hashed output

9225

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

9226

# Currently, only string and integer values can be hashed.

9227

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

9228

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

9229

# a key encryption key (KEK) stored by KMS).

9230

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9231

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9232

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9233

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9234

# leaking the key. Choose another type of key if possible.

9235

"key": "A String", # Required. A 128/192/256 bit key.

9236

},

9237

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9238

# It will be discarded after the request finishes.

9239

"name": "A String", # Required. Name of the key.

9240

# This is an arbitrary string used to differentiate different keys.

9241

# A unique key is generated per name: two separate `TransientCryptoKey`

9242

# protos share the same generated key if their names are the same.

9243

# When the data crypto key is generated, this name is not used in any way

9244

# (repeating the api call will result in a different key being generated).

9245

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9246

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9247

# The wrapped key must be a 128/192/256 bit key.

9248

# Authorization requires the following IAM permissions when sending a request

9249

# to perform a crypto transformation using a kms-wrapped crypto key:

9250

# dlp.kms.encrypt

9251

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9252

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9253

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9254

},

9255

},

9256

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

9257

# (FPE) with the FFX mode of operation; however when used in the

9258

# `ReidentifyContent` API method, it serves the opposite function by reversing

9259

# the surrogate back into the original identifier. The identifier must be

9260

# encoded as ASCII. For a given crypto key and context, the same identifier

9261

# will be replaced with the same surrogate. Identifiers must be at least two

9262

# characters long. In the case that the identifier is the empty string, it will

9263

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

9264

# more.

9265

#

9266

# Note: We recommend using CryptoDeterministicConfig for all use cases which

9267

# do not require preserving the input alphabet space and size, plus warrant

9268

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9269

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

9270

# This annotation will be applied to the surrogate by prefixing it with

9271

# the name of the custom infoType followed by the number of

9272

# characters comprising the surrogate. The following scheme defines the

9273

# format: info_type_name(surrogate_character_count):surrogate

9274

#

9275

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

9276

# the surrogate is 'abc', the full replacement value

9277

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9278

#

9279

# This annotation identifies the surrogate when inspecting content using the

9280

# custom infoType

9281

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

9282

# This facilitates reversal of the surrogate when it occurs in free text.

9283

#

9284

# In order for inspection to work properly, the name of this infoType must

9285

# not occur naturally anywhere in your data; otherwise, inspection may

9286

# find a surrogate that does not correspond to an actual identifier.

9287

# Therefore, choose your custom infoType name carefully after considering

9288

# what your data looks like. One way to select a name that has a high chance

9289

# of yielding reliable detection is to include one or more unicode characters

9290

# that are highly improbable to exist in your data.

9291

# For example, assuming your data is entered from a regular ASCII keyboard,

9292

# the symbol with the hex code point 29DD might be used like so:

9293

# ⧝MY_TOKEN_TYPE

9294

"name": "A String", # Name of the information type. Either a name of your choosing when

9295

# creating a CustomInfoType, or one of the names listed

9296

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9297

# a built-in type. InfoType names should conform to the pattern

9298

# `[a-zA-Z0-9_]{1,64}`.

9299

},

9300

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

9301

# identifier in two different contexts won't be given the same surrogate. If

9302

# the context is not set, a default tweak will be used.

9303

#

9304

# If the context is set but:

9305

#

9306

# 1. there is no record present when transforming a given value or

9307

# 1. the field is not present when transforming a given value,

9308

#

9309

# a default tweak will be used.

9310

#

9311

# Note that case (1) is expected when an `InfoTypeTransformation` is

9312

# applied to both structured and non-structured `ContentItem`s.

9313

# Currently, the referenced field may be of value type integer or string.

9314

#

9315

# The tweak is constructed as a sequence of bytes in big endian byte order

9316

# such that:

9317

#

9318

# - a 64 bit integer is encoded followed by a single byte of value 1

9319

# - a string is encoded in UTF-8 format followed by a single byte of value 2

9320

"name": "A String", # Name describing the field.

9321

},

9322

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

9323

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

9324

# a key encryption key (KEK) stored by KMS).

9325

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9326

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9327

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9328

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9329

# leaking the key. Choose another type of key if possible.

9330

"key": "A String", # Required. A 128/192/256 bit key.

9331

},

9332

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9333

# It will be discarded after the request finishes.

9334

"name": "A String", # Required. Name of the key.

9335

# This is an arbitrary string used to differentiate different keys.

9336

# A unique key is generated per name: two separate `TransientCryptoKey`

9337

# protos share the same generated key if their names are the same.

9338

# When the data crypto key is generated, this name is not used in any way

9339

# (repeating the api call will result in a different key being generated).

9340

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9341

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9342

# The wrapped key must be a 128/192/256 bit key.

9343

# Authorization requires the following IAM permissions when sending a request

9344

# to perform a crypto transformation using a kms-wrapped crypto key:

9345

# dlp.kms.encrypt

9346

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9347

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9348

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9349

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9350

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

9351

# that the FFX mode natively supports. This happens before/after

9352

# encryption/decryption.

9353

# Each character listed must appear only once.

9354

# Number of characters must be in the range [2, 95].

9355

# This must be encoded as ASCII.

9356

# The order of characters does not matter.

9357

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9358

},

9359

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

9360

# input. Outputs a base64 encoded representation of the encrypted output.

9361

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

9362

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

9363

# This annotation will be applied to the surrogate by prefixing it with

9364

# the name of the custom info type followed by the number of

9365

# characters comprising the surrogate. The following scheme defines the

9366

# format: {info type name}({surrogate character count}):{surrogate}

9367

#

9368

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

9369

# the surrogate is 'abc', the full replacement value

9370

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9371

#

9372

# This annotation identifies the surrogate when inspecting content using the

9373

# custom info type 'Surrogate'. This facilitates reversal of the

9374

# surrogate when it occurs in free text.

9375

#

9376

# Note: For record transformations where the entire cell in a table is being

9377

# transformed, surrogates are not mandatory. Surrogates are used to denote

9378

# the location of the token and are necessary for re-identification in free

9379

# form text.

9380

#

9381

# In order for inspection to work properly, the name of this info type must

9382

# not occur naturally anywhere in your data; otherwise, inspection may either

9383

#

9384

# - reverse a surrogate that does not correspond to an actual identifier

9385

# - be unable to parse the surrogate and result in an error

9386

#

9387

# Therefore, choose your custom info type name carefully after considering

9388

# what your data looks like. One way to select a name that has a high chance

9389

# of yielding reliable detection is to include one or more unicode characters

9390

# that are highly improbable to exist in your data.

9391

# For example, assuming your data is entered from a regular ASCII keyboard,

9392

# the symbol with the hex code point 29DD might be used like so:

9393

# ⧝MY_TOKEN_TYPE.

9394

"name": "A String", # Name of the information type. Either a name of your choosing when

9395

# creating a CustomInfoType, or one of the names listed

9396

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9397

# a built-in type. InfoType names should conform to the pattern

9398

# `[a-zA-Z0-9_]{1,64}`.

9399

},

9400

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

9401

# referential integrity such that the same identifier in two different

9402

# contexts will be given a distinct surrogate. The context is appended to

9403

# plaintext value being encrypted. On decryption the provided context is

9404

# validated against the value used during encryption. If a context was

9405

# provided during encryption, same context must be provided during decryption

9406

# as well.

9407

#

9408

# If the context is not set, plaintext would be used as is for encryption.

9409

# If the context is set but:

9410

#

9411

# 1. there is no record present when transforming a given value or

9412

# 2. the field is not present when transforming a given value,

9413

#

9414

# plaintext would be used as is for encryption.

9415

#

9416

# Note that case (1) is expected when an `InfoTypeTransformation` is

9417

# applied to both structured and non-structured `ContentItem`s.

9418

"name": "A String", # Name describing the field.

9419

},

9420

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

9421

# a key encryption key (KEK) stored by KMS).

9422

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9423

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9424

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9425

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9426

# leaking the key. Choose another type of key if possible.

9427

"key": "A String", # Required. A 128/192/256 bit key.

9428

},

9429

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9430

# It will be discarded after the request finishes.

9431

"name": "A String", # Required. Name of the key.

9432

# This is an arbitrary string used to differentiate different keys.

9433

# A unique key is generated per name: two separate `TransientCryptoKey`

9434

# protos share the same generated key if their names are the same.

9435

# When the data crypto key is generated, this name is not used in any way

9436

# (repeating the api call will result in a different key being generated).

9437

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9438

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9439

# The wrapped key must be a 128/192/256 bit key.

9440

# Authorization requires the following IAM permissions when sending a request

9441

# to perform a crypto transformation using a kms-wrapped crypto key:

9442

# dlp.kms.encrypt

9443

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9444

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9445

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9446

},

9447

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9448

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

9449

# replacement values are dynamically provided by the user for custom behavior,

9450

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

9451

# This can be used on

9452

# data of type: number, long, string, timestamp.

9453

# If the bound `Value` type differs from the type of data being transformed, we

9454

# will first attempt converting the type of the data to be transformed to match

9455

# the type of the bound before comparing.

9456

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

9457

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

9458

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9459

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

9460

# the default behavior will be to hyphenate the min-max range.

9461

# Note that for the purposes of inspection or transformation, the number

9462

# of bytes considered to comprise a 'Value' is based on its representation

9463

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9464

# 123456789, the number of bytes would be counted as 9, even though an

9465

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9466

"timestampValue": "A String", # timestamp

9467

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9468

# and time zone are either specified elsewhere or are not significant. The date

9469

# is relative to the Proleptic Gregorian Calendar. This can represent:

9470

#

9471

# * A full date, with non-zero year, month and day values

9472

# * A month and day value, with a zero year, e.g. an anniversary

9473

# * A year on its own, with zero month and day values

9474

# * A year and month value, with a zero day, e.g. a credit card expiration date

9475

#

9476

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9477

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9478

# a year.

9479

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9480

# month and day.

9481

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9482

# if specifying a year by itself or a year and month where the day is not

9483

# significant.

9484

},

9485

"stringValue": "A String", # string

9486

"integerValue": "A String", # integer

9487

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9488

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9489

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9490

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9491

# to allow the value "24:00:00" for scenarios like business closing time.

9492

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9493

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9494

# allow the value 60 if it allows leap-seconds.

9495

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9496

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9497

"booleanValue": True or False, # boolean

9498

"floatValue": 3.14, # float

9499

"dayOfWeekValue": "A String", # day of week

9500

},

9501

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

9502

# used.

9503

# Note that for the purposes of inspection or transformation, the number

9504

# of bytes considered to comprise a 'Value' is based on its representation

9505

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9506

# 123456789, the number of bytes would be counted as 9, even though an

9507

# int64 only holds up to 8 bytes of data.

9508

"timestampValue": "A String", # timestamp

9509

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9510

# and time zone are either specified elsewhere or are not significant. The date

9511

# is relative to the Proleptic Gregorian Calendar. This can represent:

9512

#

9513

# * A full date, with non-zero year, month and day values

9514

# * A month and day value, with a zero year, e.g. an anniversary

9515

# * A year on its own, with zero month and day values

9516

# * A year and month value, with a zero day, e.g. a credit card expiration date

9517

#

9518

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9519

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9520

# a year.

9521

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9522

# month and day.

9523

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9524

# if specifying a year by itself or a year and month where the day is not

9525

# significant.

9526

},

9527

"stringValue": "A String", # string

9528

"integerValue": "A String", # integer

9529

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9530

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9531

# types are google.type.Date and `google.protobuf.Timestamp`.

9532

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9533

# to allow the value "24:00:00" for scenarios like business closing time.

9534

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9535

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9536

# allow the value 60 if it allows leap-seconds.

9537

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9538

},

9539

"booleanValue": True or False, # boolean

9540

"floatValue": 3.14, # float

9541

"dayOfWeekValue": "A String", # day of week

9542

},

9543

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

9544

# Note that for the purposes of inspection or transformation, the number

9545

# of bytes considered to comprise a 'Value' is based on its representation

9546

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9547

# 123456789, the number of bytes would be counted as 9, even though an

9548

# int64 only holds up to 8 bytes of data.

9549

"timestampValue": "A String", # timestamp

9550

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9551

# and time zone are either specified elsewhere or are not significant. The date

9552

# is relative to the Proleptic Gregorian Calendar. This can represent:

9553

#

9554

# * A full date, with non-zero year, month and day values

9555

# * A month and day value, with a zero year, e.g. an anniversary

9556

# * A year on its own, with zero month and day values

9557

# * A year and month value, with a zero day, e.g. a credit card expiration date

9558

#

9559

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9560

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9561

# a year.

9562

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9563

# month and day.

9564

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9565

# if specifying a year by itself or a year and month where the day is not

9566

# significant.

9567

},

9568

"stringValue": "A String", # string

9569

"integerValue": "A String", # integer

9570

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9571

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9572

# types are google.type.Date and `google.protobuf.Timestamp`.

9573

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9574

# to allow the value "24:00:00" for scenarios like business closing time.

9575

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9576

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9577

# allow the value 60 if it allows leap-seconds.

9578

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9579

},

9580

"booleanValue": True or False, # boolean

9581

"floatValue": 3.14, # float

9582

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9587

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

9588

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

9589

# output would be 'My phone number is '.

9590

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9591

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

9592

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

9593

# Note that for the purposes of inspection or transformation, the number

9594

# of bytes considered to comprise a 'Value' is based on its representation

9595

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9596

# 123456789, the number of bytes would be counted as 9, even though an

9597

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9598

"timestampValue": "A String", # timestamp

9599

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9600

# and time zone are either specified elsewhere or are not significant. The date

9601

# is relative to the Proleptic Gregorian Calendar. This can represent:

9602

#

9603

# * A full date, with non-zero year, month and day values

9604

# * A month and day value, with a zero year, e.g. an anniversary

9605

# * A year on its own, with zero month and day values

9606

# * A year and month value, with a zero day, e.g. a credit card expiration date

9607

#

9608

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9609

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9610

# a year.

9611

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9612

# month and day.

9613

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9614

# if specifying a year by itself or a year and month where the day is not

9615

# significant.

9616

},

9617

"stringValue": "A String", # string

9618

"integerValue": "A String", # integer

9619

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9620

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9621

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9622

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9623

# to allow the value "24:00:00" for scenarios like business closing time.

9624

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9625

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9626

# allow the value 60 if it allows leap-seconds.

9627

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9628

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9629

"booleanValue": True or False, # boolean

9630

"floatValue": 3.14, # float

9631

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9632

},

9633

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9634

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

9635

# Bucketing transformation can provide all of this functionality,

9636

# but requires more configuration. This message is provided as a convenience to

9637

# the user for simple bucketing strategies.

9638

#

9639

# The transformed value will be a hyphenated string of

9640

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

9641

# all values that are within this bucket will be replaced with "10-20".

9642

#

9643

# This can be used on data of type: double, long.

9644

#

9645

# If the bound Value type differs from the type of data

9646

# being transformed, we will first attempt converting the type of the data to

9647

# be transformed to match the type of the bound before comparing.

9648

#

9649

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9650

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

9651

# grouped together into a single bucket; for example if `upper_bound` = 89,

9652

# then all values greater than 89 are replaced with the value "89+".

9653

# Note that for the purposes of inspection or transformation, the number

9654

# of bytes considered to comprise a 'Value' is based on its representation

9655

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9656

# 123456789, the number of bytes would be counted as 9, even though an

9657

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9658

"timestampValue": "A String", # timestamp

9659

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9660

# and time zone are either specified elsewhere or are not significant. The date

9661

# is relative to the Proleptic Gregorian Calendar. This can represent:

9662

#

9663

# * A full date, with non-zero year, month and day values

9664

# * A month and day value, with a zero year, e.g. an anniversary

9665

# * A year on its own, with zero month and day values

9666

# * A year and month value, with a zero day, e.g. a credit card expiration date

9667

#

9668

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9669

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9670

# a year.

9671

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9672

# month and day.

9673

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9674

# if specifying a year by itself or a year and month where the day is not

9675

# significant.

9676

},

9677

"stringValue": "A String", # string

9678

"integerValue": "A String", # integer

9679

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9680

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9681

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9682

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9683

# to allow the value "24:00:00" for scenarios like business closing time.

9684

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9685

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9686

# allow the value 60 if it allows leap-seconds.

9687

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9688

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9689

"booleanValue": True or False, # boolean

9690

"floatValue": 3.14, # float

9691

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9692

},

9693

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

9694

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

9695

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

9696

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9697

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

9698

# grouped together into a single bucket; for example if `lower_bound` = 10,

9699

# then all values less than 10 are replaced with the value "-10".

9700

# Note that for the purposes of inspection or transformation, the number

9701

# of bytes considered to comprise a 'Value' is based on its representation

9702

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

9703

# 123456789, the number of bytes would be counted as 9, even though an

9704

# int64 only holds up to 8 bytes of data.

9705

"timestampValue": "A String", # timestamp

9706

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

9707

# and time zone are either specified elsewhere or are not significant. The date

9708

# is relative to the Proleptic Gregorian Calendar. This can represent:

9709

#

9710

# * A full date, with non-zero year, month and day values

9711

# * A month and day value, with a zero year, e.g. an anniversary

9712

# * A year on its own, with zero month and day values

9713

# * A year and month value, with a zero day, e.g. a credit card expiration date

9714

#

9715

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

9716

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

9717

# a year.

9718

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

9719

# month and day.

9720

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

9721

# if specifying a year by itself or a year and month where the day is not

9722

# significant.

9723

},

9724

"stringValue": "A String", # string

9725

"integerValue": "A String", # integer

9726

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

9727

# or are specified elsewhere. An API may choose to allow leap seconds. Related

9728

# types are google.type.Date and `google.protobuf.Timestamp`.

9729

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

9730

# to allow the value "24:00:00" for scenarios like business closing time.

9731

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

9732

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

9733

# allow the value 60 if it allows leap-seconds.

9734

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

9735

},

9736

"booleanValue": True or False, # boolean

9737

"floatValue": 3.14, # float

9738

"dayOfWeekValue": "A String", # day of week

9739

},

9740

},

9741

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

9742

# fixed character. Masking can start from the beginning or end of the string.

9743

# This can be used on data of any type (numbers, longs, and so on) and when

9744

# de-identifying structured data we'll attempt to preserve the original data's

9745

# type. (This allows you to take a long like 123 and modify it to a string like

9746

# **3.

9747

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

9748

# characters. For example, if the input string is `555-555-5555` and you

9749

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

9750

# returns `***-**5-5555`.

9751

{ # Characters to skip when doing deidentification of a value. These will be left

9752

# alone and skipped.

9753

"charactersToSkip": "A String", # Characters to not transform when masking.

9754

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

9759

# masked. Skipped characters do not count towards this tally.

9760

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

9761

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

9762

# code or credit card number. This string must have a length of 1. If not

9763

# supplied, this value defaults to `*` for strings, and `0` for digits.

9764

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

9765

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

9766

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

9767

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

9768

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9769

},

9770

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9771

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

9772

# this transformation to apply to all findings that correspond to

9773

# infoTypes that were requested in `InspectConfig`.

9774

{ # Type of information detected by the API.

9775

"name": "A String", # Name of the information type. Either a name of your choosing when

9776

# creating a CustomInfoType, or one of the names listed

9777

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9778

# a built-in type. InfoType names should conform to the pattern

9779

# `[a-zA-Z0-9_]{1,64}`.

9780

},

9781

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

9786

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

9787

# portion of the value.

9788

"partToExtract": "A String", # The part of the time to keep.

9789

},

9790

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

9791

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

9792

# to learn more.

9793

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

9794

# If set, must also set cryptoKey. If set, shift will be consistent for the

9795

# given context.

9796

"name": "A String", # Name describing the field.

9797

},

9798

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

9799

# range (inclusive ends). Negative means shift to earlier in time. Must not

9800

# be more than 365250 days (1000 years) each direction.

9801

#

9802

# For example, 3 means shift date to at most 3 days into the future.

9803

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

9804

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

9805

# results in the same shift for the same context and crypto_key. If

9806

# set, must also set context. Can only be applied to table items.

9807

# a key encryption key (KEK) stored by KMS).

9808

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9809

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9810

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9811

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9812

# leaking the key. Choose another type of key if possible.

9813

"key": "A String", # Required. A 128/192/256 bit key.

9814

},

9815

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9816

# It will be discarded after the request finishes.

9817

"name": "A String", # Required. Name of the key.

9818

# This is an arbitrary string used to differentiate different keys.

9819

# A unique key is generated per name: two separate `TransientCryptoKey`

9820

# protos share the same generated key if their names are the same.

9821

# When the data crypto key is generated, this name is not used in any way

9822

# (repeating the api call will result in a different key being generated).

9823

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9824

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9825

# The wrapped key must be a 128/192/256 bit key.

9826

# Authorization requires the following IAM permissions when sending a request

9827

# to perform a crypto transformation using a kms-wrapped crypto key:

9828

# dlp.kms.encrypt

9829

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9830

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9831

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9832

},

9833

},

9834

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

9835

},

9836

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

9837

# Uses SHA-256.

9838

# The key size must be either 32 or 64 bytes.

9839

# Outputs a base64 encoded representation of the hashed output

9840

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

9841

# Currently, only string and integer values can be hashed.

9842

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

9843

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

9844

# a key encryption key (KEK) stored by KMS).

9845

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9846

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9847

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9848

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9849

# leaking the key. Choose another type of key if possible.

9850

"key": "A String", # Required. A 128/192/256 bit key.

9851

},

9852

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9853

# It will be discarded after the request finishes.

9854

"name": "A String", # Required. Name of the key.

9855

# This is an arbitrary string used to differentiate different keys.

9856

# A unique key is generated per name: two separate `TransientCryptoKey`

9857

# protos share the same generated key if their names are the same.

9858

# When the data crypto key is generated, this name is not used in any way

9859

# (repeating the api call will result in a different key being generated).

9860

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9861

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9862

# The wrapped key must be a 128/192/256 bit key.

9863

# Authorization requires the following IAM permissions when sending a request

9864

# to perform a crypto transformation using a kms-wrapped crypto key:

9865

# dlp.kms.encrypt

9866

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9867

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9868

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9869

},

9870

},

9871

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

9872

# (FPE) with the FFX mode of operation; however when used in the

9873

# `ReidentifyContent` API method, it serves the opposite function by reversing

9874

# the surrogate back into the original identifier. The identifier must be

9875

# encoded as ASCII. For a given crypto key and context, the same identifier

9876

# will be replaced with the same surrogate. Identifiers must be at least two

9877

# characters long. In the case that the identifier is the empty string, it will

9878

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

9879

# more.

9880

#

9881

# Note: We recommend using CryptoDeterministicConfig for all use cases which

9882

# do not require preserving the input alphabet space and size, plus warrant

9883

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9884

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

9885

# This annotation will be applied to the surrogate by prefixing it with

9886

# the name of the custom infoType followed by the number of

9887

# characters comprising the surrogate. The following scheme defines the

9888

# format: info_type_name(surrogate_character_count):surrogate

9889

#

9890

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

9891

# the surrogate is 'abc', the full replacement value

9892

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9893

#

9894

# This annotation identifies the surrogate when inspecting content using the

9895

# custom infoType

9896

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

9897

# This facilitates reversal of the surrogate when it occurs in free text.

9898

#

9899

# In order for inspection to work properly, the name of this infoType must

9900

# not occur naturally anywhere in your data; otherwise, inspection may

9901

# find a surrogate that does not correspond to an actual identifier.

9902

# Therefore, choose your custom infoType name carefully after considering

9903

# what your data looks like. One way to select a name that has a high chance

9904

# of yielding reliable detection is to include one or more unicode characters

9905

# that are highly improbable to exist in your data.

9906

# For example, assuming your data is entered from a regular ASCII keyboard,

9907

# the symbol with the hex code point 29DD might be used like so:

9908

# ⧝MY_TOKEN_TYPE

9909

"name": "A String", # Name of the information type. Either a name of your choosing when

9910

# creating a CustomInfoType, or one of the names listed

9911

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

9912

# a built-in type. InfoType names should conform to the pattern

9913

# `[a-zA-Z0-9_]{1,64}`.

9914

},

9915

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

9916

# identifier in two different contexts won't be given the same surrogate. If

9917

# the context is not set, a default tweak will be used.

9918

#

9919

# If the context is set but:

9920

#

9921

# 1. there is no record present when transforming a given value or

9922

# 1. the field is not present when transforming a given value,

9923

#

9924

# a default tweak will be used.

9925

#

9926

# Note that case (1) is expected when an `InfoTypeTransformation` is

9927

# applied to both structured and non-structured `ContentItem`s.

9928

# Currently, the referenced field may be of value type integer or string.

9929

#

9930

# The tweak is constructed as a sequence of bytes in big endian byte order

9931

# such that:

9932

#

9933

# - a 64 bit integer is encoded followed by a single byte of value 1

9934

# - a string is encoded in UTF-8 format followed by a single byte of value 2

9935

"name": "A String", # Name describing the field.

9936

},

9937

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

9938

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

9939

# a key encryption key (KEK) stored by KMS).

9940

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

9941

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

9942

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9943

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

9944

# leaking the key. Choose another type of key if possible.

9945

"key": "A String", # Required. A 128/192/256 bit key.

9946

},

9947

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

9948

# It will be discarded after the request finishes.

9949

"name": "A String", # Required. Name of the key.

9950

# This is an arbitrary string used to differentiate different keys.

9951

# A unique key is generated per name: two separate `TransientCryptoKey`

9952

# protos share the same generated key if their names are the same.

9953

# When the data crypto key is generated, this name is not used in any way

9954

# (repeating the api call will result in a different key being generated).

9955

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9956

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

9957

# The wrapped key must be a 128/192/256 bit key.

9958

# Authorization requires the following IAM permissions when sending a request

9959

# to perform a crypto transformation using a kms-wrapped crypto key:

9960

# dlp.kms.encrypt

9961

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

9962

"wrappedKey": "A String", # Required. The wrapped data crypto key.

9963

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9964

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

9965

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

9966

# that the FFX mode natively supports. This happens before/after

9967

# encryption/decryption.

9968

# Each character listed must appear only once.

9969

# Number of characters must be in the range [2, 95].

9970

# This must be encoded as ASCII.

9971

# The order of characters does not matter.

9972

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

9973

},

9974

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

9975

# input. Outputs a base64 encoded representation of the encrypted output.

9976

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

9977

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

9978

# This annotation will be applied to the surrogate by prefixing it with

9979

# the name of the custom info type followed by the number of

9980

# characters comprising the surrogate. The following scheme defines the

9981

# format: {info type name}({surrogate character count}):{surrogate}

9982

#

9983

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

9984

# the surrogate is 'abc', the full replacement value

9985

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

9986

#

9987

# This annotation identifies the surrogate when inspecting content using the

9988

# custom info type 'Surrogate'. This facilitates reversal of the

9989

# surrogate when it occurs in free text.

9990

#

9991

# Note: For record transformations where the entire cell in a table is being

9992

# transformed, surrogates are not mandatory. Surrogates are used to denote

9993

# the location of the token and are necessary for re-identification in free

9994

# form text.

9995

#

9996

# In order for inspection to work properly, the name of this info type must

9997

# not occur naturally anywhere in your data; otherwise, inspection may either

9998

#

9999

# - reverse a surrogate that does not correspond to an actual identifier

10000

# - be unable to parse the surrogate and result in an error

10001

#

10002

# Therefore, choose your custom info type name carefully after considering

10003

# what your data looks like. One way to select a name that has a high chance

10004

# of yielding reliable detection is to include one or more unicode characters

10005

# that are highly improbable to exist in your data.

10006

# For example, assuming your data is entered from a regular ASCII keyboard,

10007

# the symbol with the hex code point 29DD might be used like so:

10008

# ⧝MY_TOKEN_TYPE.

10009

"name": "A String", # Name of the information type. Either a name of your choosing when

10010

# creating a CustomInfoType, or one of the names listed

10011

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10012

# a built-in type. InfoType names should conform to the pattern

10013

# `[a-zA-Z0-9_]{1,64}`.

10014

},

10015

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

10016

# referential integrity such that the same identifier in two different

10017

# contexts will be given a distinct surrogate. The context is appended to

10018

# plaintext value being encrypted. On decryption the provided context is

10019

# validated against the value used during encryption. If a context was

10020

# provided during encryption, same context must be provided during decryption

10021

# as well.

10022

#

10023

# If the context is not set, plaintext would be used as is for encryption.

10024

# If the context is set but:

10025

#

10026

# 1. there is no record present when transforming a given value or

10027

# 2. the field is not present when transforming a given value,

10028

#

10029

# plaintext would be used as is for encryption.

10030

#

10031

# Note that case (1) is expected when an `InfoTypeTransformation` is

10032

# applied to both structured and non-structured `ContentItem`s.

10033

"name": "A String", # Name describing the field.

10034

},

10035

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

10036

# a key encryption key (KEK) stored by KMS).

10037

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10038

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10039

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10040

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10041

# leaking the key. Choose another type of key if possible.

10042

"key": "A String", # Required. A 128/192/256 bit key.

10043

},

10044

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10045

# It will be discarded after the request finishes.

10046

"name": "A String", # Required. Name of the key.

10047

# This is an arbitrary string used to differentiate different keys.

10048

# A unique key is generated per name: two separate `TransientCryptoKey`

10049

# protos share the same generated key if their names are the same.

10050

# When the data crypto key is generated, this name is not used in any way

10051

# (repeating the api call will result in a different key being generated).

10052

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10053

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10054

# The wrapped key must be a 128/192/256 bit key.

10055

# Authorization requires the following IAM permissions when sending a request

10056

# to perform a crypto transformation using a kms-wrapped crypto key:

10057

# dlp.kms.encrypt

10058

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10059

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10060

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10061

},

10062

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10063

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

10064

# replacement values are dynamically provided by the user for custom behavior,

10065

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

10066

# This can be used on

10067

# data of type: number, long, string, timestamp.

10068

# If the bound `Value` type differs from the type of data being transformed, we

10069

# will first attempt converting the type of the data to be transformed to match

10070

# the type of the bound before comparing.

10071

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

10072

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

10073

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10074

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

10075

# the default behavior will be to hyphenate the min-max range.

10076

# Note that for the purposes of inspection or transformation, the number

10077

# of bytes considered to comprise a 'Value' is based on its representation

10078

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10079

# 123456789, the number of bytes would be counted as 9, even though an

10080

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10081

"timestampValue": "A String", # timestamp

10082

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10083

# and time zone are either specified elsewhere or are not significant. The date

10084

# is relative to the Proleptic Gregorian Calendar. This can represent:

10085

#

10086

# * A full date, with non-zero year, month and day values

10087

# * A month and day value, with a zero year, e.g. an anniversary

10088

# * A year on its own, with zero month and day values

10089

# * A year and month value, with a zero day, e.g. a credit card expiration date

10090

#

10091

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10092

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10093

# a year.

10094

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10095

# month and day.

10096

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10097

# if specifying a year by itself or a year and month where the day is not

10098

# significant.

10099

},

10100

"stringValue": "A String", # string

10101

"integerValue": "A String", # integer

10102

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10103

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10104

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10105

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10106

# to allow the value "24:00:00" for scenarios like business closing time.

10107

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10108

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10109

# allow the value 60 if it allows leap-seconds.

10110

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10111

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10112

"booleanValue": True or False, # boolean

10113

"floatValue": 3.14, # float

10114

"dayOfWeekValue": "A String", # day of week

10115

},

10116

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

10117

# used.

10118

# Note that for the purposes of inspection or transformation, the number

10119

# of bytes considered to comprise a 'Value' is based on its representation

10120

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10121

# 123456789, the number of bytes would be counted as 9, even though an

10122

# int64 only holds up to 8 bytes of data.

10123

"timestampValue": "A String", # timestamp

10124

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10125

# and time zone are either specified elsewhere or are not significant. The date

10126

# is relative to the Proleptic Gregorian Calendar. This can represent:

10127

#

10128

# * A full date, with non-zero year, month and day values

10129

# * A month and day value, with a zero year, e.g. an anniversary

10130

# * A year on its own, with zero month and day values

10131

# * A year and month value, with a zero day, e.g. a credit card expiration date

10132

#

10133

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10134

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10135

# a year.

10136

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10137

# month and day.

10138

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10139

# if specifying a year by itself or a year and month where the day is not

10140

# significant.

10141

},

10142

"stringValue": "A String", # string

10143

"integerValue": "A String", # integer

10144

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10145

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10146

# types are google.type.Date and `google.protobuf.Timestamp`.

10147

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10148

# to allow the value "24:00:00" for scenarios like business closing time.

10149

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10150

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10151

# allow the value 60 if it allows leap-seconds.

10152

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10153

},

10154

"booleanValue": True or False, # boolean

10155

"floatValue": 3.14, # float

10156

"dayOfWeekValue": "A String", # day of week

10157

},

10158

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

10159

# Note that for the purposes of inspection or transformation, the number

10160

# of bytes considered to comprise a 'Value' is based on its representation

10161

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10162

# 123456789, the number of bytes would be counted as 9, even though an

10163

# int64 only holds up to 8 bytes of data.

10164

"timestampValue": "A String", # timestamp

10165

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10166

# and time zone are either specified elsewhere or are not significant. The date

10167

# is relative to the Proleptic Gregorian Calendar. This can represent:

10168

#

10169

# * A full date, with non-zero year, month and day values

10170

# * A month and day value, with a zero year, e.g. an anniversary

10171

# * A year on its own, with zero month and day values

10172

# * A year and month value, with a zero day, e.g. a credit card expiration date

10173

#

10174

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10175

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10176

# a year.

10177

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10178

# month and day.

10179

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10180

# if specifying a year by itself or a year and month where the day is not

10181

# significant.

10182

},

10183

"stringValue": "A String", # string

10184

"integerValue": "A String", # integer

10185

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10186

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10187

# types are google.type.Date and `google.protobuf.Timestamp`.

10188

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10189

# to allow the value "24:00:00" for scenarios like business closing time.

10190

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10191

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10192

# allow the value 60 if it allows leap-seconds.

10193

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10194

},

10195

"booleanValue": True or False, # boolean

10196

"floatValue": 3.14, # float

10197

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10202

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

10203

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

10204

# output would be 'My phone number is '.

10205

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10206

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

10207

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

10208

# Note that for the purposes of inspection or transformation, the number

10209

# of bytes considered to comprise a 'Value' is based on its representation

10210

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10211

# 123456789, the number of bytes would be counted as 9, even though an

10212

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10213

"timestampValue": "A String", # timestamp

10214

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10215

# and time zone are either specified elsewhere or are not significant. The date

10216

# is relative to the Proleptic Gregorian Calendar. This can represent:

10217

#

10218

# * A full date, with non-zero year, month and day values

10219

# * A month and day value, with a zero year, e.g. an anniversary

10220

# * A year on its own, with zero month and day values

10221

# * A year and month value, with a zero day, e.g. a credit card expiration date

10222

#

10223

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10224

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10225

# a year.

10226

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10227

# month and day.

10228

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10229

# if specifying a year by itself or a year and month where the day is not

10230

# significant.

10231

},

10232

"stringValue": "A String", # string

10233

"integerValue": "A String", # integer

10234

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10235

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10236

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10237

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10238

# to allow the value "24:00:00" for scenarios like business closing time.

10239

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10240

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10241

# allow the value 60 if it allows leap-seconds.

10242

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10243

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10244

"booleanValue": True or False, # boolean

10245

"floatValue": 3.14, # float

10246

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10247

},

10248

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10249

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

10250

# Bucketing transformation can provide all of this functionality,

10251

# but requires more configuration. This message is provided as a convenience to

10252

# the user for simple bucketing strategies.

10253

#

10254

# The transformed value will be a hyphenated string of

10255

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

10256

# all values that are within this bucket will be replaced with "10-20".

10257

#

10258

# This can be used on data of type: double, long.

10259

#

10260

# If the bound Value type differs from the type of data

10261

# being transformed, we will first attempt converting the type of the data to

10262

# be transformed to match the type of the bound before comparing.

10263

#

10264

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10265

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

10266

# grouped together into a single bucket; for example if `upper_bound` = 89,

10267

# then all values greater than 89 are replaced with the value "89+".

10268

# Note that for the purposes of inspection or transformation, the number

10269

# of bytes considered to comprise a 'Value' is based on its representation

10270

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10271

# 123456789, the number of bytes would be counted as 9, even though an

10272

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10273

"timestampValue": "A String", # timestamp

10274

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10275

# and time zone are either specified elsewhere or are not significant. The date

10276

# is relative to the Proleptic Gregorian Calendar. This can represent:

10277

#

10278

# * A full date, with non-zero year, month and day values

10279

# * A month and day value, with a zero year, e.g. an anniversary

10280

# * A year on its own, with zero month and day values

10281

# * A year and month value, with a zero day, e.g. a credit card expiration date

10282

#

10283

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10284

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10285

# a year.

10286

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10287

# month and day.

10288

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10289

# if specifying a year by itself or a year and month where the day is not

10290

# significant.

10291

},

10292

"stringValue": "A String", # string

10293

"integerValue": "A String", # integer

10294

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10295

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10296

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10297

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10298

# to allow the value "24:00:00" for scenarios like business closing time.

10299

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10300

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10301

# allow the value 60 if it allows leap-seconds.

10302

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10303

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10304

"booleanValue": True or False, # boolean

10305

"floatValue": 3.14, # float

10306

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10307

},

10308

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

10309

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

10310

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

10311

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10312

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

10313

# grouped together into a single bucket; for example if `lower_bound` = 10,

10314

# then all values less than 10 are replaced with the value "-10".

10315

# Note that for the purposes of inspection or transformation, the number

10316

# of bytes considered to comprise a 'Value' is based on its representation

10317

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10318

# 123456789, the number of bytes would be counted as 9, even though an

10319

# int64 only holds up to 8 bytes of data.

10320

"timestampValue": "A String", # timestamp

10321

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10322

# and time zone are either specified elsewhere or are not significant. The date

10323

# is relative to the Proleptic Gregorian Calendar. This can represent:

10324

#

10325

# * A full date, with non-zero year, month and day values

10326

# * A month and day value, with a zero year, e.g. an anniversary

10327

# * A year on its own, with zero month and day values

10328

# * A year and month value, with a zero day, e.g. a credit card expiration date

10329

#

10330

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10331

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10332

# a year.

10333

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10334

# month and day.

10335

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10336

# if specifying a year by itself or a year and month where the day is not

10337

# significant.

10338

},

10339

"stringValue": "A String", # string

10340

"integerValue": "A String", # integer

10341

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10342

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10343

# types are google.type.Date and `google.protobuf.Timestamp`.

10344

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10345

# to allow the value "24:00:00" for scenarios like business closing time.

10346

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10347

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10348

# allow the value 60 if it allows leap-seconds.

10349

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10350

},

10351

"booleanValue": True or False, # boolean

10352

"floatValue": 3.14, # float

10353

"dayOfWeekValue": "A String", # day of week

10354

},

10355

},

10356

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

10357

# fixed character. Masking can start from the beginning or end of the string.

10358

# This can be used on data of any type (numbers, longs, and so on) and when

10359

# de-identifying structured data we'll attempt to preserve the original data's

10360

# type. (This allows you to take a long like 123 and modify it to a string like

10361

# **3.

10362

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

10363

# characters. For example, if the input string is `555-555-5555` and you

10364

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

10365

# returns `***-**5-5555`.

10366

{ # Characters to skip when doing deidentification of a value. These will be left

10367

# alone and skipped.

10368

"charactersToSkip": "A String", # Characters to not transform when masking.

10369

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

10374

# masked. Skipped characters do not count towards this tally.

10375

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

10376

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

10377

# code or credit card number. This string must have a length of 1. If not

10378

# supplied, this value defaults to `*` for strings, and `0` for digits.

10379

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

10380

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

10381

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

10382

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

10383

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10384

},

10385

},

10386

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

10387

# given `RecordCondition`. The conditions are allowed to reference fields

10388

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

10393

# column for the same record is within a specific range.

10394

# - Redact a field if the date of birth field is greater than 85.

10395

# a field.

10396

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

10397

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

10398

# only supported value is `AND`.

10399

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

10400

"conditions": [ # A collection of conditions.

10401

{ # The field type of `value` and `field` do not need to match to be

10402

# considered equal, but not all comparisons are possible.

10403

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

10404

# but all other comparisons are invalid with incompatible types.

10405

# A `value` of type:

10406

#

10407

# - `string` can be compared against all other types

10408

# - `boolean` can only be compared against other booleans

10409

# - `integer` can be compared against doubles or a string if the string value

10410

# can be parsed as an integer.

10411

# - `double` can be compared against integers or a string if the string can

10412

# be parsed as a double.

10413

# - `Timestamp` can be compared against strings in RFC 3339 date string

10414

# format.

10415

# - `TimeOfDay` can be compared against timestamps and strings in the format

10416

# of 'HH:mm:ss'.

10417

#

10418

# If we fail to compare do to type mismatch, a warning will be given and

10419

# the condition will evaluate to false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10420

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

10421

# Note that for the purposes of inspection or transformation, the number

10422

# of bytes considered to comprise a 'Value' is based on its representation

10423

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10424

# 123456789, the number of bytes would be counted as 9, even though an

10425

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10426

"timestampValue": "A String", # timestamp

10427

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10428

# and time zone are either specified elsewhere or are not significant. The date

10429

# is relative to the Proleptic Gregorian Calendar. This can represent:

10430

#

10431

# * A full date, with non-zero year, month and day values

10432

# * A month and day value, with a zero year, e.g. an anniversary

10433

# * A year on its own, with zero month and day values

10434

# * A year and month value, with a zero day, e.g. a credit card expiration date

10435

#

10436

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10437

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10438

# a year.

10439

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10440

# month and day.

10441

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10442

# if specifying a year by itself or a year and month where the day is not

10443

# significant.

10444

},

10445

"stringValue": "A String", # string

10446

"integerValue": "A String", # integer

10447

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10448

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10449

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10450

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10451

# to allow the value "24:00:00" for scenarios like business closing time.

10452

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10453

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10454

# allow the value 60 if it allows leap-seconds.

10455

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10456

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10457

"booleanValue": True or False, # boolean

10458

"floatValue": 3.14, # float

10459

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10460

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10461

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

10462

"name": "A String", # Name describing the field.

10463

},

10464

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

},

},

},

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10472

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

10473

# match any suppression rule are omitted from the output.

10474

{ # Configuration to suppress records whose suppression conditions evaluate to

10475

# true.

10476

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

10477

# evaluated to be suppressed from the transformed content.

10478

# a field.

10479

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

10480

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

10481

# only supported value is `AND`.

10482

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

10483

"conditions": [ # A collection of conditions.

10484

{ # The field type of `value` and `field` do not need to match to be

10485

# considered equal, but not all comparisons are possible.

10486

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

10487

# but all other comparisons are invalid with incompatible types.

10488

# A `value` of type:

10489

#

10490

# - `string` can be compared against all other types

10491

# - `boolean` can only be compared against other booleans

10492

# - `integer` can be compared against doubles or a string if the string value

10493

# can be parsed as an integer.

10494

# - `double` can be compared against integers or a string if the string can

10495

# be parsed as a double.

10496

# - `Timestamp` can be compared against strings in RFC 3339 date string

10497

# format.

10498

# - `TimeOfDay` can be compared against timestamps and strings in the format

10499

# of 'HH:mm:ss'.

10500

#

10501

# If we fail to compare do to type mismatch, a warning will be given and

10502

# the condition will evaluate to false.

10503

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

10504

# Note that for the purposes of inspection or transformation, the number

10505

# of bytes considered to comprise a 'Value' is based on its representation

10506

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10507

# 123456789, the number of bytes would be counted as 9, even though an

10508

# int64 only holds up to 8 bytes of data.

10509

"timestampValue": "A String", # timestamp

10510

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10511

# and time zone are either specified elsewhere or are not significant. The date

10512

# is relative to the Proleptic Gregorian Calendar. This can represent:

10513

#

10514

# * A full date, with non-zero year, month and day values

10515

# * A month and day value, with a zero year, e.g. an anniversary

10516

# * A year on its own, with zero month and day values

10517

# * A year and month value, with a zero day, e.g. a credit card expiration date

10518

#

10519

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10520

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10521

# a year.

10522

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10523

# month and day.

10524

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10525

# if specifying a year by itself or a year and month where the day is not

10526

# significant.

10527

},

10528

"stringValue": "A String", # string

10529

"integerValue": "A String", # integer

10530

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10531

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10532

# types are google.type.Date and `google.protobuf.Timestamp`.

10533

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10534

# to allow the value "24:00:00" for scenarios like business closing time.

10535

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10536

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10537

# allow the value 60 if it allows leap-seconds.

10538

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10539

},

10540

"booleanValue": True or False, # boolean

10541

"floatValue": 3.14, # float

10542

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10543

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10544

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

10545

"name": "A String", # Name describing the field.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10546

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10547

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10548

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10549

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

10550

},

10551

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

},

},

"updateMask": "A String", # Mask to control which fields get updated.

10559

}

10560

10561

x__xgafv: string, V1 error format.

Allowed values

1 - v1 error format

2 - v2 error format

Returns:

An object of the form:

10568

10569

{ # DeidentifyTemplates contains instructions on how to de-identify content.

10570

# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.

10571

"name": "A String", # Output only. The template name.

10572

#

10573

# The template will have one of the following formats:

10574

# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR

10575

# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`

10576

"description": "A String", # Short description (max 256 chars).

10577

"displayName": "A String", # Display name (max 256 chars).

10578

"createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.

10579

"updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.

10580

"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

10581

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text

10582

# transformation everywhere.

10583

# apply various `PrimitiveTransformation`s to each finding, where the

10584

# transformation is applied to only values that were identified as a specific

10585

# info_type.

10586

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

10587

# for a given infoType.

10588

{ # A transformation to apply to text that is identified as a specific

10589

# info_type.

10590

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

10591

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

10592

# portion of the value.

10593

"partToExtract": "A String", # The part of the time to keep.

10594

},

10595

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

10596

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

10597

# to learn more.

10598

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

10599

# If set, must also set cryptoKey. If set, shift will be consistent for the

10600

# given context.

10601

"name": "A String", # Name describing the field.

10602

},

10603

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

10604

# range (inclusive ends). Negative means shift to earlier in time. Must not

10605

# be more than 365250 days (1000 years) each direction.

10606

#

10607

# For example, 3 means shift date to at most 3 days into the future.

10608

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

10609

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

10610

# results in the same shift for the same context and crypto_key. If

10611

# set, must also set context. Can only be applied to table items.

10612

# a key encryption key (KEK) stored by KMS).

10613

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10614

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10615

# unwrap the data crypto key.

10616

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10617

# leaking the key. Choose another type of key if possible.

10618

"key": "A String", # Required. A 128/192/256 bit key.

10619

},

10620

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10621

# It will be discarded after the request finishes.

10622

"name": "A String", # Required. Name of the key.

10623

# This is an arbitrary string used to differentiate different keys.

10624

# A unique key is generated per name: two separate `TransientCryptoKey`

10625

# protos share the same generated key if their names are the same.

10626

# When the data crypto key is generated, this name is not used in any way

10627

# (repeating the api call will result in a different key being generated).

10628

},

10629

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10630

# The wrapped key must be a 128/192/256 bit key.

10631

# Authorization requires the following IAM permissions when sending a request

10632

# to perform a crypto transformation using a kms-wrapped crypto key:

10633

# dlp.kms.encrypt

10634

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10635

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

10640

},

10641

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

10642

# Uses SHA-256.

10643

# The key size must be either 32 or 64 bytes.

10644

# Outputs a base64 encoded representation of the hashed output

10645

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

10646

# Currently, only string and integer values can be hashed.

10647

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

10648

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

10649

# a key encryption key (KEK) stored by KMS).

10650

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10651

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10652

# unwrap the data crypto key.

10653

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10654

# leaking the key. Choose another type of key if possible.

10655

"key": "A String", # Required. A 128/192/256 bit key.

10656

},

10657

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10658

# It will be discarded after the request finishes.

10659

"name": "A String", # Required. Name of the key.

10660

# This is an arbitrary string used to differentiate different keys.

10661

# A unique key is generated per name: two separate `TransientCryptoKey`

10662

# protos share the same generated key if their names are the same.

10663

# When the data crypto key is generated, this name is not used in any way

10664

# (repeating the api call will result in a different key being generated).

10665

},

10666

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10667

# The wrapped key must be a 128/192/256 bit key.

10668

# Authorization requires the following IAM permissions when sending a request

10669

# to perform a crypto transformation using a kms-wrapped crypto key:

10670

# dlp.kms.encrypt

10671

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10672

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

10677

# (FPE) with the FFX mode of operation; however when used in the

10678

# `ReidentifyContent` API method, it serves the opposite function by reversing

10679

# the surrogate back into the original identifier. The identifier must be

10680

# encoded as ASCII. For a given crypto key and context, the same identifier

10681

# will be replaced with the same surrogate. Identifiers must be at least two

10682

# characters long. In the case that the identifier is the empty string, it will

10683

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

10684

# more.

10685

#

10686

# Note: We recommend using CryptoDeterministicConfig for all use cases which

10687

# do not require preserving the input alphabet space and size, plus warrant

10688

# referential integrity.

10689

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

10690

# This annotation will be applied to the surrogate by prefixing it with

10691

# the name of the custom infoType followed by the number of

10692

# characters comprising the surrogate. The following scheme defines the

10693

# format: info_type_name(surrogate_character_count):surrogate

10694

#

10695

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

10696

# the surrogate is 'abc', the full replacement value

10697

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10698

#

10699

# This annotation identifies the surrogate when inspecting content using the

10700

# custom infoType

10701

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

10702

# This facilitates reversal of the surrogate when it occurs in free text.

10703

#

10704

# In order for inspection to work properly, the name of this infoType must

10705

# not occur naturally anywhere in your data; otherwise, inspection may

10706

# find a surrogate that does not correspond to an actual identifier.

10707

# Therefore, choose your custom infoType name carefully after considering

10708

# what your data looks like. One way to select a name that has a high chance

10709

# of yielding reliable detection is to include one or more unicode characters

10710

# that are highly improbable to exist in your data.

10711

# For example, assuming your data is entered from a regular ASCII keyboard,

10712

# the symbol with the hex code point 29DD might be used like so:

10713

# ⧝MY_TOKEN_TYPE

10714

"name": "A String", # Name of the information type. Either a name of your choosing when

10715

# creating a CustomInfoType, or one of the names listed

10716

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10717

# a built-in type. InfoType names should conform to the pattern

10718

# `[a-zA-Z0-9_]{1,64}`.

10719

},

10720

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

10721

# identifier in two different contexts won't be given the same surrogate. If

10722

# the context is not set, a default tweak will be used.

10723

#

10724

# If the context is set but:

10725

#

10726

# 1. there is no record present when transforming a given value or

10727

# 1. the field is not present when transforming a given value,

10728

#

10729

# a default tweak will be used.

10730

#

10731

# Note that case (1) is expected when an `InfoTypeTransformation` is

10732

# applied to both structured and non-structured `ContentItem`s.

10733

# Currently, the referenced field may be of value type integer or string.

10734

#

10735

# The tweak is constructed as a sequence of bytes in big endian byte order

10736

# such that:

10737

#

10738

# - a 64 bit integer is encoded followed by a single byte of value 1

10739

# - a string is encoded in UTF-8 format followed by a single byte of value 2

10740

"name": "A String", # Name describing the field.

10741

},

10742

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

10743

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

10744

# a key encryption key (KEK) stored by KMS).

10745

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10746

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10747

# unwrap the data crypto key.

10748

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10749

# leaking the key. Choose another type of key if possible.

10750

"key": "A String", # Required. A 128/192/256 bit key.

10751

},

10752

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10753

# It will be discarded after the request finishes.

10754

"name": "A String", # Required. Name of the key.

10755

# This is an arbitrary string used to differentiate different keys.

10756

# A unique key is generated per name: two separate `TransientCryptoKey`

10757

# protos share the same generated key if their names are the same.

10758

# When the data crypto key is generated, this name is not used in any way

10759

# (repeating the api call will result in a different key being generated).

10760

},

10761

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10762

# The wrapped key must be a 128/192/256 bit key.

10763

# Authorization requires the following IAM permissions when sending a request

10764

# to perform a crypto transformation using a kms-wrapped crypto key:

10765

# dlp.kms.encrypt

10766

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10767

"wrappedKey": "A String", # Required. The wrapped data crypto key.

10768

},

10769

},

10770

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

10771

# that the FFX mode natively supports. This happens before/after

10772

# encryption/decryption.

10773

# Each character listed must appear only once.

10774

# Number of characters must be in the range [2, 95].

10775

# This must be encoded as ASCII.

10776

# The order of characters does not matter.

10777

"commonAlphabet": "A String", # Common alphabets.

10778

},

10779

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

10780

# input. Outputs a base64 encoded representation of the encrypted output.

10781

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

10782

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

10783

# This annotation will be applied to the surrogate by prefixing it with

10784

# the name of the custom info type followed by the number of

10785

# characters comprising the surrogate. The following scheme defines the

10786

# format: {info type name}({surrogate character count}):{surrogate}

10787

#

10788

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

10789

# the surrogate is 'abc', the full replacement value

10790

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

10791

#

10792

# This annotation identifies the surrogate when inspecting content using the

10793

# custom info type 'Surrogate'. This facilitates reversal of the

10794

# surrogate when it occurs in free text.

10795

#

10796

# Note: For record transformations where the entire cell in a table is being

10797

# transformed, surrogates are not mandatory. Surrogates are used to denote

10798

# the location of the token and are necessary for re-identification in free

10799

# form text.

10800

#

10801

# In order for inspection to work properly, the name of this info type must

10802

# not occur naturally anywhere in your data; otherwise, inspection may either

10803

#

10804

# - reverse a surrogate that does not correspond to an actual identifier

10805

# - be unable to parse the surrogate and result in an error

10806

#

10807

# Therefore, choose your custom info type name carefully after considering

10808

# what your data looks like. One way to select a name that has a high chance

10809

# of yielding reliable detection is to include one or more unicode characters

10810

# that are highly improbable to exist in your data.

10811

# For example, assuming your data is entered from a regular ASCII keyboard,

10812

# the symbol with the hex code point 29DD might be used like so:

10813

# ⧝MY_TOKEN_TYPE.

10814

"name": "A String", # Name of the information type. Either a name of your choosing when

10815

# creating a CustomInfoType, or one of the names listed

10816

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

10817

# a built-in type. InfoType names should conform to the pattern

10818

# `[a-zA-Z0-9_]{1,64}`.

10819

},

10820

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

10821

# referential integrity such that the same identifier in two different

10822

# contexts will be given a distinct surrogate. The context is appended to

10823

# plaintext value being encrypted. On decryption the provided context is

10824

# validated against the value used during encryption. If a context was

10825

# provided during encryption, same context must be provided during decryption

10826

# as well.

10827

#

10828

# If the context is not set, plaintext would be used as is for encryption.

10829

# If the context is set but:

10830

#

10831

# 1. there is no record present when transforming a given value or

10832

# 2. the field is not present when transforming a given value,

10833

#

10834

# plaintext would be used as is for encryption.

10835

#

10836

# Note that case (1) is expected when an `InfoTypeTransformation` is

10837

# applied to both structured and non-structured `ContentItem`s.

10838

"name": "A String", # Name describing the field.

10839

},

10840

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

10841

# a key encryption key (KEK) stored by KMS).

10842

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

10843

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

10844

# unwrap the data crypto key.

10845

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

10846

# leaking the key. Choose another type of key if possible.

10847

"key": "A String", # Required. A 128/192/256 bit key.

10848

},

10849

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

10850

# It will be discarded after the request finishes.

10851

"name": "A String", # Required. Name of the key.

10852

# This is an arbitrary string used to differentiate different keys.

10853

# A unique key is generated per name: two separate `TransientCryptoKey`

10854

# protos share the same generated key if their names are the same.

10855

# When the data crypto key is generated, this name is not used in any way

10856

# (repeating the api call will result in a different key being generated).

10857

},

10858

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

10859

# The wrapped key must be a 128/192/256 bit key.

10860

# Authorization requires the following IAM permissions when sending a request

10861

# to perform a crypto transformation using a kms-wrapped crypto key:

10862

# dlp.kms.encrypt

10863

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

10864

"wrappedKey": "A String", # Required. The wrapped data crypto key.

},

},

},

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

10869

# replacement values are dynamically provided by the user for custom behavior,

10870

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

10871

# This can be used on

10872

# data of type: number, long, string, timestamp.

10873

# If the bound `Value` type differs from the type of data being transformed, we

10874

# will first attempt converting the type of the data to be transformed to match

10875

# the type of the bound before comparing.

10876

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

10877

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

10878

{ # Bucket is represented as a range, along with replacement values.

10879

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

10880

# the default behavior will be to hyphenate the min-max range.

10881

# Note that for the purposes of inspection or transformation, the number

10882

# of bytes considered to comprise a 'Value' is based on its representation

10883

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10884

# 123456789, the number of bytes would be counted as 9, even though an

10885

# int64 only holds up to 8 bytes of data.

10886

"timestampValue": "A String", # timestamp

10887

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10888

# and time zone are either specified elsewhere or are not significant. The date

10889

# is relative to the Proleptic Gregorian Calendar. This can represent:

10890

#

10891

# * A full date, with non-zero year, month and day values

10892

# * A month and day value, with a zero year, e.g. an anniversary

10893

# * A year on its own, with zero month and day values

10894

# * A year and month value, with a zero day, e.g. a credit card expiration date

10895

#

10896

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10897

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10898

# a year.

10899

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10900

# month and day.

10901

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10902

# if specifying a year by itself or a year and month where the day is not

10903

# significant.

10904

},

10905

"stringValue": "A String", # string

10906

"integerValue": "A String", # integer

10907

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10908

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10909

# types are google.type.Date and `google.protobuf.Timestamp`.

10910

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10911

# to allow the value "24:00:00" for scenarios like business closing time.

10912

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10913

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10914

# allow the value 60 if it allows leap-seconds.

10915

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10916

},

10917

"booleanValue": True or False, # boolean

10918

"floatValue": 3.14, # float

10919

"dayOfWeekValue": "A String", # day of week

10920

},

10921

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

10922

# used.

10923

# Note that for the purposes of inspection or transformation, the number

10924

# of bytes considered to comprise a 'Value' is based on its representation

10925

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10926

# 123456789, the number of bytes would be counted as 9, even though an

10927

# int64 only holds up to 8 bytes of data.

10928

"timestampValue": "A String", # timestamp

10929

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10930

# and time zone are either specified elsewhere or are not significant. The date

10931

# is relative to the Proleptic Gregorian Calendar. This can represent:

10932

#

10933

# * A full date, with non-zero year, month and day values

10934

# * A month and day value, with a zero year, e.g. an anniversary

10935

# * A year on its own, with zero month and day values

10936

# * A year and month value, with a zero day, e.g. a credit card expiration date

10937

#

10938

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10939

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10940

# a year.

10941

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10942

# month and day.

10943

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10944

# if specifying a year by itself or a year and month where the day is not

10945

# significant.

10946

},

10947

"stringValue": "A String", # string

10948

"integerValue": "A String", # integer

10949

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10950

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10951

# types are google.type.Date and `google.protobuf.Timestamp`.

10952

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10953

# to allow the value "24:00:00" for scenarios like business closing time.

10954

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10955

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10956

# allow the value 60 if it allows leap-seconds.

10957

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10958

},

10959

"booleanValue": True or False, # boolean

10960

"floatValue": 3.14, # float

10961

"dayOfWeekValue": "A String", # day of week

10962

},

10963

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

10964

# Note that for the purposes of inspection or transformation, the number

10965

# of bytes considered to comprise a 'Value' is based on its representation

10966

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

10967

# 123456789, the number of bytes would be counted as 9, even though an

10968

# int64 only holds up to 8 bytes of data.

10969

"timestampValue": "A String", # timestamp

10970

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

10971

# and time zone are either specified elsewhere or are not significant. The date

10972

# is relative to the Proleptic Gregorian Calendar. This can represent:

10973

#

10974

# * A full date, with non-zero year, month and day values

10975

# * A month and day value, with a zero year, e.g. an anniversary

10976

# * A year on its own, with zero month and day values

10977

# * A year and month value, with a zero day, e.g. a credit card expiration date

10978

#

10979

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

10980

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

10981

# a year.

10982

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

10983

# month and day.

10984

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

10985

# if specifying a year by itself or a year and month where the day is not

10986

# significant.

10987

},

10988

"stringValue": "A String", # string

10989

"integerValue": "A String", # integer

10990

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

10991

# or are specified elsewhere. An API may choose to allow leap seconds. Related

10992

# types are google.type.Date and `google.protobuf.Timestamp`.

10993

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

10994

# to allow the value "24:00:00" for scenarios like business closing time.

10995

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

10996

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

10997

# allow the value 60 if it allows leap-seconds.

10998

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

10999

},

11000

"booleanValue": True or False, # boolean

11001

"floatValue": 3.14, # float

11002

"dayOfWeekValue": "A String", # day of week

},

},

],

},

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

11008

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

11009

# output would be 'My phone number is '.

11010

},

11011

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

11012

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

11013

# Note that for the purposes of inspection or transformation, the number

11014

# of bytes considered to comprise a 'Value' is based on its representation

11015

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11016

# 123456789, the number of bytes would be counted as 9, even though an

11017

# int64 only holds up to 8 bytes of data.

11018

"timestampValue": "A String", # timestamp

11019

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11020

# and time zone are either specified elsewhere or are not significant. The date

11021

# is relative to the Proleptic Gregorian Calendar. This can represent:

11022

#

11023

# * A full date, with non-zero year, month and day values

11024

# * A month and day value, with a zero year, e.g. an anniversary

11025

# * A year on its own, with zero month and day values

11026

# * A year and month value, with a zero day, e.g. a credit card expiration date

11027

#

11028

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11029

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11030

# a year.

11031

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11032

# month and day.

11033

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11034

# if specifying a year by itself or a year and month where the day is not

11035

# significant.

11036

},

11037

"stringValue": "A String", # string

11038

"integerValue": "A String", # integer

11039

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11040

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11041

# types are google.type.Date and `google.protobuf.Timestamp`.

11042

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11043

# to allow the value "24:00:00" for scenarios like business closing time.

11044

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11045

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11046

# allow the value 60 if it allows leap-seconds.

11047

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11048

},

11049

"booleanValue": True or False, # boolean

11050

"floatValue": 3.14, # float

11051

"dayOfWeekValue": "A String", # day of week

11052

},

11053

},

11054

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

11055

# Bucketing transformation can provide all of this functionality,

11056

# but requires more configuration. This message is provided as a convenience to

11057

# the user for simple bucketing strategies.

11058

#

11059

# The transformed value will be a hyphenated string of

11060

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

11061

# all values that are within this bucket will be replaced with "10-20".

11062

#

11063

# This can be used on data of type: double, long.

11064

#

11065

# If the bound Value type differs from the type of data

11066

# being transformed, we will first attempt converting the type of the data to

11067

# be transformed to match the type of the bound before comparing.

11068

#

11069

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

11070

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

11071

# grouped together into a single bucket; for example if `upper_bound` = 89,

11072

# then all values greater than 89 are replaced with the value "89+".

11073

# Note that for the purposes of inspection or transformation, the number

11074

# of bytes considered to comprise a 'Value' is based on its representation

11075

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11076

# 123456789, the number of bytes would be counted as 9, even though an

11077

# int64 only holds up to 8 bytes of data.

11078

"timestampValue": "A String", # timestamp

11079

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11080

# and time zone are either specified elsewhere or are not significant. The date

11081

# is relative to the Proleptic Gregorian Calendar. This can represent:

11082

#

11083

# * A full date, with non-zero year, month and day values

11084

# * A month and day value, with a zero year, e.g. an anniversary

11085

# * A year on its own, with zero month and day values

11086

# * A year and month value, with a zero day, e.g. a credit card expiration date

11087

#

11088

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11089

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11090

# a year.

11091

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11092

# month and day.

11093

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11094

# if specifying a year by itself or a year and month where the day is not

11095

# significant.

11096

},

11097

"stringValue": "A String", # string

11098

"integerValue": "A String", # integer

11099

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11100

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11101

# types are google.type.Date and `google.protobuf.Timestamp`.

11102

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11103

# to allow the value "24:00:00" for scenarios like business closing time.

11104

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11105

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11106

# allow the value 60 if it allows leap-seconds.

11107

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11108

},

11109

"booleanValue": True or False, # boolean

11110

"floatValue": 3.14, # float

11111

"dayOfWeekValue": "A String", # day of week

11112

},

11113

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

11114

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

11115

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

11116

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

11117

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

11118

# grouped together into a single bucket; for example if `lower_bound` = 10,

11119

# then all values less than 10 are replaced with the value "-10".

11120

# Note that for the purposes of inspection or transformation, the number

11121

# of bytes considered to comprise a 'Value' is based on its representation

11122

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11123

# 123456789, the number of bytes would be counted as 9, even though an

11124

# int64 only holds up to 8 bytes of data.

11125

"timestampValue": "A String", # timestamp

11126

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11127

# and time zone are either specified elsewhere or are not significant. The date

11128

# is relative to the Proleptic Gregorian Calendar. This can represent:

11129

#

11130

# * A full date, with non-zero year, month and day values

11131

# * A month and day value, with a zero year, e.g. an anniversary

11132

# * A year on its own, with zero month and day values

11133

# * A year and month value, with a zero day, e.g. a credit card expiration date

11134

#

11135

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11136

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11137

# a year.

11138

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11139

# month and day.

11140

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11141

# if specifying a year by itself or a year and month where the day is not

11142

# significant.

11143

},

11144

"stringValue": "A String", # string

11145

"integerValue": "A String", # integer

11146

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11147

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11148

# types are google.type.Date and `google.protobuf.Timestamp`.

11149

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11150

# to allow the value "24:00:00" for scenarios like business closing time.

11151

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11152

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11153

# allow the value 60 if it allows leap-seconds.

11154

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11155

},

11156

"booleanValue": True or False, # boolean

11157

"floatValue": 3.14, # float

11158

"dayOfWeekValue": "A String", # day of week

11159

},

11160

},

11161

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

11162

# fixed character. Masking can start from the beginning or end of the string.

11163

# This can be used on data of any type (numbers, longs, and so on) and when

11164

# de-identifying structured data we'll attempt to preserve the original data's

11165

# type. (This allows you to take a long like 123 and modify it to a string like

11166

# **3.

11167

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

11168

# characters. For example, if the input string is `555-555-5555` and you

11169

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

11170

# returns `***-**5-5555`.

11171

{ # Characters to skip when doing deidentification of a value. These will be left

11172

# alone and skipped.

11173

"charactersToSkip": "A String", # Characters to not transform when masking.

11174

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

11179

# masked. Skipped characters do not count towards this tally.

11180

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

11181

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

11182

# code or credit card number. This string must have a length of 1. If not

11183

# supplied, this value defaults to `*` for strings, and `0` for digits.

11184

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

11185

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

11186

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

11187

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

11188

# is `true`, then the string `12345` is masked as `12***`.

11189

},

11190

},

11191

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

11192

# this transformation to apply to all findings that correspond to

11193

# infoTypes that were requested in `InspectConfig`.

11194

{ # Type of information detected by the API.

11195

"name": "A String", # Name of the information type. Either a name of your choosing when

11196

# creating a CustomInfoType, or one of the names listed

11197

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11198

# a built-in type. InfoType names should conform to the pattern

11199

# `[a-zA-Z0-9_]{1,64}`.

},

],

},

],

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11205

"transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default

11206

# mode is `TransformationErrorHandling.ThrowError`.

11207

# transformation error occurs when the requested transformation is incompatible

11208

# with the data. For example, trying to de-identify an IP address using a

11209

# `DateShift` transformation would result in a transformation error, since date

11210

# info cannot be extracted from an IP address.

11211

# Information about any incompatible transformations, and how they were

11212

# handled, is returned in the response as part of the

11213

# `TransformationOverviews`.

11214

"throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error

11215

},

11216

"leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors

11217

# cause an error. For example, if a `DateShift` transformation were applied

11218

# an an IP address, this mode would leave the IP address unchanged in the

# response.

},

},

"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to

11223

# specific locations within structured datasets, such as transforming

11224

# a column within a table.

11225

# table.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11226

"fieldTransformations": [ # Transform the record by applying various field transformations.

11227

{ # The transformation to apply to the field.

11228

"fields": [ # Required. Input field(s) to apply the transformation to.

11229

{ # General identifier of a data field in a storage service.

11230

"name": "A String", # Name describing the field.

11231

},

11232

],

11233

"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively

11234

# transform content that matches an `InfoType`.

11235

# apply various `PrimitiveTransformation`s to each finding, where the

11236

# transformation is applied to only values that were identified as a specific

11237

# info_type.

11238

"transformations": [ # Required. Transformation for each infoType. Cannot specify more than one

11239

# for a given infoType.

11240

{ # A transformation to apply to text that is identified as a specific

11241

# info_type.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11242

"primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.

11243

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

11244

# portion of the value.

11245

"partToExtract": "A String", # The part of the time to keep.

11246

},

11247

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

11248

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

11249

# to learn more.

11250

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

11251

# If set, must also set cryptoKey. If set, shift will be consistent for the

11252

# given context.

11253

"name": "A String", # Name describing the field.

11254

},

11255

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

11256

# range (inclusive ends). Negative means shift to earlier in time. Must not

11257

# be more than 365250 days (1000 years) each direction.

11258

#

11259

# For example, 3 means shift date to at most 3 days into the future.

11260

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

11261

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

11262

# results in the same shift for the same context and crypto_key. If

11263

# set, must also set context. Can only be applied to table items.

11264

# a key encryption key (KEK) stored by KMS).

11265

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11266

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11267

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11268

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11269

# leaking the key. Choose another type of key if possible.

11270

"key": "A String", # Required. A 128/192/256 bit key.

11271

},

11272

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11273

# It will be discarded after the request finishes.

11274

"name": "A String", # Required. Name of the key.

11275

# This is an arbitrary string used to differentiate different keys.

11276

# A unique key is generated per name: two separate `TransientCryptoKey`

11277

# protos share the same generated key if their names are the same.

11278

# When the data crypto key is generated, this name is not used in any way

11279

# (repeating the api call will result in a different key being generated).

11280

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11281

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11282

# The wrapped key must be a 128/192/256 bit key.

11283

# Authorization requires the following IAM permissions when sending a request

11284

# to perform a crypto transformation using a kms-wrapped crypto key:

11285

# dlp.kms.encrypt

11286

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11287

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11288

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11289

},

11290

},

11291

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

11292

},

11293

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

11294

# Uses SHA-256.

11295

# The key size must be either 32 or 64 bytes.

11296

# Outputs a base64 encoded representation of the hashed output

11297

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

11298

# Currently, only string and integer values can be hashed.

11299

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

11300

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

11301

# a key encryption key (KEK) stored by KMS).

11302

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11303

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11304

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11305

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11306

# leaking the key. Choose another type of key if possible.

11307

"key": "A String", # Required. A 128/192/256 bit key.

11308

},

11309

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11310

# It will be discarded after the request finishes.

11311

"name": "A String", # Required. Name of the key.

11312

# This is an arbitrary string used to differentiate different keys.

11313

# A unique key is generated per name: two separate `TransientCryptoKey`

11314

# protos share the same generated key if their names are the same.

11315

# When the data crypto key is generated, this name is not used in any way

11316

# (repeating the api call will result in a different key being generated).

11317

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11318

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11319

# The wrapped key must be a 128/192/256 bit key.

11320

# Authorization requires the following IAM permissions when sending a request

11321

# to perform a crypto transformation using a kms-wrapped crypto key:

11322

# dlp.kms.encrypt

11323

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11324

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11325

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11326

},

11327

},

11328

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

11329

# (FPE) with the FFX mode of operation; however when used in the

11330

# `ReidentifyContent` API method, it serves the opposite function by reversing

11331

# the surrogate back into the original identifier. The identifier must be

11332

# encoded as ASCII. For a given crypto key and context, the same identifier

11333

# will be replaced with the same surrogate. Identifiers must be at least two

11334

# characters long. In the case that the identifier is the empty string, it will

11335

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

11336

# more.

11337

#

11338

# Note: We recommend using CryptoDeterministicConfig for all use cases which

11339

# do not require preserving the input alphabet space and size, plus warrant

11340

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11341

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

11342

# This annotation will be applied to the surrogate by prefixing it with

11343

# the name of the custom infoType followed by the number of

11344

# characters comprising the surrogate. The following scheme defines the

11345

# format: info_type_name(surrogate_character_count):surrogate

11346

#

11347

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

11348

# the surrogate is 'abc', the full replacement value

11349

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11350

#

11351

# This annotation identifies the surrogate when inspecting content using the

11352

# custom infoType

11353

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

11354

# This facilitates reversal of the surrogate when it occurs in free text.

11355

#

11356

# In order for inspection to work properly, the name of this infoType must

11357

# not occur naturally anywhere in your data; otherwise, inspection may

11358

# find a surrogate that does not correspond to an actual identifier.

11359

# Therefore, choose your custom infoType name carefully after considering

11360

# what your data looks like. One way to select a name that has a high chance

11361

# of yielding reliable detection is to include one or more unicode characters

11362

# that are highly improbable to exist in your data.

11363

# For example, assuming your data is entered from a regular ASCII keyboard,

11364

# the symbol with the hex code point 29DD might be used like so:

11365

# ⧝MY_TOKEN_TYPE

11366

"name": "A String", # Name of the information type. Either a name of your choosing when

11367

# creating a CustomInfoType, or one of the names listed

11368

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11369

# a built-in type. InfoType names should conform to the pattern

11370

# `[a-zA-Z0-9_]{1,64}`.

11371

},

11372

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

11373

# identifier in two different contexts won't be given the same surrogate. If

11374

# the context is not set, a default tweak will be used.

11375

#

11376

# If the context is set but:

11377

#

11378

# 1. there is no record present when transforming a given value or

11379

# 1. the field is not present when transforming a given value,

11380

#

11381

# a default tweak will be used.

11382

#

11383

# Note that case (1) is expected when an `InfoTypeTransformation` is

11384

# applied to both structured and non-structured `ContentItem`s.

11385

# Currently, the referenced field may be of value type integer or string.

11386

#

11387

# The tweak is constructed as a sequence of bytes in big endian byte order

11388

# such that:

11389

#

11390

# - a 64 bit integer is encoded followed by a single byte of value 1

11391

# - a string is encoded in UTF-8 format followed by a single byte of value 2

11392

"name": "A String", # Name describing the field.

11393

},

11394

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

11395

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

11396

# a key encryption key (KEK) stored by KMS).

11397

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11398

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11399

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11400

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11401

# leaking the key. Choose another type of key if possible.

11402

"key": "A String", # Required. A 128/192/256 bit key.

11403

},

11404

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11405

# It will be discarded after the request finishes.

11406

"name": "A String", # Required. Name of the key.

11407

# This is an arbitrary string used to differentiate different keys.

11408

# A unique key is generated per name: two separate `TransientCryptoKey`

11409

# protos share the same generated key if their names are the same.

11410

# When the data crypto key is generated, this name is not used in any way

11411

# (repeating the api call will result in a different key being generated).

11412

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11413

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11414

# The wrapped key must be a 128/192/256 bit key.

11415

# Authorization requires the following IAM permissions when sending a request

11416

# to perform a crypto transformation using a kms-wrapped crypto key:

11417

# dlp.kms.encrypt

11418

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11419

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11420

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11421

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11422

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

11423

# that the FFX mode natively supports. This happens before/after

11424

# encryption/decryption.

11425

# Each character listed must appear only once.

11426

# Number of characters must be in the range [2, 95].

11427

# This must be encoded as ASCII.

11428

# The order of characters does not matter.

11429

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11430

},

11431

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

11432

# input. Outputs a base64 encoded representation of the encrypted output.

11433

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

11434

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

11435

# This annotation will be applied to the surrogate by prefixing it with

11436

# the name of the custom info type followed by the number of

11437

# characters comprising the surrogate. The following scheme defines the

11438

# format: {info type name}({surrogate character count}):{surrogate}

11439

#

11440

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

11441

# the surrogate is 'abc', the full replacement value

11442

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11443

#

11444

# This annotation identifies the surrogate when inspecting content using the

11445

# custom info type 'Surrogate'. This facilitates reversal of the

11446

# surrogate when it occurs in free text.

11447

#

11448

# Note: For record transformations where the entire cell in a table is being

11449

# transformed, surrogates are not mandatory. Surrogates are used to denote

11450

# the location of the token and are necessary for re-identification in free

11451

# form text.

11452

#

11453

# In order for inspection to work properly, the name of this info type must

11454

# not occur naturally anywhere in your data; otherwise, inspection may either

11455

#

11456

# - reverse a surrogate that does not correspond to an actual identifier

11457

# - be unable to parse the surrogate and result in an error

11458

#

11459

# Therefore, choose your custom info type name carefully after considering

11460

# what your data looks like. One way to select a name that has a high chance

11461

# of yielding reliable detection is to include one or more unicode characters

11462

# that are highly improbable to exist in your data.

11463

# For example, assuming your data is entered from a regular ASCII keyboard,

11464

# the symbol with the hex code point 29DD might be used like so:

11465

# ⧝MY_TOKEN_TYPE.

11466

"name": "A String", # Name of the information type. Either a name of your choosing when

11467

# creating a CustomInfoType, or one of the names listed

11468

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11469

# a built-in type. InfoType names should conform to the pattern

11470

# `[a-zA-Z0-9_]{1,64}`.

11471

},

11472

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

11473

# referential integrity such that the same identifier in two different

11474

# contexts will be given a distinct surrogate. The context is appended to

11475

# plaintext value being encrypted. On decryption the provided context is

11476

# validated against the value used during encryption. If a context was

11477

# provided during encryption, same context must be provided during decryption

11478

# as well.

11479

#

11480

# If the context is not set, plaintext would be used as is for encryption.

11481

# If the context is set but:

11482

#

11483

# 1. there is no record present when transforming a given value or

11484

# 2. the field is not present when transforming a given value,

11485

#

11486

# plaintext would be used as is for encryption.

11487

#

11488

# Note that case (1) is expected when an `InfoTypeTransformation` is

11489

# applied to both structured and non-structured `ContentItem`s.

11490

"name": "A String", # Name describing the field.

11491

},

11492

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

11493

# a key encryption key (KEK) stored by KMS).

11494

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11495

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11496

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11497

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11498

# leaking the key. Choose another type of key if possible.

11499

"key": "A String", # Required. A 128/192/256 bit key.

11500

},

11501

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11502

# It will be discarded after the request finishes.

11503

"name": "A String", # Required. Name of the key.

11504

# This is an arbitrary string used to differentiate different keys.

11505

# A unique key is generated per name: two separate `TransientCryptoKey`

11506

# protos share the same generated key if their names are the same.

11507

# When the data crypto key is generated, this name is not used in any way

11508

# (repeating the api call will result in a different key being generated).

11509

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11510

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11511

# The wrapped key must be a 128/192/256 bit key.

11512

# Authorization requires the following IAM permissions when sending a request

11513

# to perform a crypto transformation using a kms-wrapped crypto key:

11514

# dlp.kms.encrypt

11515

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11516

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11517

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11518

},

11519

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11520

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

11521

# replacement values are dynamically provided by the user for custom behavior,

11522

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

11523

# This can be used on

11524

# data of type: number, long, string, timestamp.

11525

# If the bound `Value` type differs from the type of data being transformed, we

11526

# will first attempt converting the type of the data to be transformed to match

11527

# the type of the bound before comparing.

11528

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

11529

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

11530

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11531

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

11532

# the default behavior will be to hyphenate the min-max range.

11533

# Note that for the purposes of inspection or transformation, the number

11534

# of bytes considered to comprise a 'Value' is based on its representation

11535

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11536

# 123456789, the number of bytes would be counted as 9, even though an

11537

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11538

"timestampValue": "A String", # timestamp

11539

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11540

# and time zone are either specified elsewhere or are not significant. The date

11541

# is relative to the Proleptic Gregorian Calendar. This can represent:

11542

#

11543

# * A full date, with non-zero year, month and day values

11544

# * A month and day value, with a zero year, e.g. an anniversary

11545

# * A year on its own, with zero month and day values

11546

# * A year and month value, with a zero day, e.g. a credit card expiration date

11547

#

11548

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11549

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11550

# a year.

11551

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11552

# month and day.

11553

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11554

# if specifying a year by itself or a year and month where the day is not

11555

# significant.

11556

},

11557

"stringValue": "A String", # string

11558

"integerValue": "A String", # integer

11559

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11560

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11561

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11562

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11563

# to allow the value "24:00:00" for scenarios like business closing time.

11564

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11565

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11566

# allow the value 60 if it allows leap-seconds.

11567

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11568

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11569

"booleanValue": True or False, # boolean

11570

"floatValue": 3.14, # float

11571

"dayOfWeekValue": "A String", # day of week

11572

},

11573

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

11574

# used.

11575

# Note that for the purposes of inspection or transformation, the number

11576

# of bytes considered to comprise a 'Value' is based on its representation

11577

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11578

# 123456789, the number of bytes would be counted as 9, even though an

11579

# int64 only holds up to 8 bytes of data.

11580

"timestampValue": "A String", # timestamp

11581

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11582

# and time zone are either specified elsewhere or are not significant. The date

11583

# is relative to the Proleptic Gregorian Calendar. This can represent:

11584

#

11585

# * A full date, with non-zero year, month and day values

11586

# * A month and day value, with a zero year, e.g. an anniversary

11587

# * A year on its own, with zero month and day values

11588

# * A year and month value, with a zero day, e.g. a credit card expiration date

11589

#

11590

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11591

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11592

# a year.

11593

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11594

# month and day.

11595

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11596

# if specifying a year by itself or a year and month where the day is not

11597

# significant.

11598

},

11599

"stringValue": "A String", # string

11600

"integerValue": "A String", # integer

11601

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11602

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11603

# types are google.type.Date and `google.protobuf.Timestamp`.

11604

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11605

# to allow the value "24:00:00" for scenarios like business closing time.

11606

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11607

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11608

# allow the value 60 if it allows leap-seconds.

11609

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11610

},

11611

"booleanValue": True or False, # boolean

11612

"floatValue": 3.14, # float

11613

"dayOfWeekValue": "A String", # day of week

11614

},

11615

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

11616

# Note that for the purposes of inspection or transformation, the number

11617

# of bytes considered to comprise a 'Value' is based on its representation

11618

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11619

# 123456789, the number of bytes would be counted as 9, even though an

11620

# int64 only holds up to 8 bytes of data.

11621

"timestampValue": "A String", # timestamp

11622

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11623

# and time zone are either specified elsewhere or are not significant. The date

11624

# is relative to the Proleptic Gregorian Calendar. This can represent:

11625

#

11626

# * A full date, with non-zero year, month and day values

11627

# * A month and day value, with a zero year, e.g. an anniversary

11628

# * A year on its own, with zero month and day values

11629

# * A year and month value, with a zero day, e.g. a credit card expiration date

11630

#

11631

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11632

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11633

# a year.

11634

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11635

# month and day.

11636

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11637

# if specifying a year by itself or a year and month where the day is not

11638

# significant.

11639

},

11640

"stringValue": "A String", # string

11641

"integerValue": "A String", # integer

11642

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11643

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11644

# types are google.type.Date and `google.protobuf.Timestamp`.

11645

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11646

# to allow the value "24:00:00" for scenarios like business closing time.

11647

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11648

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11649

# allow the value 60 if it allows leap-seconds.

11650

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11651

},

11652

"booleanValue": True or False, # boolean

11653

"floatValue": 3.14, # float

11654

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11659

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

11660

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

11661

# output would be 'My phone number is '.

11662

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11663

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

11664

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

11665

# Note that for the purposes of inspection or transformation, the number

11666

# of bytes considered to comprise a 'Value' is based on its representation

11667

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11668

# 123456789, the number of bytes would be counted as 9, even though an

11669

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11670

"timestampValue": "A String", # timestamp

11671

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11672

# and time zone are either specified elsewhere or are not significant. The date

11673

# is relative to the Proleptic Gregorian Calendar. This can represent:

11674

#

11675

# * A full date, with non-zero year, month and day values

11676

# * A month and day value, with a zero year, e.g. an anniversary

11677

# * A year on its own, with zero month and day values

11678

# * A year and month value, with a zero day, e.g. a credit card expiration date

11679

#

11680

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11681

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11682

# a year.

11683

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11684

# month and day.

11685

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11686

# if specifying a year by itself or a year and month where the day is not

11687

# significant.

11688

},

11689

"stringValue": "A String", # string

11690

"integerValue": "A String", # integer

11691

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11692

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11693

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11694

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11695

# to allow the value "24:00:00" for scenarios like business closing time.

11696

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11697

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11698

# allow the value 60 if it allows leap-seconds.

11699

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11700

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11701

"booleanValue": True or False, # boolean

11702

"floatValue": 3.14, # float

11703

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11704

},

11705

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11706

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

11707

# Bucketing transformation can provide all of this functionality,

11708

# but requires more configuration. This message is provided as a convenience to

11709

# the user for simple bucketing strategies.

11710

#

11711

# The transformed value will be a hyphenated string of

11712

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

11713

# all values that are within this bucket will be replaced with "10-20".

11714

#

11715

# This can be used on data of type: double, long.

11716

#

11717

# If the bound Value type differs from the type of data

11718

# being transformed, we will first attempt converting the type of the data to

11719

# be transformed to match the type of the bound before comparing.

11720

#

11721

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11722

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

11723

# grouped together into a single bucket; for example if `upper_bound` = 89,

11724

# then all values greater than 89 are replaced with the value "89+".

11725

# Note that for the purposes of inspection or transformation, the number

11726

# of bytes considered to comprise a 'Value' is based on its representation

11727

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11728

# 123456789, the number of bytes would be counted as 9, even though an

11729

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11730

"timestampValue": "A String", # timestamp

11731

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11732

# and time zone are either specified elsewhere or are not significant. The date

11733

# is relative to the Proleptic Gregorian Calendar. This can represent:

11734

#

11735

# * A full date, with non-zero year, month and day values

11736

# * A month and day value, with a zero year, e.g. an anniversary

11737

# * A year on its own, with zero month and day values

11738

# * A year and month value, with a zero day, e.g. a credit card expiration date

11739

#

11740

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11741

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11742

# a year.

11743

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11744

# month and day.

11745

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11746

# if specifying a year by itself or a year and month where the day is not

11747

# significant.

11748

},

11749

"stringValue": "A String", # string

11750

"integerValue": "A String", # integer

11751

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11752

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11753

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11754

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11755

# to allow the value "24:00:00" for scenarios like business closing time.

11756

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11757

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11758

# allow the value 60 if it allows leap-seconds.

11759

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11760

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11761

"booleanValue": True or False, # boolean

11762

"floatValue": 3.14, # float

11763

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11764

},

11765

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

11766

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

11767

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

11768

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11769

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

11770

# grouped together into a single bucket; for example if `lower_bound` = 10,

11771

# then all values less than 10 are replaced with the value "-10".

11772

# Note that for the purposes of inspection or transformation, the number

11773

# of bytes considered to comprise a 'Value' is based on its representation

11774

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

11775

# 123456789, the number of bytes would be counted as 9, even though an

11776

# int64 only holds up to 8 bytes of data.

11777

"timestampValue": "A String", # timestamp

11778

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

11779

# and time zone are either specified elsewhere or are not significant. The date

11780

# is relative to the Proleptic Gregorian Calendar. This can represent:

11781

#

11782

# * A full date, with non-zero year, month and day values

11783

# * A month and day value, with a zero year, e.g. an anniversary

11784

# * A year on its own, with zero month and day values

11785

# * A year and month value, with a zero day, e.g. a credit card expiration date

11786

#

11787

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

11788

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

11789

# a year.

11790

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

11791

# month and day.

11792

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

11793

# if specifying a year by itself or a year and month where the day is not

11794

# significant.

11795

},

11796

"stringValue": "A String", # string

11797

"integerValue": "A String", # integer

11798

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

11799

# or are specified elsewhere. An API may choose to allow leap seconds. Related

11800

# types are google.type.Date and `google.protobuf.Timestamp`.

11801

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

11802

# to allow the value "24:00:00" for scenarios like business closing time.

11803

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

11804

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

11805

# allow the value 60 if it allows leap-seconds.

11806

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

11807

},

11808

"booleanValue": True or False, # boolean

11809

"floatValue": 3.14, # float

11810

"dayOfWeekValue": "A String", # day of week

11811

},

11812

},

11813

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

11814

# fixed character. Masking can start from the beginning or end of the string.

11815

# This can be used on data of any type (numbers, longs, and so on) and when

11816

# de-identifying structured data we'll attempt to preserve the original data's

11817

# type. (This allows you to take a long like 123 and modify it to a string like

11818

# **3.

11819

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

11820

# characters. For example, if the input string is `555-555-5555` and you

11821

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

11822

# returns `***-**5-5555`.

11823

{ # Characters to skip when doing deidentification of a value. These will be left

11824

# alone and skipped.

11825

"charactersToSkip": "A String", # Characters to not transform when masking.

11826

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

11831

# masked. Skipped characters do not count towards this tally.

11832

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

11833

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

11834

# code or credit card number. This string must have a length of 1. If not

11835

# supplied, this value defaults to `*` for strings, and `0` for digits.

11836

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

11837

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

11838

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

11839

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

11840

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11841

},

11842

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11843

"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause

11844

# this transformation to apply to all findings that correspond to

11845

# infoTypes that were requested in `InspectConfig`.

11846

{ # Type of information detected by the API.

11847

"name": "A String", # Name of the information type. Either a name of your choosing when

11848

# creating a CustomInfoType, or one of the names listed

11849

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11850

# a built-in type. InfoType names should conform to the pattern

11851

# `[a-zA-Z0-9_]{1,64}`.

11852

},

11853

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.

11858

"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction

11859

# portion of the value.

11860

"partToExtract": "A String", # The part of the time to keep.

11861

},

11862

"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift

11863

# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting

11864

# to learn more.

11865

"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.

11866

# If set, must also set cryptoKey. If set, shift will be consistent for the

11867

# given context.

11868

"name": "A String", # Name describing the field.

11869

},

11870

"upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this

11871

# range (inclusive ends). Negative means shift to earlier in time. Must not

11872

# be more than 365250 days (1000 years) each direction.

11873

#

11874

# For example, 3 means shift date to at most 3 days into the future.

11875

"lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.

11876

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This

11877

# results in the same shift for the same context and crypto_key. If

11878

# set, must also set context. Can only be applied to table items.

11879

# a key encryption key (KEK) stored by KMS).

11880

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11881

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11882

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11883

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11884

# leaking the key. Choose another type of key if possible.

11885

"key": "A String", # Required. A 128/192/256 bit key.

11886

},

11887

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11888

# It will be discarded after the request finishes.

11889

"name": "A String", # Required. Name of the key.

11890

# This is an arbitrary string used to differentiate different keys.

11891

# A unique key is generated per name: two separate `TransientCryptoKey`

11892

# protos share the same generated key if their names are the same.

11893

# When the data crypto key is generated, this name is not used in any way

11894

# (repeating the api call will result in a different key being generated).

11895

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11896

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11897

# The wrapped key must be a 128/192/256 bit key.

11898

# Authorization requires the following IAM permissions when sending a request

11899

# to perform a crypto transformation using a kms-wrapped crypto key:

11900

# dlp.kms.encrypt

11901

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11902

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11903

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11904

},

11905

},

11906

"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype

11907

},

11908

"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto

11909

# Uses SHA-256.

11910

# The key size must be either 32 or 64 bytes.

11911

# Outputs a base64 encoded representation of the hashed output

11912

# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).

11913

# Currently, only string and integer values can be hashed.

11914

# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.

11915

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.

11916

# a key encryption key (KEK) stored by KMS).

11917

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

11918

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

11919

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11920

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

11921

# leaking the key. Choose another type of key if possible.

11922

"key": "A String", # Required. A 128/192/256 bit key.

11923

},

11924

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

11925

# It will be discarded after the request finishes.

11926

"name": "A String", # Required. Name of the key.

11927

# This is an arbitrary string used to differentiate different keys.

11928

# A unique key is generated per name: two separate `TransientCryptoKey`

11929

# protos share the same generated key if their names are the same.

11930

# When the data crypto key is generated, this name is not used in any way

11931

# (repeating the api call will result in a different key being generated).

11932

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

11933

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

11934

# The wrapped key must be a 128/192/256 bit key.

11935

# Authorization requires the following IAM permissions when sending a request

11936

# to perform a crypto transformation using a kms-wrapped crypto key:

11937

# dlp.kms.encrypt

11938

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

11939

"wrappedKey": "A String", # Required. The wrapped data crypto key.

11940

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11941

},

11942

},

11943

"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe

11944

# (FPE) with the FFX mode of operation; however when used in the

11945

# `ReidentifyContent` API method, it serves the opposite function by reversing

11946

# the surrogate back into the original identifier. The identifier must be

11947

# encoded as ASCII. For a given crypto key and context, the same identifier

11948

# will be replaced with the same surrogate. Identifiers must be at least two

11949

# characters long. In the case that the identifier is the empty string, it will

11950

# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn

11951

# more.

11952

#

11953

# Note: We recommend using CryptoDeterministicConfig for all use cases which

11954

# do not require preserving the input alphabet space and size, plus warrant

11955

# referential integrity.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

11956

"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.

11957

# This annotation will be applied to the surrogate by prefixing it with

11958

# the name of the custom infoType followed by the number of

11959

# characters comprising the surrogate. The following scheme defines the

11960

# format: info_type_name(surrogate_character_count):surrogate

11961

#

11962

# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and

11963

# the surrogate is 'abc', the full replacement value

11964

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

11965

#

11966

# This annotation identifies the surrogate when inspecting content using the

11967

# custom infoType

11968

# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).

11969

# This facilitates reversal of the surrogate when it occurs in free text.

11970

#

11971

# In order for inspection to work properly, the name of this infoType must

11972

# not occur naturally anywhere in your data; otherwise, inspection may

11973

# find a surrogate that does not correspond to an actual identifier.

11974

# Therefore, choose your custom infoType name carefully after considering

11975

# what your data looks like. One way to select a name that has a high chance

11976

# of yielding reliable detection is to include one or more unicode characters

11977

# that are highly improbable to exist in your data.

11978

# For example, assuming your data is entered from a regular ASCII keyboard,

11979

# the symbol with the hex code point 29DD might be used like so:

11980

# ⧝MY_TOKEN_TYPE

11981

"name": "A String", # Name of the information type. Either a name of your choosing when

11982

# creating a CustomInfoType, or one of the names listed

11983

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

11984

# a built-in type. InfoType names should conform to the pattern

11985

# `[a-zA-Z0-9_]{1,64}`.

11986

},

11987

"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same

11988

# identifier in two different contexts won't be given the same surrogate. If

11989

# the context is not set, a default tweak will be used.

11990

#

11991

# If the context is set but:

11992

#

11993

# 1. there is no record present when transforming a given value or

11994

# 1. the field is not present when transforming a given value,

11995

#

11996

# a default tweak will be used.

11997

#

11998

# Note that case (1) is expected when an `InfoTypeTransformation` is

11999

# applied to both structured and non-structured `ContentItem`s.

12000

# Currently, the referenced field may be of value type integer or string.

12001

#

12002

# The tweak is constructed as a sequence of bytes in big endian byte order

12003

# such that:

12004

#

12005

# - a 64 bit integer is encoded followed by a single byte of value 1

12006

# - a string is encoded in UTF-8 format followed by a single byte of value 2

12007

"name": "A String", # Name describing the field.

12008

},

12009

"radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].

12010

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.

12011

# a key encryption key (KEK) stored by KMS).

12012

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12013

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12014

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12015

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12016

# leaking the key. Choose another type of key if possible.

12017

"key": "A String", # Required. A 128/192/256 bit key.

12018

},

12019

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12020

# It will be discarded after the request finishes.

12021

"name": "A String", # Required. Name of the key.

12022

# This is an arbitrary string used to differentiate different keys.

12023

# A unique key is generated per name: two separate `TransientCryptoKey`

12024

# protos share the same generated key if their names are the same.

12025

# When the data crypto key is generated, this name is not used in any way

12026

# (repeating the api call will result in a different key being generated).

12027

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12028

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12029

# The wrapped key must be a 128/192/256 bit key.

12030

# Authorization requires the following IAM permissions when sending a request

12031

# to perform a crypto transformation using a kms-wrapped crypto key:

12032

# dlp.kms.encrypt

12033

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12034

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12035

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12036

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12037

"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters

12038

# that the FFX mode natively supports. This happens before/after

12039

# encryption/decryption.

12040

# Each character listed must appear only once.

12041

# Number of characters must be in the range [2, 95].

12042

# This must be encoded as ASCII.

12043

# The order of characters does not matter.

12044

"commonAlphabet": "A String", # Common alphabets.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12045

},

12046

"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto

12047

# input. Outputs a base64 encoded representation of the encrypted output.

12048

# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.

12049

"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.

12050

# This annotation will be applied to the surrogate by prefixing it with

12051

# the name of the custom info type followed by the number of

12052

# characters comprising the surrogate. The following scheme defines the

12053

# format: {info type name}({surrogate character count}):{surrogate}

12054

#

12055

# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and

12056

# the surrogate is 'abc', the full replacement value

12057

# will be: 'MY_TOKEN_INFO_TYPE(3):abc'

12058

#

12059

# This annotation identifies the surrogate when inspecting content using the

12060

# custom info type 'Surrogate'. This facilitates reversal of the

12061

# surrogate when it occurs in free text.

12062

#

12063

# Note: For record transformations where the entire cell in a table is being

12064

# transformed, surrogates are not mandatory. Surrogates are used to denote

12065

# the location of the token and are necessary for re-identification in free

12066

# form text.

12067

#

12068

# In order for inspection to work properly, the name of this info type must

12069

# not occur naturally anywhere in your data; otherwise, inspection may either

12070

#

12071

# - reverse a surrogate that does not correspond to an actual identifier

12072

# - be unable to parse the surrogate and result in an error

12073

#

12074

# Therefore, choose your custom info type name carefully after considering

12075

# what your data looks like. One way to select a name that has a high chance

12076

# of yielding reliable detection is to include one or more unicode characters

12077

# that are highly improbable to exist in your data.

12078

# For example, assuming your data is entered from a regular ASCII keyboard,

12079

# the symbol with the hex code point 29DD might be used like so:

12080

# ⧝MY_TOKEN_TYPE.

12081

"name": "A String", # Name of the information type. Either a name of your choosing when

12082

# creating a CustomInfoType, or one of the names listed

12083

# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying

12084

# a built-in type. InfoType names should conform to the pattern

12085

# `[a-zA-Z0-9_]{1,64}`.

12086

},

12087

"context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining

12088

# referential integrity such that the same identifier in two different

12089

# contexts will be given a distinct surrogate. The context is appended to

12090

# plaintext value being encrypted. On decryption the provided context is

12091

# validated against the value used during encryption. If a context was

12092

# provided during encryption, same context must be provided during decryption

12093

# as well.

12094

#

12095

# If the context is not set, plaintext would be used as is for encryption.

12096

# If the context is set but:

12097

#

12098

# 1. there is no record present when transforming a given value or

12099

# 2. the field is not present when transforming a given value,

12100

#

12101

# plaintext would be used as is for encryption.

12102

#

12103

# Note that case (1) is expected when an `InfoTypeTransformation` is

12104

# applied to both structured and non-structured `ContentItem`s.

12105

"name": "A String", # Name describing the field.

12106

},

12107

"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.

12108

# a key encryption key (KEK) stored by KMS).

12109

# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate

12110

# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot

12111

# unwrap the data crypto key.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12112

"unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key

12113

# leaking the key. Choose another type of key if possible.

12114

"key": "A String", # Required. A 128/192/256 bit key.

12115

},

12116

"transient": { # Use this to have a random data crypto key generated. # Transient crypto key

12117

# It will be discarded after the request finishes.

12118

"name": "A String", # Required. Name of the key.

12119

# This is an arbitrary string used to differentiate different keys.

12120

# A unique key is generated per name: two separate `TransientCryptoKey`

12121

# protos share the same generated key if their names are the same.

12122

# When the data crypto key is generated, this name is not used in any way

12123

# (repeating the api call will result in a different key being generated).

12124

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12125

"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key

12126

# The wrapped key must be a 128/192/256 bit key.

12127

# Authorization requires the following IAM permissions when sending a request

12128

# to perform a crypto transformation using a kms-wrapped crypto key:

12129

# dlp.kms.encrypt

12130

"cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.

12131

"wrappedKey": "A String", # Required. The wrapped data crypto key.

12132

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12133

},

12134

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12135

"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing

12136

# replacement values are dynamically provided by the user for custom behavior,

12137

# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH

12138

# This can be used on

12139

# data of type: number, long, string, timestamp.

12140

# If the bound `Value` type differs from the type of data being transformed, we

12141

# will first attempt converting the type of the data to be transformed to match

12142

# the type of the bound before comparing.

12143

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

12144

"buckets": [ # Set of buckets. Ranges must be non-overlapping.

12145

{ # Bucket is represented as a range, along with replacement values.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12146

"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided

12147

# the default behavior will be to hyphenate the min-max range.

12148

# Note that for the purposes of inspection or transformation, the number

12149

# of bytes considered to comprise a 'Value' is based on its representation

12150

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12151

# 123456789, the number of bytes would be counted as 9, even though an

12152

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12153

"timestampValue": "A String", # timestamp

12154

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12155

# and time zone are either specified elsewhere or are not significant. The date

12156

# is relative to the Proleptic Gregorian Calendar. This can represent:

12157

#

12158

# * A full date, with non-zero year, month and day values

12159

# * A month and day value, with a zero year, e.g. an anniversary

12160

# * A year on its own, with zero month and day values

12161

# * A year and month value, with a zero day, e.g. a credit card expiration date

12162

#

12163

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12164

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12165

# a year.

12166

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12167

# month and day.

12168

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12169

# if specifying a year by itself or a year and month where the day is not

12170

# significant.

12171

},

12172

"stringValue": "A String", # string

12173

"integerValue": "A String", # integer

12174

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12175

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12176

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12177

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12178

# to allow the value "24:00:00" for scenarios like business closing time.

12179

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12180

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12181

# allow the value 60 if it allows leap-seconds.

12182

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12183

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12184

"booleanValue": True or False, # boolean

12185

"floatValue": 3.14, # float

12186

"dayOfWeekValue": "A String", # day of week

12187

},

12188

"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if

12189

# used.

12190

# Note that for the purposes of inspection or transformation, the number

12191

# of bytes considered to comprise a 'Value' is based on its representation

12192

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12193

# 123456789, the number of bytes would be counted as 9, even though an

12194

# int64 only holds up to 8 bytes of data.

12195

"timestampValue": "A String", # timestamp

12196

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12197

# and time zone are either specified elsewhere or are not significant. The date

12198

# is relative to the Proleptic Gregorian Calendar. This can represent:

12199

#

12200

# * A full date, with non-zero year, month and day values

12201

# * A month and day value, with a zero year, e.g. an anniversary

12202

# * A year on its own, with zero month and day values

12203

# * A year and month value, with a zero day, e.g. a credit card expiration date

12204

#

12205

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12206

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12207

# a year.

12208

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12209

# month and day.

12210

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12211

# if specifying a year by itself or a year and month where the day is not

12212

# significant.

12213

},

12214

"stringValue": "A String", # string

12215

"integerValue": "A String", # integer

12216

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12217

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12218

# types are google.type.Date and `google.protobuf.Timestamp`.

12219

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12220

# to allow the value "24:00:00" for scenarios like business closing time.

12221

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12222

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12223

# allow the value 60 if it allows leap-seconds.

12224

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12225

},

12226

"booleanValue": True or False, # boolean

12227

"floatValue": 3.14, # float

12228

"dayOfWeekValue": "A String", # day of week

12229

},

12230

"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.

12231

# Note that for the purposes of inspection or transformation, the number

12232

# of bytes considered to comprise a 'Value' is based on its representation

12233

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12234

# 123456789, the number of bytes would be counted as 9, even though an

12235

# int64 only holds up to 8 bytes of data.

12236

"timestampValue": "A String", # timestamp

12237

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12238

# and time zone are either specified elsewhere or are not significant. The date

12239

# is relative to the Proleptic Gregorian Calendar. This can represent:

12240

#

12241

# * A full date, with non-zero year, month and day values

12242

# * A month and day value, with a zero year, e.g. an anniversary

12243

# * A year on its own, with zero month and day values

12244

# * A year and month value, with a zero day, e.g. a credit card expiration date

12245

#

12246

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12247

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12248

# a year.

12249

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12250

# month and day.

12251

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12252

# if specifying a year by itself or a year and month where the day is not

12253

# significant.

12254

},

12255

"stringValue": "A String", # string

12256

"integerValue": "A String", # integer

12257

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12258

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12259

# types are google.type.Date and `google.protobuf.Timestamp`.

12260

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12261

# to allow the value "24:00:00" for scenarios like business closing time.

12262

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12263

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12264

# allow the value 60 if it allows leap-seconds.

12265

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12266

},

12267

"booleanValue": True or False, # boolean

12268

"floatValue": 3.14, # float

12269

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12274

"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact

12275

# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the

12276

# output would be 'My phone number is '.

12277

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12278

"replaceConfig": { # Replace each input value with a given `Value`. # Replace

12279

"newValue": { # Set of primitive values supported by the system. # Value to replace it with.

12280

# Note that for the purposes of inspection or transformation, the number

12281

# of bytes considered to comprise a 'Value' is based on its representation

12282

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12283

# 123456789, the number of bytes would be counted as 9, even though an

12284

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12285

"timestampValue": "A String", # timestamp

12286

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12287

# and time zone are either specified elsewhere or are not significant. The date

12288

# is relative to the Proleptic Gregorian Calendar. This can represent:

12289

#

12290

# * A full date, with non-zero year, month and day values

12291

# * A month and day value, with a zero year, e.g. an anniversary

12292

# * A year on its own, with zero month and day values

12293

# * A year and month value, with a zero day, e.g. a credit card expiration date

12294

#

12295

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12296

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12297

# a year.

12298

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12299

# month and day.

12300

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12301

# if specifying a year by itself or a year and month where the day is not

12302

# significant.

12303

},

12304

"stringValue": "A String", # string

12305

"integerValue": "A String", # integer

12306

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12307

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12308

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12309

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12310

# to allow the value "24:00:00" for scenarios like business closing time.

12311

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12312

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12313

# allow the value 60 if it allows leap-seconds.

12314

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12315

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12316

"booleanValue": True or False, # boolean

12317

"floatValue": 3.14, # float

12318

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12319

},

12320

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12321

"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing

12322

# Bucketing transformation can provide all of this functionality,

12323

# but requires more configuration. This message is provided as a convenience to

12324

# the user for simple bucketing strategies.

12325

#

12326

# The transformed value will be a hyphenated string of

12327

# {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20

12328

# all values that are within this bucket will be replaced with "10-20".

12329

#

12330

# This can be used on data of type: double, long.

12331

#

12332

# If the bound Value type differs from the type of data

12333

# being transformed, we will first attempt converting the type of the data to

12334

# be transformed to match the type of the bound before comparing.

12335

#

12336

# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12337

"upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are

12338

# grouped together into a single bucket; for example if `upper_bound` = 89,

12339

# then all values greater than 89 are replaced with the value "89+".

12340

# Note that for the purposes of inspection or transformation, the number

12341

# of bytes considered to comprise a 'Value' is based on its representation

12342

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12343

# 123456789, the number of bytes would be counted as 9, even though an

12344

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12345

"timestampValue": "A String", # timestamp

12346

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12347

# and time zone are either specified elsewhere or are not significant. The date

12348

# is relative to the Proleptic Gregorian Calendar. This can represent:

12349

#

12350

# * A full date, with non-zero year, month and day values

12351

# * A month and day value, with a zero year, e.g. an anniversary

12352

# * A year on its own, with zero month and day values

12353

# * A year and month value, with a zero day, e.g. a credit card expiration date

12354

#

12355

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12356

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12357

# a year.

12358

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12359

# month and day.

12360

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12361

# if specifying a year by itself or a year and month where the day is not

12362

# significant.

12363

},

12364

"stringValue": "A String", # string

12365

"integerValue": "A String", # integer

12366

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12367

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12368

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12369

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12370

# to allow the value "24:00:00" for scenarios like business closing time.

12371

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12372

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12373

# allow the value 60 if it allows leap-seconds.

12374

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12375

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12376

"booleanValue": True or False, # boolean

12377

"floatValue": 3.14, # float

12378

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12379

},

12380

"bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if

12381

# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the

12382

# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,

12383

# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12384

"lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are

12385

# grouped together into a single bucket; for example if `lower_bound` = 10,

12386

# then all values less than 10 are replaced with the value "-10".

12387

# Note that for the purposes of inspection or transformation, the number

12388

# of bytes considered to comprise a 'Value' is based on its representation

12389

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12390

# 123456789, the number of bytes would be counted as 9, even though an

12391

# int64 only holds up to 8 bytes of data.

12392

"timestampValue": "A String", # timestamp

12393

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12394

# and time zone are either specified elsewhere or are not significant. The date

12395

# is relative to the Proleptic Gregorian Calendar. This can represent:

12396

#

12397

# * A full date, with non-zero year, month and day values

12398

# * A month and day value, with a zero year, e.g. an anniversary

12399

# * A year on its own, with zero month and day values

12400

# * A year and month value, with a zero day, e.g. a credit card expiration date

12401

#

12402

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12403

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12404

# a year.

12405

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12406

# month and day.

12407

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12408

# if specifying a year by itself or a year and month where the day is not

12409

# significant.

12410

},

12411

"stringValue": "A String", # string

12412

"integerValue": "A String", # integer

12413

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12414

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12415

# types are google.type.Date and `google.protobuf.Timestamp`.

12416

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12417

# to allow the value "24:00:00" for scenarios like business closing time.

12418

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12419

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12420

# allow the value 60 if it allows leap-seconds.

12421

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12422

},

12423

"booleanValue": True or False, # boolean

12424

"floatValue": 3.14, # float

12425

"dayOfWeekValue": "A String", # day of week

12426

},

12427

},

12428

"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask

12429

# fixed character. Masking can start from the beginning or end of the string.

12430

# This can be used on data of any type (numbers, longs, and so on) and when

12431

# de-identifying structured data we'll attempt to preserve the original data's

12432

# type. (This allows you to take a long like 123 and modify it to a string like

12433

# **3.

12434

"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing

12435

# characters. For example, if the input string is `555-555-5555` and you

12436

# instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP

12437

# returns `***-**5-5555`.

12438

{ # Characters to skip when doing deidentification of a value. These will be left

12439

# alone and skipped.

12440

"charactersToSkip": "A String", # Characters to not transform when masking.

12441

"commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing

# punctuation.

},

],

"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be

12446

# masked. Skipped characters do not count towards this tally.

12447

"maskingCharacter": "A String", # Character to use to mask the sensitive values&mdash;for example, `*` for an

12448

# alphabetic string such as a name, or `0` for a numeric string such as ZIP

12449

# code or credit card number. This string must have a length of 1. If not

12450

# supplied, this value defaults to `*` for strings, and `0` for digits.

12451

"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is

12452

# `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the

12453

# input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.

12454

# If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`

12455

# is `true`, then the string `12345` is masked as `12***`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12456

},

12457

},

12458

"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the

12459

# given `RecordCondition`. The conditions are allowed to reference fields

12460

# that are not used in the actual transformation.

#

# Example Use Cases:

#

# - Apply a different bucket transformation to an age column if the zip code

12465

# column for the same record is within a specific range.

12466

# - Redact a field if the date of birth field is greater than 85.

12467

# a field.

12468

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

12469

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

12470

# only supported value is `AND`.

12471

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

12472

"conditions": [ # A collection of conditions.

12473

{ # The field type of `value` and `field` do not need to match to be

12474

# considered equal, but not all comparisons are possible.

12475

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

12476

# but all other comparisons are invalid with incompatible types.

12477

# A `value` of type:

12478

#

12479

# - `string` can be compared against all other types

12480

# - `boolean` can only be compared against other booleans

12481

# - `integer` can be compared against doubles or a string if the string value

12482

# can be parsed as an integer.

12483

# - `double` can be compared against integers or a string if the string can

12484

# be parsed as a double.

12485

# - `Timestamp` can be compared against strings in RFC 3339 date string

12486

# format.

12487

# - `TimeOfDay` can be compared against timestamps and strings in the format

12488

# of 'HH:mm:ss'.

12489

#

12490

# If we fail to compare do to type mismatch, a warning will be given and

12491

# the condition will evaluate to false.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12492

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

12493

# Note that for the purposes of inspection or transformation, the number

12494

# of bytes considered to comprise a 'Value' is based on its representation

12495

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12496

# 123456789, the number of bytes would be counted as 9, even though an

12497

# int64 only holds up to 8 bytes of data.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12498

"timestampValue": "A String", # timestamp

12499

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12500

# and time zone are either specified elsewhere or are not significant. The date

12501

# is relative to the Proleptic Gregorian Calendar. This can represent:

12502

#

12503

# * A full date, with non-zero year, month and day values

12504

# * A month and day value, with a zero year, e.g. an anniversary

12505

# * A year on its own, with zero month and day values

12506

# * A year and month value, with a zero day, e.g. a credit card expiration date

12507

#

12508

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12509

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12510

# a year.

12511

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12512

# month and day.

12513

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12514

# if specifying a year by itself or a year and month where the day is not

12515

# significant.

12516

},

12517

"stringValue": "A String", # string

12518

"integerValue": "A String", # integer

12519

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12520

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12521

# types are google.type.Date and `google.protobuf.Timestamp`.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12522

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12523

# to allow the value "24:00:00" for scenarios like business closing time.

12524

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12525

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12526

# allow the value 60 if it allows leap-seconds.

12527

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12528

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12529

"booleanValue": True or False, # boolean

12530

"floatValue": 3.14, # float

12531

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12532

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12533

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

12534

"name": "A String", # Name describing the field.

12535

},

12536

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

],

},

},

},

},

],

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12544

"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that

12545

# match any suppression rule are omitted from the output.

12546

{ # Configuration to suppress records whose suppression conditions evaluate to

12547

# true.

12548

"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being

12549

# evaluated to be suppressed from the transformed content.

12550

# a field.

12551

"expressions": { # An expression, consisting or an operator and conditions. # An expression.

12552

"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently

12553

# only supported value is `AND`.

12554

"conditions": { # A collection of conditions. # Conditions to apply to the expression.

12555

"conditions": [ # A collection of conditions.

12556

{ # The field type of `value` and `field` do not need to match to be

12557

# considered equal, but not all comparisons are possible.

12558

# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,

12559

# but all other comparisons are invalid with incompatible types.

12560

# A `value` of type:

12561

#

12562

# - `string` can be compared against all other types

12563

# - `boolean` can only be compared against other booleans

12564

# - `integer` can be compared against doubles or a string if the string value

12565

# can be parsed as an integer.

12566

# - `double` can be compared against integers or a string if the string can

12567

# be parsed as a double.

12568

# - `Timestamp` can be compared against strings in RFC 3339 date string

12569

# format.

12570

# - `TimeOfDay` can be compared against timestamps and strings in the format

12571

# of 'HH:mm:ss'.

12572

#

12573

# If we fail to compare do to type mismatch, a warning will be given and

12574

# the condition will evaluate to false.

12575

"value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]

12576

# Note that for the purposes of inspection or transformation, the number

12577

# of bytes considered to comprise a 'Value' is based on its representation

12578

# as a UTF-8 encoded string. For example, if 'integer_value' is set to

12579

# 123456789, the number of bytes would be counted as 9, even though an

12580

# int64 only holds up to 8 bytes of data.

12581

"timestampValue": "A String", # timestamp

12582

"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date

12583

# and time zone are either specified elsewhere or are not significant. The date

12584

# is relative to the Proleptic Gregorian Calendar. This can represent:

12585

#

12586

# * A full date, with non-zero year, month and day values

12587

# * A month and day value, with a zero year, e.g. an anniversary

12588

# * A year on its own, with zero month and day values

12589

# * A year and month value, with a zero day, e.g. a credit card expiration date

12590

#

12591

# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.

12592

"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without

12593

# a year.

12594

"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a

12595

# month and day.

12596

"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0

12597

# if specifying a year by itself or a year and month where the day is not

12598

# significant.

12599

},

12600

"stringValue": "A String", # string

12601

"integerValue": "A String", # integer

12602

"timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day

12603

# or are specified elsewhere. An API may choose to allow leap seconds. Related

12604

# types are google.type.Date and `google.protobuf.Timestamp`.

12605

"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose

12606

# to allow the value "24:00:00" for scenarios like business closing time.

12607

"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.

12608

"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may

12609

# allow the value 60 if it allows leap-seconds.

12610

"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.

12611

},

12612

"booleanValue": True or False, # boolean

12613

"floatValue": 3.14, # float

12614

"dayOfWeekValue": "A String", # day of week

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12615

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12616

"field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.

12617

"name": "A String", # Name describing the field.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12618

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12619

"operator": "A String", # Required. Operator used to compare the field or infoType to the value.

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12620

},

Bu Sun Kim

4ed7d3f

2020-05-27 12:20:54 -0700

[diff] [blame]

12621

],

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

12622

},

12623

},

Bu Sun Kim

6502091

2020-05-20 12:08:20 -0700

[diff] [blame]

},

},

],

},

},

}</pre>

</div>

</body></html>