Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / google-api-python-client / dd49464a6262c0d1f71efcf11f131e2f591fe5f6 / . / docs / dyn / dlp_v2.projects.deidentifyTemplates.html
blob: 79abd28d194b4653302fdee84713b4550c08d552 [file] [log] [blame]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1<html><body>
2<style>
3
4body, h1, h2, h3, div, span, p, pre, a {
5 margin: 0;
6 padding: 0;
7 border: 0;
8 font-weight: inherit;
9 font-style: inherit;
10 font-size: 100%;
11 font-family: inherit;
12 vertical-align: baseline;
13}
14
15body {
16 font-size: 13px;
17 padding: 1em;
18}
19
20h1 {
21 font-size: 26px;
22 margin-bottom: 1em;
23}
24
25h2 {
26 font-size: 24px;
27 margin-bottom: 1em;
28}
29
30h3 {
31 font-size: 20px;
32 margin-bottom: 1em;
33 margin-top: 1em;
34}
35
36pre, code {
37 line-height: 1.5;
38 font-family: Monaco, 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', 'Lucida Console', monospace;
39}
40
41pre {
42 margin-top: 0.5em;
43}
44
45h1, h2, h3, p {
46 font-family: Arial, sans serif;
47}
48
49h1, h2, h3 {
50 border-bottom: solid #CCC 1px;
51}
52
53.toc_element {
54 margin-top: 0.5em;
55}
56
57.firstline {
58 margin-left: 2 em;
59}
60
61.method {
62 margin-top: 1em;
63 border: solid 1px #CCC;
64 padding: 1em;
65 background: #EEE;
66}
67
68.details {
69 font-weight: bold;
70 font-size: 14px;
71}
72
73</style>
74
75<h1><a href="dlp_v2.html">Cloud Data Loss Prevention (DLP) API</a> . <a href="dlp_v2.projects.html">projects</a> . <a href="dlp_v2.projects.deidentifyTemplates.html">deidentifyTemplates</a></h1>
76<h2>Instance Methods</h2>
77<p class="toc_element">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]78 <code><a href="#create">create(parent, body=None, x__xgafv=None)</a></code></p>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]79<p class="firstline">Creates a DeidentifyTemplate for re-using frequently used configuration</p>
80<p class="toc_element">
81 <code><a href="#delete">delete(name, x__xgafv=None)</a></code></p>
82<p class="firstline">Deletes a DeidentifyTemplate.</p>
83<p class="toc_element">
84 <code><a href="#get">get(name, x__xgafv=None)</a></code></p>
85<p class="firstline">Gets a DeidentifyTemplate.</p>
86<p class="toc_element">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]87 <code><a href="#list">list(parent, orderBy=None, pageSize=None, locationId=None, pageToken=None, x__xgafv=None)</a></code></p>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]88<p class="firstline">Lists DeidentifyTemplates.</p>
89<p class="toc_element">
90 <code><a href="#list_next">list_next(previous_request, previous_response)</a></code></p>
91<p class="firstline">Retrieves the next page of results.</p>
92<p class="toc_element">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]93 <code><a href="#patch">patch(name, body=None, x__xgafv=None)</a></code></p>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]94<p class="firstline">Updates the DeidentifyTemplate.</p>
95<h3>Method Details</h3>
96<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]97 <code class="details" id="create">create(parent, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]98 <pre>Creates a DeidentifyTemplate for re-using frequently used configuration
99for de-identifying content, images, and storage.
100See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
101more.
102
103Args:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]104 parent: string, Required. The parent resource name, for example projects/my-project-id or
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]105organizations/my-org-id. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]106 body: object, The request body.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]107 The object takes the form of:
108
109{ # Request message for CreateDeidentifyTemplate.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]110 "deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # Required. The DeidentifyTemplate to create.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]111 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]112 "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]113 "displayName": "A String", # Display name (max 256 chars).
114 "description": "A String", # Short description (max 256 chars).
115 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
116 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
117 # transformation everywhere.
118 # apply various `PrimitiveTransformation`s to each finding, where the
119 # transformation is applied to only values that were identified as a specific
120 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]121 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
122 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]123 { # A transformation to apply to text that is identified as a specific
124 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]125 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
126 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]127 # input. Outputs a base64 encoded representation of the encrypted output.
128 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
129 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
130 # a key encryption key (KEK) stored by KMS).
131 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
132 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
133 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]134 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]135 # The wrapped key must be a 128/192/256 bit key.
136 # Authorization requires the following IAM permissions when sending a request
137 # to perform a crypto transformation using a kms-wrapped crypto key:
138 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]139 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
140 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]141 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]142 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]143 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]144 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]145 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]146 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]147 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]148 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]149 # This is an arbitrary string used to differentiate different keys.
150 # A unique key is generated per name: two separate `TransientCryptoKey`
151 # protos share the same generated key if their names are the same.
152 # When the data crypto key is generated, this name is not used in any way
153 # (repeating the api call will result in a different key being generated).
154 },
155 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]156 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]157 # referential integrity such that the same identifier in two different
158 # contexts will be given a distinct surrogate. The context is appended to
159 # plaintext value being encrypted. On decryption the provided context is
160 # validated against the value used during encryption. If a context was
161 # provided during encryption, same context must be provided during decryption
162 # as well.
163 #
164 # If the context is not set, plaintext would be used as is for encryption.
165 # If the context is set but:
166 #
167 # 1. there is no record present when transforming a given value or
168 # 2. the field is not present when transforming a given value,
169 #
170 # plaintext would be used as is for encryption.
171 #
172 # Note that case (1) is expected when an `InfoTypeTransformation` is
173 # applied to both structured and non-structured `ContentItem`s.
174 "name": "A String", # Name describing the field.
175 },
176 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
177 # This annotation will be applied to the surrogate by prefixing it with
178 # the name of the custom info type followed by the number of
179 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]180 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]181 #
182 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
183 # the surrogate is 'abc', the full replacement value
184 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
185 #
186 # This annotation identifies the surrogate when inspecting content using the
187 # custom info type 'Surrogate'. This facilitates reversal of the
188 # surrogate when it occurs in free text.
189 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]190 # Note: For record transformations where the entire cell in a table is being
191 # transformed, surrogates are not mandatory. Surrogates are used to denote
192 # the location of the token and are necessary for re-identification in free
193 # form text.
194 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]195 # In order for inspection to work properly, the name of this info type must
196 # not occur naturally anywhere in your data; otherwise, inspection may either
197 #
198 # - reverse a surrogate that does not correspond to an actual identifier
199 # - be unable to parse the surrogate and result in an error
200 #
201 # Therefore, choose your custom info type name carefully after considering
202 # what your data looks like. One way to select a name that has a high chance
203 # of yielding reliable detection is to include one or more unicode characters
204 # that are highly improbable to exist in your data.
205 # For example, assuming your data is entered from a regular ASCII keyboard,
206 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]207 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]208 "name": "A String", # Name of the information type. Either a name of your choosing when
209 # creating a CustomInfoType, or one of the names listed
210 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
211 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]212 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]213 },
214 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]215 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
216 # fixed character. Masking can start from the beginning or end of the string.
217 # This can be used on data of any type (numbers, longs, and so on) and when
218 # de-identifying structured data we'll attempt to preserve the original data's
219 # type. (This allows you to take a long like 123 and modify it to a string like
220 # **3.
221 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
222 # characters. For example, if the input string is `555-555-5555` and you
223 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
224 # returns `***-**5-5555`.
225 { # Characters to skip when doing deidentification of a value. These will be left
226 # alone and skipped.
227 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
228 # punctuation.
229 "charactersToSkip": "A String", # Characters to not transform when masking.
230 },
231 ],
232 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
233 # masked. Skipped characters do not count towards this tally.
234 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
235 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
236 # code or credit card number. This string must have a length of 1. If not
237 # supplied, this value defaults to `*` for strings, and `0` for digits.
238 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
239 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
240 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
241 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
242 # is `true`, then the string `12345` is masked as `12***`.
243 },
244 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
245 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
246 # output would be 'My phone number is '.
247 },
248 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
249 },
250 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]251 # Bucketing transformation can provide all of this functionality,
252 # but requires more configuration. This message is provided as a convenience to
253 # the user for simple bucketing strategies.
254 #
255 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]256 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]257 # all values that are within this bucket will be replaced with "10-20".
258 #
259 # This can be used on data of type: double, long.
260 #
261 # If the bound Value type differs from the type of data
262 # being transformed, we will first attempt converting the type of the data to
263 # be transformed to match the type of the bound before comparing.
264 #
265 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]266 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]267 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]268 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]269 # Note that for the purposes of inspection or transformation, the number
270 # of bytes considered to comprise a 'Value' is based on its representation
271 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
272 # 123456789, the number of bytes would be counted as 9, even though an
273 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]274 "floatValue": 3.14, # float
275 "timestampValue": "A String", # timestamp
276 "dayOfWeekValue": "A String", # day of week
277 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]278 # or are specified elsewhere. An API may choose to allow leap seconds. Related
279 # types are google.type.Date and `google.protobuf.Timestamp`.
280 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
281 # to allow the value "24:00:00" for scenarios like business closing time.
282 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
283 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
284 # allow the value 60 if it allows leap-seconds.
285 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
286 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]287 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]288 # and time zone are either specified elsewhere or are not significant. The date
289 # is relative to the Proleptic Gregorian Calendar. This can represent:
290 #
291 # * A full date, with non-zero year, month and day values
292 # * A month and day value, with a zero year, e.g. an anniversary
293 # * A year on its own, with zero month and day values
294 # * A year and month value, with a zero day, e.g. a credit card expiration date
295 #
296 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]297 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
298 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]299 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
300 # if specifying a year by itself or a year and month where the day is not
301 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]302 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
303 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]304 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]305 "stringValue": "A String", # string
306 "booleanValue": True or False, # boolean
307 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]308 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]309 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]310 # grouped together into a single bucket; for example if `upper_bound` = 89,
311 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]312 # Note that for the purposes of inspection or transformation, the number
313 # of bytes considered to comprise a 'Value' is based on its representation
314 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
315 # 123456789, the number of bytes would be counted as 9, even though an
316 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]317 "floatValue": 3.14, # float
318 "timestampValue": "A String", # timestamp
319 "dayOfWeekValue": "A String", # day of week
320 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]321 # or are specified elsewhere. An API may choose to allow leap seconds. Related
322 # types are google.type.Date and `google.protobuf.Timestamp`.
323 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
324 # to allow the value "24:00:00" for scenarios like business closing time.
325 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
326 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
327 # allow the value 60 if it allows leap-seconds.
328 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
329 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]330 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]331 # and time zone are either specified elsewhere or are not significant. The date
332 # is relative to the Proleptic Gregorian Calendar. This can represent:
333 #
334 # * A full date, with non-zero year, month and day values
335 # * A month and day value, with a zero year, e.g. an anniversary
336 # * A year on its own, with zero month and day values
337 # * A year and month value, with a zero day, e.g. a credit card expiration date
338 #
339 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]340 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
341 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]342 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
343 # if specifying a year by itself or a year and month where the day is not
344 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]345 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
346 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]347 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]348 "stringValue": "A String", # string
349 "booleanValue": True or False, # boolean
350 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]351 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]352 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]353 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
354 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]355 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]356 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]357 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]358 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]359 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]360 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]361 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]362 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
363 # to learn more.
364 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]365 # results in the same shift for the same context and crypto_key. If
366 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]367 # a key encryption key (KEK) stored by KMS).
368 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
369 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
370 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]371 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]372 # The wrapped key must be a 128/192/256 bit key.
373 # Authorization requires the following IAM permissions when sending a request
374 # to perform a crypto transformation using a kms-wrapped crypto key:
375 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]376 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
377 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]378 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]379 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]380 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]381 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]382 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]383 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]384 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]385 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]386 # This is an arbitrary string used to differentiate different keys.
387 # A unique key is generated per name: two separate `TransientCryptoKey`
388 # protos share the same generated key if their names are the same.
389 # When the data crypto key is generated, this name is not used in any way
390 # (repeating the api call will result in a different key being generated).
391 },
392 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]393 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
394 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]395 # range (inclusive ends). Negative means shift to earlier in time. Must not
396 # be more than 365250 days (1000 years) each direction.
397 #
398 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]399 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]400 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]401 # given context.
402 "name": "A String", # Name describing the field.
403 },
404 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]405 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]406 # (FPE) with the FFX mode of operation; however when used in the
407 # `ReidentifyContent` API method, it serves the opposite function by reversing
408 # the surrogate back into the original identifier. The identifier must be
409 # encoded as ASCII. For a given crypto key and context, the same identifier
410 # will be replaced with the same surrogate. Identifiers must be at least two
411 # characters long. In the case that the identifier is the empty string, it will
412 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
413 # more.
414 #
415 # Note: We recommend using CryptoDeterministicConfig for all use cases which
416 # do not require preserving the input alphabet space and size, plus warrant
417 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]418 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]419 # a key encryption key (KEK) stored by KMS).
420 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
421 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
422 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]423 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]424 # The wrapped key must be a 128/192/256 bit key.
425 # Authorization requires the following IAM permissions when sending a request
426 # to perform a crypto transformation using a kms-wrapped crypto key:
427 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]428 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
429 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]430 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]431 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]432 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]433 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]434 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]435 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]436 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]437 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]438 # This is an arbitrary string used to differentiate different keys.
439 # A unique key is generated per name: two separate `TransientCryptoKey`
440 # protos share the same generated key if their names are the same.
441 # When the data crypto key is generated, this name is not used in any way
442 # (repeating the api call will result in a different key being generated).
443 },
444 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]445 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
446 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]447 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
448 # that the FFX mode natively supports. This happens before/after
449 # encryption/decryption.
450 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]451 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]452 # This must be encoded as ASCII.
453 # The order of characters does not matter.
454 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
455 # identifier in two different contexts won't be given the same surrogate. If
456 # the context is not set, a default tweak will be used.
457 #
458 # If the context is set but:
459 #
460 # 1. there is no record present when transforming a given value or
461 # 1. the field is not present when transforming a given value,
462 #
463 # a default tweak will be used.
464 #
465 # Note that case (1) is expected when an `InfoTypeTransformation` is
466 # applied to both structured and non-structured `ContentItem`s.
467 # Currently, the referenced field may be of value type integer or string.
468 #
469 # The tweak is constructed as a sequence of bytes in big endian byte order
470 # such that:
471 #
472 # - a 64 bit integer is encoded followed by a single byte of value 1
473 # - a string is encoded in UTF-8 format followed by a single byte of value 2
474 "name": "A String", # Name describing the field.
475 },
476 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
477 # This annotation will be applied to the surrogate by prefixing it with
478 # the name of the custom infoType followed by the number of
479 # characters comprising the surrogate. The following scheme defines the
480 # format: info_type_name(surrogate_character_count):surrogate
481 #
482 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
483 # the surrogate is 'abc', the full replacement value
484 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
485 #
486 # This annotation identifies the surrogate when inspecting content using the
487 # custom infoType
488 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
489 # This facilitates reversal of the surrogate when it occurs in free text.
490 #
491 # In order for inspection to work properly, the name of this infoType must
492 # not occur naturally anywhere in your data; otherwise, inspection may
493 # find a surrogate that does not correspond to an actual identifier.
494 # Therefore, choose your custom infoType name carefully after considering
495 # what your data looks like. One way to select a name that has a high chance
496 # of yielding reliable detection is to include one or more unicode characters
497 # that are highly improbable to exist in your data.
498 # For example, assuming your data is entered from a regular ASCII keyboard,
499 # the symbol with the hex code point 29DD might be used like so:
500 # ⧝MY_TOKEN_TYPE
501 "name": "A String", # Name of the information type. Either a name of your choosing when
502 # creating a CustomInfoType, or one of the names listed
503 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
504 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]505 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]506 },
507 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]508 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
509 # replacement values are dynamically provided by the user for custom behavior,
510 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
511 # This can be used on
512 # data of type: number, long, string, timestamp.
513 # If the bound `Value` type differs from the type of data being transformed, we
514 # will first attempt converting the type of the data to be transformed to match
515 # the type of the bound before comparing.
516 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
517 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
518 { # Bucket is represented as a range, along with replacement values.
519 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
520 # Note that for the purposes of inspection or transformation, the number
521 # of bytes considered to comprise a 'Value' is based on its representation
522 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
523 # 123456789, the number of bytes would be counted as 9, even though an
524 # int64 only holds up to 8 bytes of data.
525 "floatValue": 3.14, # float
526 "timestampValue": "A String", # timestamp
527 "dayOfWeekValue": "A String", # day of week
528 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
529 # or are specified elsewhere. An API may choose to allow leap seconds. Related
530 # types are google.type.Date and `google.protobuf.Timestamp`.
531 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
532 # to allow the value "24:00:00" for scenarios like business closing time.
533 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
534 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
535 # allow the value 60 if it allows leap-seconds.
536 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
537 },
538 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
539 # and time zone are either specified elsewhere or are not significant. The date
540 # is relative to the Proleptic Gregorian Calendar. This can represent:
541 #
542 # * A full date, with non-zero year, month and day values
543 # * A month and day value, with a zero year, e.g. an anniversary
544 # * A year on its own, with zero month and day values
545 # * A year and month value, with a zero day, e.g. a credit card expiration date
546 #
547 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
548 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
549 # month and day.
550 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
551 # if specifying a year by itself or a year and month where the day is not
552 # significant.
553 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
554 # a year.
555 },
556 "stringValue": "A String", # string
557 "booleanValue": True or False, # boolean
558 "integerValue": "A String", # integer
559 },
560 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
561 # the default behavior will be to hyphenate the min-max range.
562 # Note that for the purposes of inspection or transformation, the number
563 # of bytes considered to comprise a 'Value' is based on its representation
564 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
565 # 123456789, the number of bytes would be counted as 9, even though an
566 # int64 only holds up to 8 bytes of data.
567 "floatValue": 3.14, # float
568 "timestampValue": "A String", # timestamp
569 "dayOfWeekValue": "A String", # day of week
570 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
571 # or are specified elsewhere. An API may choose to allow leap seconds. Related
572 # types are google.type.Date and `google.protobuf.Timestamp`.
573 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
574 # to allow the value "24:00:00" for scenarios like business closing time.
575 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
576 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
577 # allow the value 60 if it allows leap-seconds.
578 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
579 },
580 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
581 # and time zone are either specified elsewhere or are not significant. The date
582 # is relative to the Proleptic Gregorian Calendar. This can represent:
583 #
584 # * A full date, with non-zero year, month and day values
585 # * A month and day value, with a zero year, e.g. an anniversary
586 # * A year on its own, with zero month and day values
587 # * A year and month value, with a zero day, e.g. a credit card expiration date
588 #
589 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
590 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
591 # month and day.
592 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
593 # if specifying a year by itself or a year and month where the day is not
594 # significant.
595 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
596 # a year.
597 },
598 "stringValue": "A String", # string
599 "booleanValue": True or False, # boolean
600 "integerValue": "A String", # integer
601 },
602 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
603 # used.
604 # Note that for the purposes of inspection or transformation, the number
605 # of bytes considered to comprise a 'Value' is based on its representation
606 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
607 # 123456789, the number of bytes would be counted as 9, even though an
608 # int64 only holds up to 8 bytes of data.
609 "floatValue": 3.14, # float
610 "timestampValue": "A String", # timestamp
611 "dayOfWeekValue": "A String", # day of week
612 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
613 # or are specified elsewhere. An API may choose to allow leap seconds. Related
614 # types are google.type.Date and `google.protobuf.Timestamp`.
615 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
616 # to allow the value "24:00:00" for scenarios like business closing time.
617 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
618 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
619 # allow the value 60 if it allows leap-seconds.
620 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
621 },
622 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
623 # and time zone are either specified elsewhere or are not significant. The date
624 # is relative to the Proleptic Gregorian Calendar. This can represent:
625 #
626 # * A full date, with non-zero year, month and day values
627 # * A month and day value, with a zero year, e.g. an anniversary
628 # * A year on its own, with zero month and day values
629 # * A year and month value, with a zero day, e.g. a credit card expiration date
630 #
631 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
632 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
633 # month and day.
634 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
635 # if specifying a year by itself or a year and month where the day is not
636 # significant.
637 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
638 # a year.
639 },
640 "stringValue": "A String", # string
641 "booleanValue": True or False, # boolean
642 "integerValue": "A String", # integer
643 },
644 },
645 ],
646 },
647 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
648 # Uses SHA-256.
649 # The key size must be either 32 or 64 bytes.
650 # Outputs a base64 encoded representation of the hashed output
651 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
652 # Currently, only string and integer values can be hashed.
653 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
654 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
655 # a key encryption key (KEK) stored by KMS).
656 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
657 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
658 # unwrap the data crypto key.
659 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
660 # The wrapped key must be a 128/192/256 bit key.
661 # Authorization requires the following IAM permissions when sending a request
662 # to perform a crypto transformation using a kms-wrapped crypto key:
663 # dlp.kms.encrypt
664 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
665 "wrappedKey": "A String", # Required. The wrapped data crypto key.
666 },
667 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
668 # leaking the key. Choose another type of key if possible.
669 "key": "A String", # Required. A 128/192/256 bit key.
670 },
671 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
672 # It will be discarded after the request finishes.
673 "name": "A String", # Required. Name of the key.
674 # This is an arbitrary string used to differentiate different keys.
675 # A unique key is generated per name: two separate `TransientCryptoKey`
676 # protos share the same generated key if their names are the same.
677 # When the data crypto key is generated, this name is not used in any way
678 # (repeating the api call will result in a different key being generated).
679 },
680 },
681 },
682 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]683 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
684 # Note that for the purposes of inspection or transformation, the number
685 # of bytes considered to comprise a 'Value' is based on its representation
686 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
687 # 123456789, the number of bytes would be counted as 9, even though an
688 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]689 "floatValue": 3.14, # float
690 "timestampValue": "A String", # timestamp
691 "dayOfWeekValue": "A String", # day of week
692 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]693 # or are specified elsewhere. An API may choose to allow leap seconds. Related
694 # types are google.type.Date and `google.protobuf.Timestamp`.
695 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
696 # to allow the value "24:00:00" for scenarios like business closing time.
697 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
698 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
699 # allow the value 60 if it allows leap-seconds.
700 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
701 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]702 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]703 # and time zone are either specified elsewhere or are not significant. The date
704 # is relative to the Proleptic Gregorian Calendar. This can represent:
705 #
706 # * A full date, with non-zero year, month and day values
707 # * A month and day value, with a zero year, e.g. an anniversary
708 # * A year on its own, with zero month and day values
709 # * A year and month value, with a zero day, e.g. a credit card expiration date
710 #
711 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]712 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
713 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]714 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
715 # if specifying a year by itself or a year and month where the day is not
716 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]717 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
718 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]719 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]720 "stringValue": "A String", # string
721 "booleanValue": True or False, # boolean
722 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]723 },
724 },
725 },
726 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
727 # this transformation to apply to all findings that correspond to
728 # infoTypes that were requested in `InspectConfig`.
729 { # Type of information detected by the API.
730 "name": "A String", # Name of the information type. Either a name of your choosing when
731 # creating a CustomInfoType, or one of the names listed
732 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
733 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]734 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]735 },
736 ],
737 },
738 ],
739 },
740 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
741 # specific locations within structured datasets, such as transforming
742 # a column within a table.
743 # table.
744 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]745 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]746 { # Configuration to suppress records whose suppression conditions evaluate to
747 # true.
748 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
749 # evaluated to be suppressed from the transformed content.
750 # a field.
751 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]752 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
753 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]754 { # The field type of `value` and `field` do not need to match to be
755 # considered equal, but not all comparisons are possible.
756 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
757 # but all other comparisons are invalid with incompatible types.
758 # A `value` of type:
759 #
760 # - `string` can be compared against all other types
761 # - `boolean` can only be compared against other booleans
762 # - `integer` can be compared against doubles or a string if the string value
763 # can be parsed as an integer.
764 # - `double` can be compared against integers or a string if the string can
765 # be parsed as a double.
766 # - `Timestamp` can be compared against strings in RFC 3339 date string
767 # format.
768 # - `TimeOfDay` can be compared against timestamps and strings in the format
769 # of 'HH:mm:ss'.
770 #
771 # If we fail to compare do to type mismatch, a warning will be given and
772 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]773 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
774 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]775 "name": "A String", # Name describing the field.
776 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]777 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]778 # Note that for the purposes of inspection or transformation, the number
779 # of bytes considered to comprise a 'Value' is based on its representation
780 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
781 # 123456789, the number of bytes would be counted as 9, even though an
782 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]783 "floatValue": 3.14, # float
784 "timestampValue": "A String", # timestamp
785 "dayOfWeekValue": "A String", # day of week
786 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]787 # or are specified elsewhere. An API may choose to allow leap seconds. Related
788 # types are google.type.Date and `google.protobuf.Timestamp`.
789 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
790 # to allow the value "24:00:00" for scenarios like business closing time.
791 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
792 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
793 # allow the value 60 if it allows leap-seconds.
794 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
795 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]796 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]797 # and time zone are either specified elsewhere or are not significant. The date
798 # is relative to the Proleptic Gregorian Calendar. This can represent:
799 #
800 # * A full date, with non-zero year, month and day values
801 # * A month and day value, with a zero year, e.g. an anniversary
802 # * A year on its own, with zero month and day values
803 # * A year and month value, with a zero day, e.g. a credit card expiration date
804 #
805 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]806 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
807 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]808 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
809 # if specifying a year by itself or a year and month where the day is not
810 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]811 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
812 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]813 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]814 "stringValue": "A String", # string
815 "booleanValue": True or False, # boolean
816 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]817 },
818 },
819 ],
820 },
821 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
822 # only supported value is `AND`.
823 },
824 },
825 },
826 ],
827 "fieldTransformations": [ # Transform the record by applying various field transformations.
828 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]829 "fields": [ # Required. Input field(s) to apply the transformation to.
830 { # General identifier of a data field in a storage service.
831 "name": "A String", # Name describing the field.
832 },
833 ],
834 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
835 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
836 # input. Outputs a base64 encoded representation of the encrypted output.
837 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
838 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
839 # a key encryption key (KEK) stored by KMS).
840 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
841 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
842 # unwrap the data crypto key.
843 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
844 # The wrapped key must be a 128/192/256 bit key.
845 # Authorization requires the following IAM permissions when sending a request
846 # to perform a crypto transformation using a kms-wrapped crypto key:
847 # dlp.kms.encrypt
848 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
849 "wrappedKey": "A String", # Required. The wrapped data crypto key.
850 },
851 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
852 # leaking the key. Choose another type of key if possible.
853 "key": "A String", # Required. A 128/192/256 bit key.
854 },
855 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
856 # It will be discarded after the request finishes.
857 "name": "A String", # Required. Name of the key.
858 # This is an arbitrary string used to differentiate different keys.
859 # A unique key is generated per name: two separate `TransientCryptoKey`
860 # protos share the same generated key if their names are the same.
861 # When the data crypto key is generated, this name is not used in any way
862 # (repeating the api call will result in a different key being generated).
863 },
864 },
865 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
866 # referential integrity such that the same identifier in two different
867 # contexts will be given a distinct surrogate. The context is appended to
868 # plaintext value being encrypted. On decryption the provided context is
869 # validated against the value used during encryption. If a context was
870 # provided during encryption, same context must be provided during decryption
871 # as well.
872 #
873 # If the context is not set, plaintext would be used as is for encryption.
874 # If the context is set but:
875 #
876 # 1. there is no record present when transforming a given value or
877 # 2. the field is not present when transforming a given value,
878 #
879 # plaintext would be used as is for encryption.
880 #
881 # Note that case (1) is expected when an `InfoTypeTransformation` is
882 # applied to both structured and non-structured `ContentItem`s.
883 "name": "A String", # Name describing the field.
884 },
885 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
886 # This annotation will be applied to the surrogate by prefixing it with
887 # the name of the custom info type followed by the number of
888 # characters comprising the surrogate. The following scheme defines the
889 # format: {info type name}({surrogate character count}):{surrogate}
890 #
891 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
892 # the surrogate is 'abc', the full replacement value
893 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
894 #
895 # This annotation identifies the surrogate when inspecting content using the
896 # custom info type 'Surrogate'. This facilitates reversal of the
897 # surrogate when it occurs in free text.
898 #
899 # Note: For record transformations where the entire cell in a table is being
900 # transformed, surrogates are not mandatory. Surrogates are used to denote
901 # the location of the token and are necessary for re-identification in free
902 # form text.
903 #
904 # In order for inspection to work properly, the name of this info type must
905 # not occur naturally anywhere in your data; otherwise, inspection may either
906 #
907 # - reverse a surrogate that does not correspond to an actual identifier
908 # - be unable to parse the surrogate and result in an error
909 #
910 # Therefore, choose your custom info type name carefully after considering
911 # what your data looks like. One way to select a name that has a high chance
912 # of yielding reliable detection is to include one or more unicode characters
913 # that are highly improbable to exist in your data.
914 # For example, assuming your data is entered from a regular ASCII keyboard,
915 # the symbol with the hex code point 29DD might be used like so:
916 # ⧝MY_TOKEN_TYPE.
917 "name": "A String", # Name of the information type. Either a name of your choosing when
918 # creating a CustomInfoType, or one of the names listed
919 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
920 # a built-in type. InfoType names should conform to the pattern
921 # `[a-zA-Z0-9_]{1,64}`.
922 },
923 },
924 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
925 # fixed character. Masking can start from the beginning or end of the string.
926 # This can be used on data of any type (numbers, longs, and so on) and when
927 # de-identifying structured data we'll attempt to preserve the original data's
928 # type. (This allows you to take a long like 123 and modify it to a string like
929 # **3.
930 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
931 # characters. For example, if the input string is `555-555-5555` and you
932 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
933 # returns `***-**5-5555`.
934 { # Characters to skip when doing deidentification of a value. These will be left
935 # alone and skipped.
936 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
937 # punctuation.
938 "charactersToSkip": "A String", # Characters to not transform when masking.
939 },
940 ],
941 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
942 # masked. Skipped characters do not count towards this tally.
943 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
944 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
945 # code or credit card number. This string must have a length of 1. If not
946 # supplied, this value defaults to `*` for strings, and `0` for digits.
947 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
948 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
949 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
950 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
951 # is `true`, then the string `12345` is masked as `12***`.
952 },
953 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
954 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
955 # output would be 'My phone number is '.
956 },
957 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
958 },
959 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
960 # Bucketing transformation can provide all of this functionality,
961 # but requires more configuration. This message is provided as a convenience to
962 # the user for simple bucketing strategies.
963 #
964 # The transformed value will be a hyphenated string of
965 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
966 # all values that are within this bucket will be replaced with "10-20".
967 #
968 # This can be used on data of type: double, long.
969 #
970 # If the bound Value type differs from the type of data
971 # being transformed, we will first attempt converting the type of the data to
972 # be transformed to match the type of the bound before comparing.
973 #
974 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
975 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
976 # grouped together into a single bucket; for example if `lower_bound` = 10,
977 # then all values less than 10 are replaced with the value “-10”.
978 # Note that for the purposes of inspection or transformation, the number
979 # of bytes considered to comprise a 'Value' is based on its representation
980 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
981 # 123456789, the number of bytes would be counted as 9, even though an
982 # int64 only holds up to 8 bytes of data.
983 "floatValue": 3.14, # float
984 "timestampValue": "A String", # timestamp
985 "dayOfWeekValue": "A String", # day of week
986 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
987 # or are specified elsewhere. An API may choose to allow leap seconds. Related
988 # types are google.type.Date and `google.protobuf.Timestamp`.
989 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
990 # to allow the value "24:00:00" for scenarios like business closing time.
991 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
992 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
993 # allow the value 60 if it allows leap-seconds.
994 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
995 },
996 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
997 # and time zone are either specified elsewhere or are not significant. The date
998 # is relative to the Proleptic Gregorian Calendar. This can represent:
999 #
1000 # * A full date, with non-zero year, month and day values
1001 # * A month and day value, with a zero year, e.g. an anniversary
1002 # * A year on its own, with zero month and day values
1003 # * A year and month value, with a zero day, e.g. a credit card expiration date
1004 #
1005 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1006 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1007 # month and day.
1008 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1009 # if specifying a year by itself or a year and month where the day is not
1010 # significant.
1011 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1012 # a year.
1013 },
1014 "stringValue": "A String", # string
1015 "booleanValue": True or False, # boolean
1016 "integerValue": "A String", # integer
1017 },
1018 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
1019 # grouped together into a single bucket; for example if `upper_bound` = 89,
1020 # then all values greater than 89 are replaced with the value “89+”.
1021 # Note that for the purposes of inspection or transformation, the number
1022 # of bytes considered to comprise a 'Value' is based on its representation
1023 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1024 # 123456789, the number of bytes would be counted as 9, even though an
1025 # int64 only holds up to 8 bytes of data.
1026 "floatValue": 3.14, # float
1027 "timestampValue": "A String", # timestamp
1028 "dayOfWeekValue": "A String", # day of week
1029 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1030 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1031 # types are google.type.Date and `google.protobuf.Timestamp`.
1032 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1033 # to allow the value "24:00:00" for scenarios like business closing time.
1034 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1035 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1036 # allow the value 60 if it allows leap-seconds.
1037 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1038 },
1039 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1040 # and time zone are either specified elsewhere or are not significant. The date
1041 # is relative to the Proleptic Gregorian Calendar. This can represent:
1042 #
1043 # * A full date, with non-zero year, month and day values
1044 # * A month and day value, with a zero year, e.g. an anniversary
1045 # * A year on its own, with zero month and day values
1046 # * A year and month value, with a zero day, e.g. a credit card expiration date
1047 #
1048 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1049 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1050 # month and day.
1051 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1052 # if specifying a year by itself or a year and month where the day is not
1053 # significant.
1054 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1055 # a year.
1056 },
1057 "stringValue": "A String", # string
1058 "booleanValue": True or False, # boolean
1059 "integerValue": "A String", # integer
1060 },
1061 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
1062 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
1063 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
1064 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
1065 },
1066 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
1067 # portion of the value.
1068 "partToExtract": "A String", # The part of the time to keep.
1069 },
1070 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
1071 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
1072 # to learn more.
1073 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
1074 # results in the same shift for the same context and crypto_key. If
1075 # set, must also set context. Can only be applied to table items.
1076 # a key encryption key (KEK) stored by KMS).
1077 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1078 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1079 # unwrap the data crypto key.
1080 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1081 # The wrapped key must be a 128/192/256 bit key.
1082 # Authorization requires the following IAM permissions when sending a request
1083 # to perform a crypto transformation using a kms-wrapped crypto key:
1084 # dlp.kms.encrypt
1085 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1086 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1087 },
1088 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1089 # leaking the key. Choose another type of key if possible.
1090 "key": "A String", # Required. A 128/192/256 bit key.
1091 },
1092 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1093 # It will be discarded after the request finishes.
1094 "name": "A String", # Required. Name of the key.
1095 # This is an arbitrary string used to differentiate different keys.
1096 # A unique key is generated per name: two separate `TransientCryptoKey`
1097 # protos share the same generated key if their names are the same.
1098 # When the data crypto key is generated, this name is not used in any way
1099 # (repeating the api call will result in a different key being generated).
1100 },
1101 },
1102 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1103 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
1104 # range (inclusive ends). Negative means shift to earlier in time. Must not
1105 # be more than 365250 days (1000 years) each direction.
1106 #
1107 # For example, 3 means shift date to at most 3 days into the future.
1108 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
1109 # If set, must also set cryptoKey. If set, shift will be consistent for the
1110 # given context.
1111 "name": "A String", # Name describing the field.
1112 },
1113 },
1114 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
1115 # (FPE) with the FFX mode of operation; however when used in the
1116 # `ReidentifyContent` API method, it serves the opposite function by reversing
1117 # the surrogate back into the original identifier. The identifier must be
1118 # encoded as ASCII. For a given crypto key and context, the same identifier
1119 # will be replaced with the same surrogate. Identifiers must be at least two
1120 # characters long. In the case that the identifier is the empty string, it will
1121 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
1122 # more.
1123 #
1124 # Note: We recommend using CryptoDeterministicConfig for all use cases which
1125 # do not require preserving the input alphabet space and size, plus warrant
1126 # referential integrity.
1127 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
1128 # a key encryption key (KEK) stored by KMS).
1129 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1130 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1131 # unwrap the data crypto key.
1132 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1133 # The wrapped key must be a 128/192/256 bit key.
1134 # Authorization requires the following IAM permissions when sending a request
1135 # to perform a crypto transformation using a kms-wrapped crypto key:
1136 # dlp.kms.encrypt
1137 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1138 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1139 },
1140 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1141 # leaking the key. Choose another type of key if possible.
1142 "key": "A String", # Required. A 128/192/256 bit key.
1143 },
1144 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1145 # It will be discarded after the request finishes.
1146 "name": "A String", # Required. Name of the key.
1147 # This is an arbitrary string used to differentiate different keys.
1148 # A unique key is generated per name: two separate `TransientCryptoKey`
1149 # protos share the same generated key if their names are the same.
1150 # When the data crypto key is generated, this name is not used in any way
1151 # (repeating the api call will result in a different key being generated).
1152 },
1153 },
1154 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
1155 "commonAlphabet": "A String", # Common alphabets.
1156 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
1157 # that the FFX mode natively supports. This happens before/after
1158 # encryption/decryption.
1159 # Each character listed must appear only once.
1160 # Number of characters must be in the range [2, 95].
1161 # This must be encoded as ASCII.
1162 # The order of characters does not matter.
1163 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
1164 # identifier in two different contexts won't be given the same surrogate. If
1165 # the context is not set, a default tweak will be used.
1166 #
1167 # If the context is set but:
1168 #
1169 # 1. there is no record present when transforming a given value or
1170 # 1. the field is not present when transforming a given value,
1171 #
1172 # a default tweak will be used.
1173 #
1174 # Note that case (1) is expected when an `InfoTypeTransformation` is
1175 # applied to both structured and non-structured `ContentItem`s.
1176 # Currently, the referenced field may be of value type integer or string.
1177 #
1178 # The tweak is constructed as a sequence of bytes in big endian byte order
1179 # such that:
1180 #
1181 # - a 64 bit integer is encoded followed by a single byte of value 1
1182 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1183 "name": "A String", # Name describing the field.
1184 },
1185 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
1186 # This annotation will be applied to the surrogate by prefixing it with
1187 # the name of the custom infoType followed by the number of
1188 # characters comprising the surrogate. The following scheme defines the
1189 # format: info_type_name(surrogate_character_count):surrogate
1190 #
1191 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
1192 # the surrogate is 'abc', the full replacement value
1193 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1194 #
1195 # This annotation identifies the surrogate when inspecting content using the
1196 # custom infoType
1197 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
1198 # This facilitates reversal of the surrogate when it occurs in free text.
1199 #
1200 # In order for inspection to work properly, the name of this infoType must
1201 # not occur naturally anywhere in your data; otherwise, inspection may
1202 # find a surrogate that does not correspond to an actual identifier.
1203 # Therefore, choose your custom infoType name carefully after considering
1204 # what your data looks like. One way to select a name that has a high chance
1205 # of yielding reliable detection is to include one or more unicode characters
1206 # that are highly improbable to exist in your data.
1207 # For example, assuming your data is entered from a regular ASCII keyboard,
1208 # the symbol with the hex code point 29DD might be used like so:
1209 # ⧝MY_TOKEN_TYPE
1210 "name": "A String", # Name of the information type. Either a name of your choosing when
1211 # creating a CustomInfoType, or one of the names listed
1212 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1213 # a built-in type. InfoType names should conform to the pattern
1214 # `[a-zA-Z0-9_]{1,64}`.
1215 },
1216 },
1217 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
1218 # replacement values are dynamically provided by the user for custom behavior,
1219 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
1220 # This can be used on
1221 # data of type: number, long, string, timestamp.
1222 # If the bound `Value` type differs from the type of data being transformed, we
1223 # will first attempt converting the type of the data to be transformed to match
1224 # the type of the bound before comparing.
1225 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1226 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
1227 { # Bucket is represented as a range, along with replacement values.
1228 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1229 # Note that for the purposes of inspection or transformation, the number
1230 # of bytes considered to comprise a 'Value' is based on its representation
1231 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1232 # 123456789, the number of bytes would be counted as 9, even though an
1233 # int64 only holds up to 8 bytes of data.
1234 "floatValue": 3.14, # float
1235 "timestampValue": "A String", # timestamp
1236 "dayOfWeekValue": "A String", # day of week
1237 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1238 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1239 # types are google.type.Date and `google.protobuf.Timestamp`.
1240 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1241 # to allow the value "24:00:00" for scenarios like business closing time.
1242 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1243 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1244 # allow the value 60 if it allows leap-seconds.
1245 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1246 },
1247 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1248 # and time zone are either specified elsewhere or are not significant. The date
1249 # is relative to the Proleptic Gregorian Calendar. This can represent:
1250 #
1251 # * A full date, with non-zero year, month and day values
1252 # * A month and day value, with a zero year, e.g. an anniversary
1253 # * A year on its own, with zero month and day values
1254 # * A year and month value, with a zero day, e.g. a credit card expiration date
1255 #
1256 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1257 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1258 # month and day.
1259 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1260 # if specifying a year by itself or a year and month where the day is not
1261 # significant.
1262 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1263 # a year.
1264 },
1265 "stringValue": "A String", # string
1266 "booleanValue": True or False, # boolean
1267 "integerValue": "A String", # integer
1268 },
1269 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1270 # the default behavior will be to hyphenate the min-max range.
1271 # Note that for the purposes of inspection or transformation, the number
1272 # of bytes considered to comprise a 'Value' is based on its representation
1273 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1274 # 123456789, the number of bytes would be counted as 9, even though an
1275 # int64 only holds up to 8 bytes of data.
1276 "floatValue": 3.14, # float
1277 "timestampValue": "A String", # timestamp
1278 "dayOfWeekValue": "A String", # day of week
1279 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1280 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1281 # types are google.type.Date and `google.protobuf.Timestamp`.
1282 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1283 # to allow the value "24:00:00" for scenarios like business closing time.
1284 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1285 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1286 # allow the value 60 if it allows leap-seconds.
1287 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1288 },
1289 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1290 # and time zone are either specified elsewhere or are not significant. The date
1291 # is relative to the Proleptic Gregorian Calendar. This can represent:
1292 #
1293 # * A full date, with non-zero year, month and day values
1294 # * A month and day value, with a zero year, e.g. an anniversary
1295 # * A year on its own, with zero month and day values
1296 # * A year and month value, with a zero day, e.g. a credit card expiration date
1297 #
1298 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1299 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1300 # month and day.
1301 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1302 # if specifying a year by itself or a year and month where the day is not
1303 # significant.
1304 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1305 # a year.
1306 },
1307 "stringValue": "A String", # string
1308 "booleanValue": True or False, # boolean
1309 "integerValue": "A String", # integer
1310 },
1311 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
1312 # used.
1313 # Note that for the purposes of inspection or transformation, the number
1314 # of bytes considered to comprise a 'Value' is based on its representation
1315 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1316 # 123456789, the number of bytes would be counted as 9, even though an
1317 # int64 only holds up to 8 bytes of data.
1318 "floatValue": 3.14, # float
1319 "timestampValue": "A String", # timestamp
1320 "dayOfWeekValue": "A String", # day of week
1321 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1322 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1323 # types are google.type.Date and `google.protobuf.Timestamp`.
1324 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1325 # to allow the value "24:00:00" for scenarios like business closing time.
1326 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1327 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1328 # allow the value 60 if it allows leap-seconds.
1329 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1330 },
1331 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1332 # and time zone are either specified elsewhere or are not significant. The date
1333 # is relative to the Proleptic Gregorian Calendar. This can represent:
1334 #
1335 # * A full date, with non-zero year, month and day values
1336 # * A month and day value, with a zero year, e.g. an anniversary
1337 # * A year on its own, with zero month and day values
1338 # * A year and month value, with a zero day, e.g. a credit card expiration date
1339 #
1340 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1341 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1342 # month and day.
1343 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1344 # if specifying a year by itself or a year and month where the day is not
1345 # significant.
1346 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1347 # a year.
1348 },
1349 "stringValue": "A String", # string
1350 "booleanValue": True or False, # boolean
1351 "integerValue": "A String", # integer
1352 },
1353 },
1354 ],
1355 },
1356 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
1357 # Uses SHA-256.
1358 # The key size must be either 32 or 64 bytes.
1359 # Outputs a base64 encoded representation of the hashed output
1360 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
1361 # Currently, only string and integer values can be hashed.
1362 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
1363 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
1364 # a key encryption key (KEK) stored by KMS).
1365 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1366 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1367 # unwrap the data crypto key.
1368 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
1369 # The wrapped key must be a 128/192/256 bit key.
1370 # Authorization requires the following IAM permissions when sending a request
1371 # to perform a crypto transformation using a kms-wrapped crypto key:
1372 # dlp.kms.encrypt
1373 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1374 "wrappedKey": "A String", # Required. The wrapped data crypto key.
1375 },
1376 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
1377 # leaking the key. Choose another type of key if possible.
1378 "key": "A String", # Required. A 128/192/256 bit key.
1379 },
1380 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
1381 # It will be discarded after the request finishes.
1382 "name": "A String", # Required. Name of the key.
1383 # This is an arbitrary string used to differentiate different keys.
1384 # A unique key is generated per name: two separate `TransientCryptoKey`
1385 # protos share the same generated key if their names are the same.
1386 # When the data crypto key is generated, this name is not used in any way
1387 # (repeating the api call will result in a different key being generated).
1388 },
1389 },
1390 },
1391 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
1392 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
1393 # Note that for the purposes of inspection or transformation, the number
1394 # of bytes considered to comprise a 'Value' is based on its representation
1395 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1396 # 123456789, the number of bytes would be counted as 9, even though an
1397 # int64 only holds up to 8 bytes of data.
1398 "floatValue": 3.14, # float
1399 "timestampValue": "A String", # timestamp
1400 "dayOfWeekValue": "A String", # day of week
1401 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1402 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1403 # types are google.type.Date and `google.protobuf.Timestamp`.
1404 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1405 # to allow the value "24:00:00" for scenarios like business closing time.
1406 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1407 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1408 # allow the value 60 if it allows leap-seconds.
1409 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1410 },
1411 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1412 # and time zone are either specified elsewhere or are not significant. The date
1413 # is relative to the Proleptic Gregorian Calendar. This can represent:
1414 #
1415 # * A full date, with non-zero year, month and day values
1416 # * A month and day value, with a zero year, e.g. an anniversary
1417 # * A year on its own, with zero month and day values
1418 # * A year and month value, with a zero day, e.g. a credit card expiration date
1419 #
1420 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1421 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1422 # month and day.
1423 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1424 # if specifying a year by itself or a year and month where the day is not
1425 # significant.
1426 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1427 # a year.
1428 },
1429 "stringValue": "A String", # string
1430 "booleanValue": True or False, # boolean
1431 "integerValue": "A String", # integer
1432 },
1433 },
1434 },
1435 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
1436 # given `RecordCondition`. The conditions are allowed to reference fields
1437 # that are not used in the actual transformation.
1438 #
1439 # Example Use Cases:
1440 #
1441 # - Apply a different bucket transformation to an age column if the zip code
1442 # column for the same record is within a specific range.
1443 # - Redact a field if the date of birth field is greater than 85.
1444 # a field.
1445 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
1446 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
1447 "conditions": [ # A collection of conditions.
1448 { # The field type of `value` and `field` do not need to match to be
1449 # considered equal, but not all comparisons are possible.
1450 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
1451 # but all other comparisons are invalid with incompatible types.
1452 # A `value` of type:
1453 #
1454 # - `string` can be compared against all other types
1455 # - `boolean` can only be compared against other booleans
1456 # - `integer` can be compared against doubles or a string if the string value
1457 # can be parsed as an integer.
1458 # - `double` can be compared against integers or a string if the string can
1459 # be parsed as a double.
1460 # - `Timestamp` can be compared against strings in RFC 3339 date string
1461 # format.
1462 # - `TimeOfDay` can be compared against timestamps and strings in the format
1463 # of 'HH:mm:ss'.
1464 #
1465 # If we fail to compare do to type mismatch, a warning will be given and
1466 # the condition will evaluate to false.
1467 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
1468 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
1469 "name": "A String", # Name describing the field.
1470 },
1471 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
1472 # Note that for the purposes of inspection or transformation, the number
1473 # of bytes considered to comprise a 'Value' is based on its representation
1474 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1475 # 123456789, the number of bytes would be counted as 9, even though an
1476 # int64 only holds up to 8 bytes of data.
1477 "floatValue": 3.14, # float
1478 "timestampValue": "A String", # timestamp
1479 "dayOfWeekValue": "A String", # day of week
1480 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1481 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1482 # types are google.type.Date and `google.protobuf.Timestamp`.
1483 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1484 # to allow the value "24:00:00" for scenarios like business closing time.
1485 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1486 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1487 # allow the value 60 if it allows leap-seconds.
1488 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1489 },
1490 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1491 # and time zone are either specified elsewhere or are not significant. The date
1492 # is relative to the Proleptic Gregorian Calendar. This can represent:
1493 #
1494 # * A full date, with non-zero year, month and day values
1495 # * A month and day value, with a zero year, e.g. an anniversary
1496 # * A year on its own, with zero month and day values
1497 # * A year and month value, with a zero day, e.g. a credit card expiration date
1498 #
1499 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1500 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1501 # month and day.
1502 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1503 # if specifying a year by itself or a year and month where the day is not
1504 # significant.
1505 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1506 # a year.
1507 },
1508 "stringValue": "A String", # string
1509 "booleanValue": True or False, # boolean
1510 "integerValue": "A String", # integer
1511 },
1512 },
1513 ],
1514 },
1515 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
1516 # only supported value is `AND`.
1517 },
1518 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1519 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
1520 # transform content that matches an `InfoType`.
1521 # apply various `PrimitiveTransformation`s to each finding, where the
1522 # transformation is applied to only values that were identified as a specific
1523 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1524 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
1525 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1526 { # A transformation to apply to text that is identified as a specific
1527 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1528 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
1529 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1530 # input. Outputs a base64 encoded representation of the encrypted output.
1531 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
1532 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
1533 # a key encryption key (KEK) stored by KMS).
1534 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1535 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1536 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1537 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1538 # The wrapped key must be a 128/192/256 bit key.
1539 # Authorization requires the following IAM permissions when sending a request
1540 # to perform a crypto transformation using a kms-wrapped crypto key:
1541 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1542 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1543 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1544 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1545 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1546 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1547 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1548 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1549 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1550 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1551 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1552 # This is an arbitrary string used to differentiate different keys.
1553 # A unique key is generated per name: two separate `TransientCryptoKey`
1554 # protos share the same generated key if their names are the same.
1555 # When the data crypto key is generated, this name is not used in any way
1556 # (repeating the api call will result in a different key being generated).
1557 },
1558 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1559 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1560 # referential integrity such that the same identifier in two different
1561 # contexts will be given a distinct surrogate. The context is appended to
1562 # plaintext value being encrypted. On decryption the provided context is
1563 # validated against the value used during encryption. If a context was
1564 # provided during encryption, same context must be provided during decryption
1565 # as well.
1566 #
1567 # If the context is not set, plaintext would be used as is for encryption.
1568 # If the context is set but:
1569 #
1570 # 1. there is no record present when transforming a given value or
1571 # 2. the field is not present when transforming a given value,
1572 #
1573 # plaintext would be used as is for encryption.
1574 #
1575 # Note that case (1) is expected when an `InfoTypeTransformation` is
1576 # applied to both structured and non-structured `ContentItem`s.
1577 "name": "A String", # Name describing the field.
1578 },
1579 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
1580 # This annotation will be applied to the surrogate by prefixing it with
1581 # the name of the custom info type followed by the number of
1582 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1583 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1584 #
1585 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
1586 # the surrogate is 'abc', the full replacement value
1587 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1588 #
1589 # This annotation identifies the surrogate when inspecting content using the
1590 # custom info type 'Surrogate'. This facilitates reversal of the
1591 # surrogate when it occurs in free text.
1592 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1593 # Note: For record transformations where the entire cell in a table is being
1594 # transformed, surrogates are not mandatory. Surrogates are used to denote
1595 # the location of the token and are necessary for re-identification in free
1596 # form text.
1597 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1598 # In order for inspection to work properly, the name of this info type must
1599 # not occur naturally anywhere in your data; otherwise, inspection may either
1600 #
1601 # - reverse a surrogate that does not correspond to an actual identifier
1602 # - be unable to parse the surrogate and result in an error
1603 #
1604 # Therefore, choose your custom info type name carefully after considering
1605 # what your data looks like. One way to select a name that has a high chance
1606 # of yielding reliable detection is to include one or more unicode characters
1607 # that are highly improbable to exist in your data.
1608 # For example, assuming your data is entered from a regular ASCII keyboard,
1609 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1610 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1611 "name": "A String", # Name of the information type. Either a name of your choosing when
1612 # creating a CustomInfoType, or one of the names listed
1613 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1614 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1615 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1616 },
1617 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1618 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
1619 # fixed character. Masking can start from the beginning or end of the string.
1620 # This can be used on data of any type (numbers, longs, and so on) and when
1621 # de-identifying structured data we'll attempt to preserve the original data's
1622 # type. (This allows you to take a long like 123 and modify it to a string like
1623 # **3.
1624 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
1625 # characters. For example, if the input string is `555-555-5555` and you
1626 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
1627 # returns `***-**5-5555`.
1628 { # Characters to skip when doing deidentification of a value. These will be left
1629 # alone and skipped.
1630 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
1631 # punctuation.
1632 "charactersToSkip": "A String", # Characters to not transform when masking.
1633 },
1634 ],
1635 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
1636 # masked. Skipped characters do not count towards this tally.
1637 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
1638 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
1639 # code or credit card number. This string must have a length of 1. If not
1640 # supplied, this value defaults to `*` for strings, and `0` for digits.
1641 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
1642 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
1643 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
1644 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
1645 # is `true`, then the string `12345` is masked as `12***`.
1646 },
1647 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
1648 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
1649 # output would be 'My phone number is '.
1650 },
1651 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
1652 },
1653 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1654 # Bucketing transformation can provide all of this functionality,
1655 # but requires more configuration. This message is provided as a convenience to
1656 # the user for simple bucketing strategies.
1657 #
1658 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1659 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1660 # all values that are within this bucket will be replaced with "10-20".
1661 #
1662 # This can be used on data of type: double, long.
1663 #
1664 # If the bound Value type differs from the type of data
1665 # being transformed, we will first attempt converting the type of the data to
1666 # be transformed to match the type of the bound before comparing.
1667 #
1668 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1669 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1670 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1671 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1672 # Note that for the purposes of inspection or transformation, the number
1673 # of bytes considered to comprise a 'Value' is based on its representation
1674 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1675 # 123456789, the number of bytes would be counted as 9, even though an
1676 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1677 "floatValue": 3.14, # float
1678 "timestampValue": "A String", # timestamp
1679 "dayOfWeekValue": "A String", # day of week
1680 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1681 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1682 # types are google.type.Date and `google.protobuf.Timestamp`.
1683 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1684 # to allow the value "24:00:00" for scenarios like business closing time.
1685 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1686 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1687 # allow the value 60 if it allows leap-seconds.
1688 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1689 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1690 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1691 # and time zone are either specified elsewhere or are not significant. The date
1692 # is relative to the Proleptic Gregorian Calendar. This can represent:
1693 #
1694 # * A full date, with non-zero year, month and day values
1695 # * A month and day value, with a zero year, e.g. an anniversary
1696 # * A year on its own, with zero month and day values
1697 # * A year and month value, with a zero day, e.g. a credit card expiration date
1698 #
1699 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1700 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1701 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1702 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1703 # if specifying a year by itself or a year and month where the day is not
1704 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1705 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1706 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1707 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1708 "stringValue": "A String", # string
1709 "booleanValue": True or False, # boolean
1710 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1711 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1712 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1713 # grouped together into a single bucket; for example if `upper_bound` = 89,
1714 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1715 # Note that for the purposes of inspection or transformation, the number
1716 # of bytes considered to comprise a 'Value' is based on its representation
1717 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1718 # 123456789, the number of bytes would be counted as 9, even though an
1719 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1720 "floatValue": 3.14, # float
1721 "timestampValue": "A String", # timestamp
1722 "dayOfWeekValue": "A String", # day of week
1723 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1724 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1725 # types are google.type.Date and `google.protobuf.Timestamp`.
1726 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1727 # to allow the value "24:00:00" for scenarios like business closing time.
1728 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1729 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1730 # allow the value 60 if it allows leap-seconds.
1731 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1732 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1733 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1734 # and time zone are either specified elsewhere or are not significant. The date
1735 # is relative to the Proleptic Gregorian Calendar. This can represent:
1736 #
1737 # * A full date, with non-zero year, month and day values
1738 # * A month and day value, with a zero year, e.g. an anniversary
1739 # * A year on its own, with zero month and day values
1740 # * A year and month value, with a zero day, e.g. a credit card expiration date
1741 #
1742 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1743 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1744 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1745 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1746 # if specifying a year by itself or a year and month where the day is not
1747 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1748 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1749 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1750 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1751 "stringValue": "A String", # string
1752 "booleanValue": True or False, # boolean
1753 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1754 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1755 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1756 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
1757 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1758 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1759 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1760 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1761 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1762 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1763 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1764 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1765 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
1766 # to learn more.
1767 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1768 # results in the same shift for the same context and crypto_key. If
1769 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1770 # a key encryption key (KEK) stored by KMS).
1771 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1772 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1773 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1774 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1775 # The wrapped key must be a 128/192/256 bit key.
1776 # Authorization requires the following IAM permissions when sending a request
1777 # to perform a crypto transformation using a kms-wrapped crypto key:
1778 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1779 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1780 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1781 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1782 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1783 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1784 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1785 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1786 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1787 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1788 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1789 # This is an arbitrary string used to differentiate different keys.
1790 # A unique key is generated per name: two separate `TransientCryptoKey`
1791 # protos share the same generated key if their names are the same.
1792 # When the data crypto key is generated, this name is not used in any way
1793 # (repeating the api call will result in a different key being generated).
1794 },
1795 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1796 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
1797 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1798 # range (inclusive ends). Negative means shift to earlier in time. Must not
1799 # be more than 365250 days (1000 years) each direction.
1800 #
1801 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1802 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1803 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1804 # given context.
1805 "name": "A String", # Name describing the field.
1806 },
1807 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1808 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1809 # (FPE) with the FFX mode of operation; however when used in the
1810 # `ReidentifyContent` API method, it serves the opposite function by reversing
1811 # the surrogate back into the original identifier. The identifier must be
1812 # encoded as ASCII. For a given crypto key and context, the same identifier
1813 # will be replaced with the same surrogate. Identifiers must be at least two
1814 # characters long. In the case that the identifier is the empty string, it will
1815 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
1816 # more.
1817 #
1818 # Note: We recommend using CryptoDeterministicConfig for all use cases which
1819 # do not require preserving the input alphabet space and size, plus warrant
1820 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1821 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1822 # a key encryption key (KEK) stored by KMS).
1823 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
1824 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
1825 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1826 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1827 # The wrapped key must be a 128/192/256 bit key.
1828 # Authorization requires the following IAM permissions when sending a request
1829 # to perform a crypto transformation using a kms-wrapped crypto key:
1830 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1831 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
1832 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1833 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1834 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1835 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1836 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1837 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1838 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1839 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1840 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1841 # This is an arbitrary string used to differentiate different keys.
1842 # A unique key is generated per name: two separate `TransientCryptoKey`
1843 # protos share the same generated key if their names are the same.
1844 # When the data crypto key is generated, this name is not used in any way
1845 # (repeating the api call will result in a different key being generated).
1846 },
1847 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1848 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
1849 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1850 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
1851 # that the FFX mode natively supports. This happens before/after
1852 # encryption/decryption.
1853 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1854 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1855 # This must be encoded as ASCII.
1856 # The order of characters does not matter.
1857 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
1858 # identifier in two different contexts won't be given the same surrogate. If
1859 # the context is not set, a default tweak will be used.
1860 #
1861 # If the context is set but:
1862 #
1863 # 1. there is no record present when transforming a given value or
1864 # 1. the field is not present when transforming a given value,
1865 #
1866 # a default tweak will be used.
1867 #
1868 # Note that case (1) is expected when an `InfoTypeTransformation` is
1869 # applied to both structured and non-structured `ContentItem`s.
1870 # Currently, the referenced field may be of value type integer or string.
1871 #
1872 # The tweak is constructed as a sequence of bytes in big endian byte order
1873 # such that:
1874 #
1875 # - a 64 bit integer is encoded followed by a single byte of value 1
1876 # - a string is encoded in UTF-8 format followed by a single byte of value 2
1877 "name": "A String", # Name describing the field.
1878 },
1879 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
1880 # This annotation will be applied to the surrogate by prefixing it with
1881 # the name of the custom infoType followed by the number of
1882 # characters comprising the surrogate. The following scheme defines the
1883 # format: info_type_name(surrogate_character_count):surrogate
1884 #
1885 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
1886 # the surrogate is 'abc', the full replacement value
1887 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
1888 #
1889 # This annotation identifies the surrogate when inspecting content using the
1890 # custom infoType
1891 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
1892 # This facilitates reversal of the surrogate when it occurs in free text.
1893 #
1894 # In order for inspection to work properly, the name of this infoType must
1895 # not occur naturally anywhere in your data; otherwise, inspection may
1896 # find a surrogate that does not correspond to an actual identifier.
1897 # Therefore, choose your custom infoType name carefully after considering
1898 # what your data looks like. One way to select a name that has a high chance
1899 # of yielding reliable detection is to include one or more unicode characters
1900 # that are highly improbable to exist in your data.
1901 # For example, assuming your data is entered from a regular ASCII keyboard,
1902 # the symbol with the hex code point 29DD might be used like so:
1903 # ⧝MY_TOKEN_TYPE
1904 "name": "A String", # Name of the information type. Either a name of your choosing when
1905 # creating a CustomInfoType, or one of the names listed
1906 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
1907 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1908 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]1909 },
1910 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]1911 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
1912 # replacement values are dynamically provided by the user for custom behavior,
1913 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
1914 # This can be used on
1915 # data of type: number, long, string, timestamp.
1916 # If the bound `Value` type differs from the type of data being transformed, we
1917 # will first attempt converting the type of the data to be transformed to match
1918 # the type of the bound before comparing.
1919 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
1920 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
1921 { # Bucket is represented as a range, along with replacement values.
1922 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
1923 # Note that for the purposes of inspection or transformation, the number
1924 # of bytes considered to comprise a 'Value' is based on its representation
1925 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1926 # 123456789, the number of bytes would be counted as 9, even though an
1927 # int64 only holds up to 8 bytes of data.
1928 "floatValue": 3.14, # float
1929 "timestampValue": "A String", # timestamp
1930 "dayOfWeekValue": "A String", # day of week
1931 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1932 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1933 # types are google.type.Date and `google.protobuf.Timestamp`.
1934 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1935 # to allow the value "24:00:00" for scenarios like business closing time.
1936 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1937 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1938 # allow the value 60 if it allows leap-seconds.
1939 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1940 },
1941 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1942 # and time zone are either specified elsewhere or are not significant. The date
1943 # is relative to the Proleptic Gregorian Calendar. This can represent:
1944 #
1945 # * A full date, with non-zero year, month and day values
1946 # * A month and day value, with a zero year, e.g. an anniversary
1947 # * A year on its own, with zero month and day values
1948 # * A year and month value, with a zero day, e.g. a credit card expiration date
1949 #
1950 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1951 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1952 # month and day.
1953 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1954 # if specifying a year by itself or a year and month where the day is not
1955 # significant.
1956 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1957 # a year.
1958 },
1959 "stringValue": "A String", # string
1960 "booleanValue": True or False, # boolean
1961 "integerValue": "A String", # integer
1962 },
1963 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
1964 # the default behavior will be to hyphenate the min-max range.
1965 # Note that for the purposes of inspection or transformation, the number
1966 # of bytes considered to comprise a 'Value' is based on its representation
1967 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
1968 # 123456789, the number of bytes would be counted as 9, even though an
1969 # int64 only holds up to 8 bytes of data.
1970 "floatValue": 3.14, # float
1971 "timestampValue": "A String", # timestamp
1972 "dayOfWeekValue": "A String", # day of week
1973 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
1974 # or are specified elsewhere. An API may choose to allow leap seconds. Related
1975 # types are google.type.Date and `google.protobuf.Timestamp`.
1976 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
1977 # to allow the value "24:00:00" for scenarios like business closing time.
1978 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
1979 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
1980 # allow the value 60 if it allows leap-seconds.
1981 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
1982 },
1983 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
1984 # and time zone are either specified elsewhere or are not significant. The date
1985 # is relative to the Proleptic Gregorian Calendar. This can represent:
1986 #
1987 # * A full date, with non-zero year, month and day values
1988 # * A month and day value, with a zero year, e.g. an anniversary
1989 # * A year on its own, with zero month and day values
1990 # * A year and month value, with a zero day, e.g. a credit card expiration date
1991 #
1992 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
1993 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
1994 # month and day.
1995 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
1996 # if specifying a year by itself or a year and month where the day is not
1997 # significant.
1998 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
1999 # a year.
2000 },
2001 "stringValue": "A String", # string
2002 "booleanValue": True or False, # boolean
2003 "integerValue": "A String", # integer
2004 },
2005 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
2006 # used.
2007 # Note that for the purposes of inspection or transformation, the number
2008 # of bytes considered to comprise a 'Value' is based on its representation
2009 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2010 # 123456789, the number of bytes would be counted as 9, even though an
2011 # int64 only holds up to 8 bytes of data.
2012 "floatValue": 3.14, # float
2013 "timestampValue": "A String", # timestamp
2014 "dayOfWeekValue": "A String", # day of week
2015 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2016 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2017 # types are google.type.Date and `google.protobuf.Timestamp`.
2018 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2019 # to allow the value "24:00:00" for scenarios like business closing time.
2020 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2021 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2022 # allow the value 60 if it allows leap-seconds.
2023 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2024 },
2025 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2026 # and time zone are either specified elsewhere or are not significant. The date
2027 # is relative to the Proleptic Gregorian Calendar. This can represent:
2028 #
2029 # * A full date, with non-zero year, month and day values
2030 # * A month and day value, with a zero year, e.g. an anniversary
2031 # * A year on its own, with zero month and day values
2032 # * A year and month value, with a zero day, e.g. a credit card expiration date
2033 #
2034 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2035 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2036 # month and day.
2037 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2038 # if specifying a year by itself or a year and month where the day is not
2039 # significant.
2040 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2041 # a year.
2042 },
2043 "stringValue": "A String", # string
2044 "booleanValue": True or False, # boolean
2045 "integerValue": "A String", # integer
2046 },
2047 },
2048 ],
2049 },
2050 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
2051 # Uses SHA-256.
2052 # The key size must be either 32 or 64 bytes.
2053 # Outputs a base64 encoded representation of the hashed output
2054 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
2055 # Currently, only string and integer values can be hashed.
2056 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
2057 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
2058 # a key encryption key (KEK) stored by KMS).
2059 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2060 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2061 # unwrap the data crypto key.
2062 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2063 # The wrapped key must be a 128/192/256 bit key.
2064 # Authorization requires the following IAM permissions when sending a request
2065 # to perform a crypto transformation using a kms-wrapped crypto key:
2066 # dlp.kms.encrypt
2067 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2068 "wrappedKey": "A String", # Required. The wrapped data crypto key.
2069 },
2070 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
2071 # leaking the key. Choose another type of key if possible.
2072 "key": "A String", # Required. A 128/192/256 bit key.
2073 },
2074 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
2075 # It will be discarded after the request finishes.
2076 "name": "A String", # Required. Name of the key.
2077 # This is an arbitrary string used to differentiate different keys.
2078 # A unique key is generated per name: two separate `TransientCryptoKey`
2079 # protos share the same generated key if their names are the same.
2080 # When the data crypto key is generated, this name is not used in any way
2081 # (repeating the api call will result in a different key being generated).
2082 },
2083 },
2084 },
2085 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2086 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
2087 # Note that for the purposes of inspection or transformation, the number
2088 # of bytes considered to comprise a 'Value' is based on its representation
2089 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2090 # 123456789, the number of bytes would be counted as 9, even though an
2091 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2092 "floatValue": 3.14, # float
2093 "timestampValue": "A String", # timestamp
2094 "dayOfWeekValue": "A String", # day of week
2095 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2096 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2097 # types are google.type.Date and `google.protobuf.Timestamp`.
2098 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2099 # to allow the value "24:00:00" for scenarios like business closing time.
2100 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2101 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2102 # allow the value 60 if it allows leap-seconds.
2103 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2104 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2105 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2106 # and time zone are either specified elsewhere or are not significant. The date
2107 # is relative to the Proleptic Gregorian Calendar. This can represent:
2108 #
2109 # * A full date, with non-zero year, month and day values
2110 # * A month and day value, with a zero year, e.g. an anniversary
2111 # * A year on its own, with zero month and day values
2112 # * A year and month value, with a zero day, e.g. a credit card expiration date
2113 #
2114 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2115 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2116 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2117 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2118 # if specifying a year by itself or a year and month where the day is not
2119 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2120 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2121 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2122 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2123 "stringValue": "A String", # string
2124 "booleanValue": True or False, # boolean
2125 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2126 },
2127 },
2128 },
2129 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
2130 # this transformation to apply to all findings that correspond to
2131 # infoTypes that were requested in `InspectConfig`.
2132 { # Type of information detected by the API.
2133 "name": "A String", # Name of the information type. Either a name of your choosing when
2134 # creating a CustomInfoType, or one of the names listed
2135 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2136 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2137 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2138 },
2139 ],
2140 },
2141 ],
2142 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2143 },
2144 ],
2145 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2146 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
2147 # mode is `TransformationErrorHandling.ThrowError`.
2148 # transformation error occurs when the requested transformation is incompatible
2149 # with the data. For example, trying to de-identify an IP address using a
2150 # `DateShift` transformation would result in a transformation error, since date
2151 # info cannot be extracted from an IP address.
2152 # Information about any incompatible transformations, and how they were
2153 # handled, is returned in the response as part of the
2154 # `TransformationOverviews`.
2155 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
2156 },
2157 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
2158 # cause an error. For example, if a `DateShift` transformation were applied
2159 # an an IP address, this mode would leave the IP address unchanged in the
2160 # response.
2161 },
2162 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2163 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2164 "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
2165 "name": "A String", # Output only. The template name.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2166 #
2167 # The template will have one of the following formats:
2168 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
2169 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
2170 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2171 "locationId": "A String", # The geographic location to store the deidentification template. Reserved
2172 # for future extensions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2173 "templateId": "A String", # The template id can contain uppercase and lowercase letters,
2174 # numbers, and hyphens; that is, it must match the regular
2175 # expression: `[a-zA-Z\\d-_]+`. The maximum length is 100
2176 # characters. Can be empty to allow the system to generate one.
2177 }
2178
2179 x__xgafv: string, V1 error format.
2180 Allowed values
2181 1 - v1 error format
2182 2 - v2 error format
2183
2184Returns:
2185 An object of the form:
2186
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2187 { # DeidentifyTemplates contains instructions on how to de-identify content.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2188 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2189 "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2190 "displayName": "A String", # Display name (max 256 chars).
2191 "description": "A String", # Short description (max 256 chars).
2192 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
2193 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
2194 # transformation everywhere.
2195 # apply various `PrimitiveTransformation`s to each finding, where the
2196 # transformation is applied to only values that were identified as a specific
2197 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2198 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
2199 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2200 { # A transformation to apply to text that is identified as a specific
2201 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2202 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
2203 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2204 # input. Outputs a base64 encoded representation of the encrypted output.
2205 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
2206 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
2207 # a key encryption key (KEK) stored by KMS).
2208 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2209 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2210 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2211 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2212 # The wrapped key must be a 128/192/256 bit key.
2213 # Authorization requires the following IAM permissions when sending a request
2214 # to perform a crypto transformation using a kms-wrapped crypto key:
2215 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2216 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2217 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2218 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2219 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2220 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2221 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2222 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2223 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2224 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2225 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2226 # This is an arbitrary string used to differentiate different keys.
2227 # A unique key is generated per name: two separate `TransientCryptoKey`
2228 # protos share the same generated key if their names are the same.
2229 # When the data crypto key is generated, this name is not used in any way
2230 # (repeating the api call will result in a different key being generated).
2231 },
2232 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2233 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2234 # referential integrity such that the same identifier in two different
2235 # contexts will be given a distinct surrogate. The context is appended to
2236 # plaintext value being encrypted. On decryption the provided context is
2237 # validated against the value used during encryption. If a context was
2238 # provided during encryption, same context must be provided during decryption
2239 # as well.
2240 #
2241 # If the context is not set, plaintext would be used as is for encryption.
2242 # If the context is set but:
2243 #
2244 # 1. there is no record present when transforming a given value or
2245 # 2. the field is not present when transforming a given value,
2246 #
2247 # plaintext would be used as is for encryption.
2248 #
2249 # Note that case (1) is expected when an `InfoTypeTransformation` is
2250 # applied to both structured and non-structured `ContentItem`s.
2251 "name": "A String", # Name describing the field.
2252 },
2253 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
2254 # This annotation will be applied to the surrogate by prefixing it with
2255 # the name of the custom info type followed by the number of
2256 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2257 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2258 #
2259 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
2260 # the surrogate is 'abc', the full replacement value
2261 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2262 #
2263 # This annotation identifies the surrogate when inspecting content using the
2264 # custom info type 'Surrogate'. This facilitates reversal of the
2265 # surrogate when it occurs in free text.
2266 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2267 # Note: For record transformations where the entire cell in a table is being
2268 # transformed, surrogates are not mandatory. Surrogates are used to denote
2269 # the location of the token and are necessary for re-identification in free
2270 # form text.
2271 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2272 # In order for inspection to work properly, the name of this info type must
2273 # not occur naturally anywhere in your data; otherwise, inspection may either
2274 #
2275 # - reverse a surrogate that does not correspond to an actual identifier
2276 # - be unable to parse the surrogate and result in an error
2277 #
2278 # Therefore, choose your custom info type name carefully after considering
2279 # what your data looks like. One way to select a name that has a high chance
2280 # of yielding reliable detection is to include one or more unicode characters
2281 # that are highly improbable to exist in your data.
2282 # For example, assuming your data is entered from a regular ASCII keyboard,
2283 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2284 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2285 "name": "A String", # Name of the information type. Either a name of your choosing when
2286 # creating a CustomInfoType, or one of the names listed
2287 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2288 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2289 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2290 },
2291 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2292 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
2293 # fixed character. Masking can start from the beginning or end of the string.
2294 # This can be used on data of any type (numbers, longs, and so on) and when
2295 # de-identifying structured data we'll attempt to preserve the original data's
2296 # type. (This allows you to take a long like 123 and modify it to a string like
2297 # **3.
2298 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
2299 # characters. For example, if the input string is `555-555-5555` and you
2300 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
2301 # returns `***-**5-5555`.
2302 { # Characters to skip when doing deidentification of a value. These will be left
2303 # alone and skipped.
2304 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
2305 # punctuation.
2306 "charactersToSkip": "A String", # Characters to not transform when masking.
2307 },
2308 ],
2309 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
2310 # masked. Skipped characters do not count towards this tally.
2311 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
2312 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
2313 # code or credit card number. This string must have a length of 1. If not
2314 # supplied, this value defaults to `*` for strings, and `0` for digits.
2315 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
2316 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
2317 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
2318 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
2319 # is `true`, then the string `12345` is masked as `12***`.
2320 },
2321 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
2322 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
2323 # output would be 'My phone number is '.
2324 },
2325 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
2326 },
2327 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2328 # Bucketing transformation can provide all of this functionality,
2329 # but requires more configuration. This message is provided as a convenience to
2330 # the user for simple bucketing strategies.
2331 #
2332 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2333 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2334 # all values that are within this bucket will be replaced with "10-20".
2335 #
2336 # This can be used on data of type: double, long.
2337 #
2338 # If the bound Value type differs from the type of data
2339 # being transformed, we will first attempt converting the type of the data to
2340 # be transformed to match the type of the bound before comparing.
2341 #
2342 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2343 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2344 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2345 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2346 # Note that for the purposes of inspection or transformation, the number
2347 # of bytes considered to comprise a 'Value' is based on its representation
2348 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2349 # 123456789, the number of bytes would be counted as 9, even though an
2350 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2351 "floatValue": 3.14, # float
2352 "timestampValue": "A String", # timestamp
2353 "dayOfWeekValue": "A String", # day of week
2354 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2355 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2356 # types are google.type.Date and `google.protobuf.Timestamp`.
2357 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2358 # to allow the value "24:00:00" for scenarios like business closing time.
2359 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2360 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2361 # allow the value 60 if it allows leap-seconds.
2362 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2363 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2364 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2365 # and time zone are either specified elsewhere or are not significant. The date
2366 # is relative to the Proleptic Gregorian Calendar. This can represent:
2367 #
2368 # * A full date, with non-zero year, month and day values
2369 # * A month and day value, with a zero year, e.g. an anniversary
2370 # * A year on its own, with zero month and day values
2371 # * A year and month value, with a zero day, e.g. a credit card expiration date
2372 #
2373 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2374 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2375 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2376 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2377 # if specifying a year by itself or a year and month where the day is not
2378 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2379 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2380 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2381 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2382 "stringValue": "A String", # string
2383 "booleanValue": True or False, # boolean
2384 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2385 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2386 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2387 # grouped together into a single bucket; for example if `upper_bound` = 89,
2388 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2389 # Note that for the purposes of inspection or transformation, the number
2390 # of bytes considered to comprise a 'Value' is based on its representation
2391 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2392 # 123456789, the number of bytes would be counted as 9, even though an
2393 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2394 "floatValue": 3.14, # float
2395 "timestampValue": "A String", # timestamp
2396 "dayOfWeekValue": "A String", # day of week
2397 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2398 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2399 # types are google.type.Date and `google.protobuf.Timestamp`.
2400 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2401 # to allow the value "24:00:00" for scenarios like business closing time.
2402 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2403 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2404 # allow the value 60 if it allows leap-seconds.
2405 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2406 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2407 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2408 # and time zone are either specified elsewhere or are not significant. The date
2409 # is relative to the Proleptic Gregorian Calendar. This can represent:
2410 #
2411 # * A full date, with non-zero year, month and day values
2412 # * A month and day value, with a zero year, e.g. an anniversary
2413 # * A year on its own, with zero month and day values
2414 # * A year and month value, with a zero day, e.g. a credit card expiration date
2415 #
2416 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2417 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2418 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2419 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2420 # if specifying a year by itself or a year and month where the day is not
2421 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2422 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2423 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2424 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2425 "stringValue": "A String", # string
2426 "booleanValue": True or False, # boolean
2427 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2428 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2429 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2430 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
2431 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2432 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2433 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2434 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2435 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2436 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2437 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2438 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2439 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
2440 # to learn more.
2441 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2442 # results in the same shift for the same context and crypto_key. If
2443 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2444 # a key encryption key (KEK) stored by KMS).
2445 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2446 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2447 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2448 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2449 # The wrapped key must be a 128/192/256 bit key.
2450 # Authorization requires the following IAM permissions when sending a request
2451 # to perform a crypto transformation using a kms-wrapped crypto key:
2452 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2453 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2454 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2455 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2456 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2457 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2458 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2459 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2460 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2461 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2462 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2463 # This is an arbitrary string used to differentiate different keys.
2464 # A unique key is generated per name: two separate `TransientCryptoKey`
2465 # protos share the same generated key if their names are the same.
2466 # When the data crypto key is generated, this name is not used in any way
2467 # (repeating the api call will result in a different key being generated).
2468 },
2469 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2470 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
2471 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2472 # range (inclusive ends). Negative means shift to earlier in time. Must not
2473 # be more than 365250 days (1000 years) each direction.
2474 #
2475 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2476 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2477 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2478 # given context.
2479 "name": "A String", # Name describing the field.
2480 },
2481 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2482 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2483 # (FPE) with the FFX mode of operation; however when used in the
2484 # `ReidentifyContent` API method, it serves the opposite function by reversing
2485 # the surrogate back into the original identifier. The identifier must be
2486 # encoded as ASCII. For a given crypto key and context, the same identifier
2487 # will be replaced with the same surrogate. Identifiers must be at least two
2488 # characters long. In the case that the identifier is the empty string, it will
2489 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
2490 # more.
2491 #
2492 # Note: We recommend using CryptoDeterministicConfig for all use cases which
2493 # do not require preserving the input alphabet space and size, plus warrant
2494 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2495 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2496 # a key encryption key (KEK) stored by KMS).
2497 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2498 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2499 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2500 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2501 # The wrapped key must be a 128/192/256 bit key.
2502 # Authorization requires the following IAM permissions when sending a request
2503 # to perform a crypto transformation using a kms-wrapped crypto key:
2504 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2505 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2506 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2507 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2508 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2509 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2510 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2511 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2512 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2513 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2514 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2515 # This is an arbitrary string used to differentiate different keys.
2516 # A unique key is generated per name: two separate `TransientCryptoKey`
2517 # protos share the same generated key if their names are the same.
2518 # When the data crypto key is generated, this name is not used in any way
2519 # (repeating the api call will result in a different key being generated).
2520 },
2521 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2522 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
2523 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2524 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
2525 # that the FFX mode natively supports. This happens before/after
2526 # encryption/decryption.
2527 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2528 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2529 # This must be encoded as ASCII.
2530 # The order of characters does not matter.
2531 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
2532 # identifier in two different contexts won't be given the same surrogate. If
2533 # the context is not set, a default tweak will be used.
2534 #
2535 # If the context is set but:
2536 #
2537 # 1. there is no record present when transforming a given value or
2538 # 1. the field is not present when transforming a given value,
2539 #
2540 # a default tweak will be used.
2541 #
2542 # Note that case (1) is expected when an `InfoTypeTransformation` is
2543 # applied to both structured and non-structured `ContentItem`s.
2544 # Currently, the referenced field may be of value type integer or string.
2545 #
2546 # The tweak is constructed as a sequence of bytes in big endian byte order
2547 # such that:
2548 #
2549 # - a 64 bit integer is encoded followed by a single byte of value 1
2550 # - a string is encoded in UTF-8 format followed by a single byte of value 2
2551 "name": "A String", # Name describing the field.
2552 },
2553 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
2554 # This annotation will be applied to the surrogate by prefixing it with
2555 # the name of the custom infoType followed by the number of
2556 # characters comprising the surrogate. The following scheme defines the
2557 # format: info_type_name(surrogate_character_count):surrogate
2558 #
2559 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
2560 # the surrogate is 'abc', the full replacement value
2561 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2562 #
2563 # This annotation identifies the surrogate when inspecting content using the
2564 # custom infoType
2565 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
2566 # This facilitates reversal of the surrogate when it occurs in free text.
2567 #
2568 # In order for inspection to work properly, the name of this infoType must
2569 # not occur naturally anywhere in your data; otherwise, inspection may
2570 # find a surrogate that does not correspond to an actual identifier.
2571 # Therefore, choose your custom infoType name carefully after considering
2572 # what your data looks like. One way to select a name that has a high chance
2573 # of yielding reliable detection is to include one or more unicode characters
2574 # that are highly improbable to exist in your data.
2575 # For example, assuming your data is entered from a regular ASCII keyboard,
2576 # the symbol with the hex code point 29DD might be used like so:
2577 # ⧝MY_TOKEN_TYPE
2578 "name": "A String", # Name of the information type. Either a name of your choosing when
2579 # creating a CustomInfoType, or one of the names listed
2580 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2581 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2582 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2583 },
2584 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2585 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
2586 # replacement values are dynamically provided by the user for custom behavior,
2587 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
2588 # This can be used on
2589 # data of type: number, long, string, timestamp.
2590 # If the bound `Value` type differs from the type of data being transformed, we
2591 # will first attempt converting the type of the data to be transformed to match
2592 # the type of the bound before comparing.
2593 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
2594 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
2595 { # Bucket is represented as a range, along with replacement values.
2596 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
2597 # Note that for the purposes of inspection or transformation, the number
2598 # of bytes considered to comprise a 'Value' is based on its representation
2599 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2600 # 123456789, the number of bytes would be counted as 9, even though an
2601 # int64 only holds up to 8 bytes of data.
2602 "floatValue": 3.14, # float
2603 "timestampValue": "A String", # timestamp
2604 "dayOfWeekValue": "A String", # day of week
2605 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2606 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2607 # types are google.type.Date and `google.protobuf.Timestamp`.
2608 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2609 # to allow the value "24:00:00" for scenarios like business closing time.
2610 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2611 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2612 # allow the value 60 if it allows leap-seconds.
2613 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2614 },
2615 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2616 # and time zone are either specified elsewhere or are not significant. The date
2617 # is relative to the Proleptic Gregorian Calendar. This can represent:
2618 #
2619 # * A full date, with non-zero year, month and day values
2620 # * A month and day value, with a zero year, e.g. an anniversary
2621 # * A year on its own, with zero month and day values
2622 # * A year and month value, with a zero day, e.g. a credit card expiration date
2623 #
2624 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2625 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2626 # month and day.
2627 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2628 # if specifying a year by itself or a year and month where the day is not
2629 # significant.
2630 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2631 # a year.
2632 },
2633 "stringValue": "A String", # string
2634 "booleanValue": True or False, # boolean
2635 "integerValue": "A String", # integer
2636 },
2637 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
2638 # the default behavior will be to hyphenate the min-max range.
2639 # Note that for the purposes of inspection or transformation, the number
2640 # of bytes considered to comprise a 'Value' is based on its representation
2641 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2642 # 123456789, the number of bytes would be counted as 9, even though an
2643 # int64 only holds up to 8 bytes of data.
2644 "floatValue": 3.14, # float
2645 "timestampValue": "A String", # timestamp
2646 "dayOfWeekValue": "A String", # day of week
2647 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2648 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2649 # types are google.type.Date and `google.protobuf.Timestamp`.
2650 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2651 # to allow the value "24:00:00" for scenarios like business closing time.
2652 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2653 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2654 # allow the value 60 if it allows leap-seconds.
2655 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2656 },
2657 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2658 # and time zone are either specified elsewhere or are not significant. The date
2659 # is relative to the Proleptic Gregorian Calendar. This can represent:
2660 #
2661 # * A full date, with non-zero year, month and day values
2662 # * A month and day value, with a zero year, e.g. an anniversary
2663 # * A year on its own, with zero month and day values
2664 # * A year and month value, with a zero day, e.g. a credit card expiration date
2665 #
2666 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2667 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2668 # month and day.
2669 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2670 # if specifying a year by itself or a year and month where the day is not
2671 # significant.
2672 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2673 # a year.
2674 },
2675 "stringValue": "A String", # string
2676 "booleanValue": True or False, # boolean
2677 "integerValue": "A String", # integer
2678 },
2679 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
2680 # used.
2681 # Note that for the purposes of inspection or transformation, the number
2682 # of bytes considered to comprise a 'Value' is based on its representation
2683 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2684 # 123456789, the number of bytes would be counted as 9, even though an
2685 # int64 only holds up to 8 bytes of data.
2686 "floatValue": 3.14, # float
2687 "timestampValue": "A String", # timestamp
2688 "dayOfWeekValue": "A String", # day of week
2689 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
2690 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2691 # types are google.type.Date and `google.protobuf.Timestamp`.
2692 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2693 # to allow the value "24:00:00" for scenarios like business closing time.
2694 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2695 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2696 # allow the value 60 if it allows leap-seconds.
2697 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2698 },
2699 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
2700 # and time zone are either specified elsewhere or are not significant. The date
2701 # is relative to the Proleptic Gregorian Calendar. This can represent:
2702 #
2703 # * A full date, with non-zero year, month and day values
2704 # * A month and day value, with a zero year, e.g. an anniversary
2705 # * A year on its own, with zero month and day values
2706 # * A year and month value, with a zero day, e.g. a credit card expiration date
2707 #
2708 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
2709 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2710 # month and day.
2711 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2712 # if specifying a year by itself or a year and month where the day is not
2713 # significant.
2714 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2715 # a year.
2716 },
2717 "stringValue": "A String", # string
2718 "booleanValue": True or False, # boolean
2719 "integerValue": "A String", # integer
2720 },
2721 },
2722 ],
2723 },
2724 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
2725 # Uses SHA-256.
2726 # The key size must be either 32 or 64 bytes.
2727 # Outputs a base64 encoded representation of the hashed output
2728 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
2729 # Currently, only string and integer values can be hashed.
2730 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
2731 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
2732 # a key encryption key (KEK) stored by KMS).
2733 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2734 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2735 # unwrap the data crypto key.
2736 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2737 # The wrapped key must be a 128/192/256 bit key.
2738 # Authorization requires the following IAM permissions when sending a request
2739 # to perform a crypto transformation using a kms-wrapped crypto key:
2740 # dlp.kms.encrypt
2741 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2742 "wrappedKey": "A String", # Required. The wrapped data crypto key.
2743 },
2744 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
2745 # leaking the key. Choose another type of key if possible.
2746 "key": "A String", # Required. A 128/192/256 bit key.
2747 },
2748 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
2749 # It will be discarded after the request finishes.
2750 "name": "A String", # Required. Name of the key.
2751 # This is an arbitrary string used to differentiate different keys.
2752 # A unique key is generated per name: two separate `TransientCryptoKey`
2753 # protos share the same generated key if their names are the same.
2754 # When the data crypto key is generated, this name is not used in any way
2755 # (repeating the api call will result in a different key being generated).
2756 },
2757 },
2758 },
2759 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2760 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
2761 # Note that for the purposes of inspection or transformation, the number
2762 # of bytes considered to comprise a 'Value' is based on its representation
2763 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2764 # 123456789, the number of bytes would be counted as 9, even though an
2765 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2766 "floatValue": 3.14, # float
2767 "timestampValue": "A String", # timestamp
2768 "dayOfWeekValue": "A String", # day of week
2769 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2770 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2771 # types are google.type.Date and `google.protobuf.Timestamp`.
2772 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2773 # to allow the value "24:00:00" for scenarios like business closing time.
2774 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2775 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2776 # allow the value 60 if it allows leap-seconds.
2777 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2778 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2779 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2780 # and time zone are either specified elsewhere or are not significant. The date
2781 # is relative to the Proleptic Gregorian Calendar. This can represent:
2782 #
2783 # * A full date, with non-zero year, month and day values
2784 # * A month and day value, with a zero year, e.g. an anniversary
2785 # * A year on its own, with zero month and day values
2786 # * A year and month value, with a zero day, e.g. a credit card expiration date
2787 #
2788 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2789 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2790 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2791 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2792 # if specifying a year by itself or a year and month where the day is not
2793 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2794 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2795 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2796 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2797 "stringValue": "A String", # string
2798 "booleanValue": True or False, # boolean
2799 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2800 },
2801 },
2802 },
2803 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
2804 # this transformation to apply to all findings that correspond to
2805 # infoTypes that were requested in `InspectConfig`.
2806 { # Type of information detected by the API.
2807 "name": "A String", # Name of the information type. Either a name of your choosing when
2808 # creating a CustomInfoType, or one of the names listed
2809 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2810 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2811 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2812 },
2813 ],
2814 },
2815 ],
2816 },
2817 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
2818 # specific locations within structured datasets, such as transforming
2819 # a column within a table.
2820 # table.
2821 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2822 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2823 { # Configuration to suppress records whose suppression conditions evaluate to
2824 # true.
2825 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
2826 # evaluated to be suppressed from the transformed content.
2827 # a field.
2828 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2829 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
2830 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2831 { # The field type of `value` and `field` do not need to match to be
2832 # considered equal, but not all comparisons are possible.
2833 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
2834 # but all other comparisons are invalid with incompatible types.
2835 # A `value` of type:
2836 #
2837 # - `string` can be compared against all other types
2838 # - `boolean` can only be compared against other booleans
2839 # - `integer` can be compared against doubles or a string if the string value
2840 # can be parsed as an integer.
2841 # - `double` can be compared against integers or a string if the string can
2842 # be parsed as a double.
2843 # - `Timestamp` can be compared against strings in RFC 3339 date string
2844 # format.
2845 # - `TimeOfDay` can be compared against timestamps and strings in the format
2846 # of 'HH:mm:ss'.
2847 #
2848 # If we fail to compare do to type mismatch, a warning will be given and
2849 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2850 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
2851 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2852 "name": "A String", # Name describing the field.
2853 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2854 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2855 # Note that for the purposes of inspection or transformation, the number
2856 # of bytes considered to comprise a 'Value' is based on its representation
2857 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
2858 # 123456789, the number of bytes would be counted as 9, even though an
2859 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2860 "floatValue": 3.14, # float
2861 "timestampValue": "A String", # timestamp
2862 "dayOfWeekValue": "A String", # day of week
2863 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2864 # or are specified elsewhere. An API may choose to allow leap seconds. Related
2865 # types are google.type.Date and `google.protobuf.Timestamp`.
2866 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
2867 # to allow the value "24:00:00" for scenarios like business closing time.
2868 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
2869 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
2870 # allow the value 60 if it allows leap-seconds.
2871 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
2872 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2873 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2874 # and time zone are either specified elsewhere or are not significant. The date
2875 # is relative to the Proleptic Gregorian Calendar. This can represent:
2876 #
2877 # * A full date, with non-zero year, month and day values
2878 # * A month and day value, with a zero year, e.g. an anniversary
2879 # * A year on its own, with zero month and day values
2880 # * A year and month value, with a zero day, e.g. a credit card expiration date
2881 #
2882 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2883 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
2884 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2885 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
2886 # if specifying a year by itself or a year and month where the day is not
2887 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2888 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
2889 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2890 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2891 "stringValue": "A String", # string
2892 "booleanValue": True or False, # boolean
2893 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]2894 },
2895 },
2896 ],
2897 },
2898 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
2899 # only supported value is `AND`.
2900 },
2901 },
2902 },
2903 ],
2904 "fieldTransformations": [ # Transform the record by applying various field transformations.
2905 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]2906 "fields": [ # Required. Input field(s) to apply the transformation to.
2907 { # General identifier of a data field in a storage service.
2908 "name": "A String", # Name describing the field.
2909 },
2910 ],
2911 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
2912 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
2913 # input. Outputs a base64 encoded representation of the encrypted output.
2914 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
2915 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
2916 # a key encryption key (KEK) stored by KMS).
2917 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
2918 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
2919 # unwrap the data crypto key.
2920 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
2921 # The wrapped key must be a 128/192/256 bit key.
2922 # Authorization requires the following IAM permissions when sending a request
2923 # to perform a crypto transformation using a kms-wrapped crypto key:
2924 # dlp.kms.encrypt
2925 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
2926 "wrappedKey": "A String", # Required. The wrapped data crypto key.
2927 },
2928 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
2929 # leaking the key. Choose another type of key if possible.
2930 "key": "A String", # Required. A 128/192/256 bit key.
2931 },
2932 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
2933 # It will be discarded after the request finishes.
2934 "name": "A String", # Required. Name of the key.
2935 # This is an arbitrary string used to differentiate different keys.
2936 # A unique key is generated per name: two separate `TransientCryptoKey`
2937 # protos share the same generated key if their names are the same.
2938 # When the data crypto key is generated, this name is not used in any way
2939 # (repeating the api call will result in a different key being generated).
2940 },
2941 },
2942 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
2943 # referential integrity such that the same identifier in two different
2944 # contexts will be given a distinct surrogate. The context is appended to
2945 # plaintext value being encrypted. On decryption the provided context is
2946 # validated against the value used during encryption. If a context was
2947 # provided during encryption, same context must be provided during decryption
2948 # as well.
2949 #
2950 # If the context is not set, plaintext would be used as is for encryption.
2951 # If the context is set but:
2952 #
2953 # 1. there is no record present when transforming a given value or
2954 # 2. the field is not present when transforming a given value,
2955 #
2956 # plaintext would be used as is for encryption.
2957 #
2958 # Note that case (1) is expected when an `InfoTypeTransformation` is
2959 # applied to both structured and non-structured `ContentItem`s.
2960 "name": "A String", # Name describing the field.
2961 },
2962 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
2963 # This annotation will be applied to the surrogate by prefixing it with
2964 # the name of the custom info type followed by the number of
2965 # characters comprising the surrogate. The following scheme defines the
2966 # format: {info type name}({surrogate character count}):{surrogate}
2967 #
2968 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
2969 # the surrogate is 'abc', the full replacement value
2970 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
2971 #
2972 # This annotation identifies the surrogate when inspecting content using the
2973 # custom info type 'Surrogate'. This facilitates reversal of the
2974 # surrogate when it occurs in free text.
2975 #
2976 # Note: For record transformations where the entire cell in a table is being
2977 # transformed, surrogates are not mandatory. Surrogates are used to denote
2978 # the location of the token and are necessary for re-identification in free
2979 # form text.
2980 #
2981 # In order for inspection to work properly, the name of this info type must
2982 # not occur naturally anywhere in your data; otherwise, inspection may either
2983 #
2984 # - reverse a surrogate that does not correspond to an actual identifier
2985 # - be unable to parse the surrogate and result in an error
2986 #
2987 # Therefore, choose your custom info type name carefully after considering
2988 # what your data looks like. One way to select a name that has a high chance
2989 # of yielding reliable detection is to include one or more unicode characters
2990 # that are highly improbable to exist in your data.
2991 # For example, assuming your data is entered from a regular ASCII keyboard,
2992 # the symbol with the hex code point 29DD might be used like so:
2993 # ⧝MY_TOKEN_TYPE.
2994 "name": "A String", # Name of the information type. Either a name of your choosing when
2995 # creating a CustomInfoType, or one of the names listed
2996 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
2997 # a built-in type. InfoType names should conform to the pattern
2998 # `[a-zA-Z0-9_]{1,64}`.
2999 },
3000 },
3001 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
3002 # fixed character. Masking can start from the beginning or end of the string.
3003 # This can be used on data of any type (numbers, longs, and so on) and when
3004 # de-identifying structured data we'll attempt to preserve the original data's
3005 # type. (This allows you to take a long like 123 and modify it to a string like
3006 # **3.
3007 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
3008 # characters. For example, if the input string is `555-555-5555` and you
3009 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
3010 # returns `***-**5-5555`.
3011 { # Characters to skip when doing deidentification of a value. These will be left
3012 # alone and skipped.
3013 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
3014 # punctuation.
3015 "charactersToSkip": "A String", # Characters to not transform when masking.
3016 },
3017 ],
3018 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
3019 # masked. Skipped characters do not count towards this tally.
3020 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
3021 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
3022 # code or credit card number. This string must have a length of 1. If not
3023 # supplied, this value defaults to `*` for strings, and `0` for digits.
3024 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
3025 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
3026 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
3027 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
3028 # is `true`, then the string `12345` is masked as `12***`.
3029 },
3030 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
3031 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
3032 # output would be 'My phone number is '.
3033 },
3034 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
3035 },
3036 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
3037 # Bucketing transformation can provide all of this functionality,
3038 # but requires more configuration. This message is provided as a convenience to
3039 # the user for simple bucketing strategies.
3040 #
3041 # The transformed value will be a hyphenated string of
3042 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
3043 # all values that are within this bucket will be replaced with "10-20".
3044 #
3045 # This can be used on data of type: double, long.
3046 #
3047 # If the bound Value type differs from the type of data
3048 # being transformed, we will first attempt converting the type of the data to
3049 # be transformed to match the type of the bound before comparing.
3050 #
3051 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3052 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
3053 # grouped together into a single bucket; for example if `lower_bound` = 10,
3054 # then all values less than 10 are replaced with the value “-10”.
3055 # Note that for the purposes of inspection or transformation, the number
3056 # of bytes considered to comprise a 'Value' is based on its representation
3057 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3058 # 123456789, the number of bytes would be counted as 9, even though an
3059 # int64 only holds up to 8 bytes of data.
3060 "floatValue": 3.14, # float
3061 "timestampValue": "A String", # timestamp
3062 "dayOfWeekValue": "A String", # day of week
3063 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3064 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3065 # types are google.type.Date and `google.protobuf.Timestamp`.
3066 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3067 # to allow the value "24:00:00" for scenarios like business closing time.
3068 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3069 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3070 # allow the value 60 if it allows leap-seconds.
3071 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3072 },
3073 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3074 # and time zone are either specified elsewhere or are not significant. The date
3075 # is relative to the Proleptic Gregorian Calendar. This can represent:
3076 #
3077 # * A full date, with non-zero year, month and day values
3078 # * A month and day value, with a zero year, e.g. an anniversary
3079 # * A year on its own, with zero month and day values
3080 # * A year and month value, with a zero day, e.g. a credit card expiration date
3081 #
3082 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3083 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3084 # month and day.
3085 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3086 # if specifying a year by itself or a year and month where the day is not
3087 # significant.
3088 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3089 # a year.
3090 },
3091 "stringValue": "A String", # string
3092 "booleanValue": True or False, # boolean
3093 "integerValue": "A String", # integer
3094 },
3095 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
3096 # grouped together into a single bucket; for example if `upper_bound` = 89,
3097 # then all values greater than 89 are replaced with the value “89+”.
3098 # Note that for the purposes of inspection or transformation, the number
3099 # of bytes considered to comprise a 'Value' is based on its representation
3100 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3101 # 123456789, the number of bytes would be counted as 9, even though an
3102 # int64 only holds up to 8 bytes of data.
3103 "floatValue": 3.14, # float
3104 "timestampValue": "A String", # timestamp
3105 "dayOfWeekValue": "A String", # day of week
3106 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3107 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3108 # types are google.type.Date and `google.protobuf.Timestamp`.
3109 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3110 # to allow the value "24:00:00" for scenarios like business closing time.
3111 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3112 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3113 # allow the value 60 if it allows leap-seconds.
3114 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3115 },
3116 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3117 # and time zone are either specified elsewhere or are not significant. The date
3118 # is relative to the Proleptic Gregorian Calendar. This can represent:
3119 #
3120 # * A full date, with non-zero year, month and day values
3121 # * A month and day value, with a zero year, e.g. an anniversary
3122 # * A year on its own, with zero month and day values
3123 # * A year and month value, with a zero day, e.g. a credit card expiration date
3124 #
3125 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3126 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3127 # month and day.
3128 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3129 # if specifying a year by itself or a year and month where the day is not
3130 # significant.
3131 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3132 # a year.
3133 },
3134 "stringValue": "A String", # string
3135 "booleanValue": True or False, # boolean
3136 "integerValue": "A String", # integer
3137 },
3138 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
3139 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
3140 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
3141 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
3142 },
3143 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
3144 # portion of the value.
3145 "partToExtract": "A String", # The part of the time to keep.
3146 },
3147 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
3148 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
3149 # to learn more.
3150 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
3151 # results in the same shift for the same context and crypto_key. If
3152 # set, must also set context. Can only be applied to table items.
3153 # a key encryption key (KEK) stored by KMS).
3154 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3155 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3156 # unwrap the data crypto key.
3157 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3158 # The wrapped key must be a 128/192/256 bit key.
3159 # Authorization requires the following IAM permissions when sending a request
3160 # to perform a crypto transformation using a kms-wrapped crypto key:
3161 # dlp.kms.encrypt
3162 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3163 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3164 },
3165 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3166 # leaking the key. Choose another type of key if possible.
3167 "key": "A String", # Required. A 128/192/256 bit key.
3168 },
3169 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3170 # It will be discarded after the request finishes.
3171 "name": "A String", # Required. Name of the key.
3172 # This is an arbitrary string used to differentiate different keys.
3173 # A unique key is generated per name: two separate `TransientCryptoKey`
3174 # protos share the same generated key if their names are the same.
3175 # When the data crypto key is generated, this name is not used in any way
3176 # (repeating the api call will result in a different key being generated).
3177 },
3178 },
3179 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3180 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
3181 # range (inclusive ends). Negative means shift to earlier in time. Must not
3182 # be more than 365250 days (1000 years) each direction.
3183 #
3184 # For example, 3 means shift date to at most 3 days into the future.
3185 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
3186 # If set, must also set cryptoKey. If set, shift will be consistent for the
3187 # given context.
3188 "name": "A String", # Name describing the field.
3189 },
3190 },
3191 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
3192 # (FPE) with the FFX mode of operation; however when used in the
3193 # `ReidentifyContent` API method, it serves the opposite function by reversing
3194 # the surrogate back into the original identifier. The identifier must be
3195 # encoded as ASCII. For a given crypto key and context, the same identifier
3196 # will be replaced with the same surrogate. Identifiers must be at least two
3197 # characters long. In the case that the identifier is the empty string, it will
3198 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3199 # more.
3200 #
3201 # Note: We recommend using CryptoDeterministicConfig for all use cases which
3202 # do not require preserving the input alphabet space and size, plus warrant
3203 # referential integrity.
3204 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
3205 # a key encryption key (KEK) stored by KMS).
3206 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3207 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3208 # unwrap the data crypto key.
3209 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3210 # The wrapped key must be a 128/192/256 bit key.
3211 # Authorization requires the following IAM permissions when sending a request
3212 # to perform a crypto transformation using a kms-wrapped crypto key:
3213 # dlp.kms.encrypt
3214 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3215 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3216 },
3217 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3218 # leaking the key. Choose another type of key if possible.
3219 "key": "A String", # Required. A 128/192/256 bit key.
3220 },
3221 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3222 # It will be discarded after the request finishes.
3223 "name": "A String", # Required. Name of the key.
3224 # This is an arbitrary string used to differentiate different keys.
3225 # A unique key is generated per name: two separate `TransientCryptoKey`
3226 # protos share the same generated key if their names are the same.
3227 # When the data crypto key is generated, this name is not used in any way
3228 # (repeating the api call will result in a different key being generated).
3229 },
3230 },
3231 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
3232 "commonAlphabet": "A String", # Common alphabets.
3233 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
3234 # that the FFX mode natively supports. This happens before/after
3235 # encryption/decryption.
3236 # Each character listed must appear only once.
3237 # Number of characters must be in the range [2, 95].
3238 # This must be encoded as ASCII.
3239 # The order of characters does not matter.
3240 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
3241 # identifier in two different contexts won't be given the same surrogate. If
3242 # the context is not set, a default tweak will be used.
3243 #
3244 # If the context is set but:
3245 #
3246 # 1. there is no record present when transforming a given value or
3247 # 1. the field is not present when transforming a given value,
3248 #
3249 # a default tweak will be used.
3250 #
3251 # Note that case (1) is expected when an `InfoTypeTransformation` is
3252 # applied to both structured and non-structured `ContentItem`s.
3253 # Currently, the referenced field may be of value type integer or string.
3254 #
3255 # The tweak is constructed as a sequence of bytes in big endian byte order
3256 # such that:
3257 #
3258 # - a 64 bit integer is encoded followed by a single byte of value 1
3259 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3260 "name": "A String", # Name describing the field.
3261 },
3262 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3263 # This annotation will be applied to the surrogate by prefixing it with
3264 # the name of the custom infoType followed by the number of
3265 # characters comprising the surrogate. The following scheme defines the
3266 # format: info_type_name(surrogate_character_count):surrogate
3267 #
3268 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
3269 # the surrogate is 'abc', the full replacement value
3270 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3271 #
3272 # This annotation identifies the surrogate when inspecting content using the
3273 # custom infoType
3274 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3275 # This facilitates reversal of the surrogate when it occurs in free text.
3276 #
3277 # In order for inspection to work properly, the name of this infoType must
3278 # not occur naturally anywhere in your data; otherwise, inspection may
3279 # find a surrogate that does not correspond to an actual identifier.
3280 # Therefore, choose your custom infoType name carefully after considering
3281 # what your data looks like. One way to select a name that has a high chance
3282 # of yielding reliable detection is to include one or more unicode characters
3283 # that are highly improbable to exist in your data.
3284 # For example, assuming your data is entered from a regular ASCII keyboard,
3285 # the symbol with the hex code point 29DD might be used like so:
3286 # ⧝MY_TOKEN_TYPE
3287 "name": "A String", # Name of the information type. Either a name of your choosing when
3288 # creating a CustomInfoType, or one of the names listed
3289 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3290 # a built-in type. InfoType names should conform to the pattern
3291 # `[a-zA-Z0-9_]{1,64}`.
3292 },
3293 },
3294 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
3295 # replacement values are dynamically provided by the user for custom behavior,
3296 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
3297 # This can be used on
3298 # data of type: number, long, string, timestamp.
3299 # If the bound `Value` type differs from the type of data being transformed, we
3300 # will first attempt converting the type of the data to be transformed to match
3301 # the type of the bound before comparing.
3302 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3303 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
3304 { # Bucket is represented as a range, along with replacement values.
3305 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
3306 # Note that for the purposes of inspection or transformation, the number
3307 # of bytes considered to comprise a 'Value' is based on its representation
3308 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3309 # 123456789, the number of bytes would be counted as 9, even though an
3310 # int64 only holds up to 8 bytes of data.
3311 "floatValue": 3.14, # float
3312 "timestampValue": "A String", # timestamp
3313 "dayOfWeekValue": "A String", # day of week
3314 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3315 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3316 # types are google.type.Date and `google.protobuf.Timestamp`.
3317 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3318 # to allow the value "24:00:00" for scenarios like business closing time.
3319 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3320 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3321 # allow the value 60 if it allows leap-seconds.
3322 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3323 },
3324 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3325 # and time zone are either specified elsewhere or are not significant. The date
3326 # is relative to the Proleptic Gregorian Calendar. This can represent:
3327 #
3328 # * A full date, with non-zero year, month and day values
3329 # * A month and day value, with a zero year, e.g. an anniversary
3330 # * A year on its own, with zero month and day values
3331 # * A year and month value, with a zero day, e.g. a credit card expiration date
3332 #
3333 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3334 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3335 # month and day.
3336 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3337 # if specifying a year by itself or a year and month where the day is not
3338 # significant.
3339 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3340 # a year.
3341 },
3342 "stringValue": "A String", # string
3343 "booleanValue": True or False, # boolean
3344 "integerValue": "A String", # integer
3345 },
3346 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
3347 # the default behavior will be to hyphenate the min-max range.
3348 # Note that for the purposes of inspection or transformation, the number
3349 # of bytes considered to comprise a 'Value' is based on its representation
3350 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3351 # 123456789, the number of bytes would be counted as 9, even though an
3352 # int64 only holds up to 8 bytes of data.
3353 "floatValue": 3.14, # float
3354 "timestampValue": "A String", # timestamp
3355 "dayOfWeekValue": "A String", # day of week
3356 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3357 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3358 # types are google.type.Date and `google.protobuf.Timestamp`.
3359 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3360 # to allow the value "24:00:00" for scenarios like business closing time.
3361 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3362 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3363 # allow the value 60 if it allows leap-seconds.
3364 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3365 },
3366 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3367 # and time zone are either specified elsewhere or are not significant. The date
3368 # is relative to the Proleptic Gregorian Calendar. This can represent:
3369 #
3370 # * A full date, with non-zero year, month and day values
3371 # * A month and day value, with a zero year, e.g. an anniversary
3372 # * A year on its own, with zero month and day values
3373 # * A year and month value, with a zero day, e.g. a credit card expiration date
3374 #
3375 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3376 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3377 # month and day.
3378 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3379 # if specifying a year by itself or a year and month where the day is not
3380 # significant.
3381 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3382 # a year.
3383 },
3384 "stringValue": "A String", # string
3385 "booleanValue": True or False, # boolean
3386 "integerValue": "A String", # integer
3387 },
3388 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
3389 # used.
3390 # Note that for the purposes of inspection or transformation, the number
3391 # of bytes considered to comprise a 'Value' is based on its representation
3392 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3393 # 123456789, the number of bytes would be counted as 9, even though an
3394 # int64 only holds up to 8 bytes of data.
3395 "floatValue": 3.14, # float
3396 "timestampValue": "A String", # timestamp
3397 "dayOfWeekValue": "A String", # day of week
3398 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3399 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3400 # types are google.type.Date and `google.protobuf.Timestamp`.
3401 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3402 # to allow the value "24:00:00" for scenarios like business closing time.
3403 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3404 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3405 # allow the value 60 if it allows leap-seconds.
3406 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3407 },
3408 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3409 # and time zone are either specified elsewhere or are not significant. The date
3410 # is relative to the Proleptic Gregorian Calendar. This can represent:
3411 #
3412 # * A full date, with non-zero year, month and day values
3413 # * A month and day value, with a zero year, e.g. an anniversary
3414 # * A year on its own, with zero month and day values
3415 # * A year and month value, with a zero day, e.g. a credit card expiration date
3416 #
3417 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3418 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3419 # month and day.
3420 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3421 # if specifying a year by itself or a year and month where the day is not
3422 # significant.
3423 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3424 # a year.
3425 },
3426 "stringValue": "A String", # string
3427 "booleanValue": True or False, # boolean
3428 "integerValue": "A String", # integer
3429 },
3430 },
3431 ],
3432 },
3433 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
3434 # Uses SHA-256.
3435 # The key size must be either 32 or 64 bytes.
3436 # Outputs a base64 encoded representation of the hashed output
3437 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
3438 # Currently, only string and integer values can be hashed.
3439 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
3440 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
3441 # a key encryption key (KEK) stored by KMS).
3442 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3443 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3444 # unwrap the data crypto key.
3445 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
3446 # The wrapped key must be a 128/192/256 bit key.
3447 # Authorization requires the following IAM permissions when sending a request
3448 # to perform a crypto transformation using a kms-wrapped crypto key:
3449 # dlp.kms.encrypt
3450 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3451 "wrappedKey": "A String", # Required. The wrapped data crypto key.
3452 },
3453 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
3454 # leaking the key. Choose another type of key if possible.
3455 "key": "A String", # Required. A 128/192/256 bit key.
3456 },
3457 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
3458 # It will be discarded after the request finishes.
3459 "name": "A String", # Required. Name of the key.
3460 # This is an arbitrary string used to differentiate different keys.
3461 # A unique key is generated per name: two separate `TransientCryptoKey`
3462 # protos share the same generated key if their names are the same.
3463 # When the data crypto key is generated, this name is not used in any way
3464 # (repeating the api call will result in a different key being generated).
3465 },
3466 },
3467 },
3468 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
3469 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
3470 # Note that for the purposes of inspection or transformation, the number
3471 # of bytes considered to comprise a 'Value' is based on its representation
3472 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3473 # 123456789, the number of bytes would be counted as 9, even though an
3474 # int64 only holds up to 8 bytes of data.
3475 "floatValue": 3.14, # float
3476 "timestampValue": "A String", # timestamp
3477 "dayOfWeekValue": "A String", # day of week
3478 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3479 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3480 # types are google.type.Date and `google.protobuf.Timestamp`.
3481 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3482 # to allow the value "24:00:00" for scenarios like business closing time.
3483 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3484 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3485 # allow the value 60 if it allows leap-seconds.
3486 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3487 },
3488 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3489 # and time zone are either specified elsewhere or are not significant. The date
3490 # is relative to the Proleptic Gregorian Calendar. This can represent:
3491 #
3492 # * A full date, with non-zero year, month and day values
3493 # * A month and day value, with a zero year, e.g. an anniversary
3494 # * A year on its own, with zero month and day values
3495 # * A year and month value, with a zero day, e.g. a credit card expiration date
3496 #
3497 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3498 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3499 # month and day.
3500 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3501 # if specifying a year by itself or a year and month where the day is not
3502 # significant.
3503 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3504 # a year.
3505 },
3506 "stringValue": "A String", # string
3507 "booleanValue": True or False, # boolean
3508 "integerValue": "A String", # integer
3509 },
3510 },
3511 },
3512 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
3513 # given `RecordCondition`. The conditions are allowed to reference fields
3514 # that are not used in the actual transformation.
3515 #
3516 # Example Use Cases:
3517 #
3518 # - Apply a different bucket transformation to an age column if the zip code
3519 # column for the same record is within a specific range.
3520 # - Redact a field if the date of birth field is greater than 85.
3521 # a field.
3522 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
3523 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
3524 "conditions": [ # A collection of conditions.
3525 { # The field type of `value` and `field` do not need to match to be
3526 # considered equal, but not all comparisons are possible.
3527 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
3528 # but all other comparisons are invalid with incompatible types.
3529 # A `value` of type:
3530 #
3531 # - `string` can be compared against all other types
3532 # - `boolean` can only be compared against other booleans
3533 # - `integer` can be compared against doubles or a string if the string value
3534 # can be parsed as an integer.
3535 # - `double` can be compared against integers or a string if the string can
3536 # be parsed as a double.
3537 # - `Timestamp` can be compared against strings in RFC 3339 date string
3538 # format.
3539 # - `TimeOfDay` can be compared against timestamps and strings in the format
3540 # of 'HH:mm:ss'.
3541 #
3542 # If we fail to compare do to type mismatch, a warning will be given and
3543 # the condition will evaluate to false.
3544 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
3545 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
3546 "name": "A String", # Name describing the field.
3547 },
3548 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
3549 # Note that for the purposes of inspection or transformation, the number
3550 # of bytes considered to comprise a 'Value' is based on its representation
3551 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3552 # 123456789, the number of bytes would be counted as 9, even though an
3553 # int64 only holds up to 8 bytes of data.
3554 "floatValue": 3.14, # float
3555 "timestampValue": "A String", # timestamp
3556 "dayOfWeekValue": "A String", # day of week
3557 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
3558 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3559 # types are google.type.Date and `google.protobuf.Timestamp`.
3560 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3561 # to allow the value "24:00:00" for scenarios like business closing time.
3562 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3563 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3564 # allow the value 60 if it allows leap-seconds.
3565 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3566 },
3567 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
3568 # and time zone are either specified elsewhere or are not significant. The date
3569 # is relative to the Proleptic Gregorian Calendar. This can represent:
3570 #
3571 # * A full date, with non-zero year, month and day values
3572 # * A month and day value, with a zero year, e.g. an anniversary
3573 # * A year on its own, with zero month and day values
3574 # * A year and month value, with a zero day, e.g. a credit card expiration date
3575 #
3576 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
3577 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3578 # month and day.
3579 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3580 # if specifying a year by itself or a year and month where the day is not
3581 # significant.
3582 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3583 # a year.
3584 },
3585 "stringValue": "A String", # string
3586 "booleanValue": True or False, # boolean
3587 "integerValue": "A String", # integer
3588 },
3589 },
3590 ],
3591 },
3592 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
3593 # only supported value is `AND`.
3594 },
3595 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3596 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
3597 # transform content that matches an `InfoType`.
3598 # apply various `PrimitiveTransformation`s to each finding, where the
3599 # transformation is applied to only values that were identified as a specific
3600 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3601 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
3602 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3603 { # A transformation to apply to text that is identified as a specific
3604 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3605 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
3606 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3607 # input. Outputs a base64 encoded representation of the encrypted output.
3608 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
3609 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
3610 # a key encryption key (KEK) stored by KMS).
3611 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3612 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3613 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3614 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3615 # The wrapped key must be a 128/192/256 bit key.
3616 # Authorization requires the following IAM permissions when sending a request
3617 # to perform a crypto transformation using a kms-wrapped crypto key:
3618 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3619 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3620 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3621 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3622 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3623 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3624 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3625 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3626 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3627 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3628 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3629 # This is an arbitrary string used to differentiate different keys.
3630 # A unique key is generated per name: two separate `TransientCryptoKey`
3631 # protos share the same generated key if their names are the same.
3632 # When the data crypto key is generated, this name is not used in any way
3633 # (repeating the api call will result in a different key being generated).
3634 },
3635 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3636 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3637 # referential integrity such that the same identifier in two different
3638 # contexts will be given a distinct surrogate. The context is appended to
3639 # plaintext value being encrypted. On decryption the provided context is
3640 # validated against the value used during encryption. If a context was
3641 # provided during encryption, same context must be provided during decryption
3642 # as well.
3643 #
3644 # If the context is not set, plaintext would be used as is for encryption.
3645 # If the context is set but:
3646 #
3647 # 1. there is no record present when transforming a given value or
3648 # 2. the field is not present when transforming a given value,
3649 #
3650 # plaintext would be used as is for encryption.
3651 #
3652 # Note that case (1) is expected when an `InfoTypeTransformation` is
3653 # applied to both structured and non-structured `ContentItem`s.
3654 "name": "A String", # Name describing the field.
3655 },
3656 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
3657 # This annotation will be applied to the surrogate by prefixing it with
3658 # the name of the custom info type followed by the number of
3659 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3660 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3661 #
3662 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
3663 # the surrogate is 'abc', the full replacement value
3664 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3665 #
3666 # This annotation identifies the surrogate when inspecting content using the
3667 # custom info type 'Surrogate'. This facilitates reversal of the
3668 # surrogate when it occurs in free text.
3669 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3670 # Note: For record transformations where the entire cell in a table is being
3671 # transformed, surrogates are not mandatory. Surrogates are used to denote
3672 # the location of the token and are necessary for re-identification in free
3673 # form text.
3674 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3675 # In order for inspection to work properly, the name of this info type must
3676 # not occur naturally anywhere in your data; otherwise, inspection may either
3677 #
3678 # - reverse a surrogate that does not correspond to an actual identifier
3679 # - be unable to parse the surrogate and result in an error
3680 #
3681 # Therefore, choose your custom info type name carefully after considering
3682 # what your data looks like. One way to select a name that has a high chance
3683 # of yielding reliable detection is to include one or more unicode characters
3684 # that are highly improbable to exist in your data.
3685 # For example, assuming your data is entered from a regular ASCII keyboard,
3686 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3687 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3688 "name": "A String", # Name of the information type. Either a name of your choosing when
3689 # creating a CustomInfoType, or one of the names listed
3690 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3691 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3692 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3693 },
3694 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3695 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
3696 # fixed character. Masking can start from the beginning or end of the string.
3697 # This can be used on data of any type (numbers, longs, and so on) and when
3698 # de-identifying structured data we'll attempt to preserve the original data's
3699 # type. (This allows you to take a long like 123 and modify it to a string like
3700 # **3.
3701 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
3702 # characters. For example, if the input string is `555-555-5555` and you
3703 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
3704 # returns `***-**5-5555`.
3705 { # Characters to skip when doing deidentification of a value. These will be left
3706 # alone and skipped.
3707 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
3708 # punctuation.
3709 "charactersToSkip": "A String", # Characters to not transform when masking.
3710 },
3711 ],
3712 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
3713 # masked. Skipped characters do not count towards this tally.
3714 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
3715 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
3716 # code or credit card number. This string must have a length of 1. If not
3717 # supplied, this value defaults to `*` for strings, and `0` for digits.
3718 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
3719 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
3720 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
3721 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
3722 # is `true`, then the string `12345` is masked as `12***`.
3723 },
3724 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
3725 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
3726 # output would be 'My phone number is '.
3727 },
3728 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
3729 },
3730 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3731 # Bucketing transformation can provide all of this functionality,
3732 # but requires more configuration. This message is provided as a convenience to
3733 # the user for simple bucketing strategies.
3734 #
3735 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3736 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3737 # all values that are within this bucket will be replaced with "10-20".
3738 #
3739 # This can be used on data of type: double, long.
3740 #
3741 # If the bound Value type differs from the type of data
3742 # being transformed, we will first attempt converting the type of the data to
3743 # be transformed to match the type of the bound before comparing.
3744 #
3745 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3746 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3747 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3748 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3749 # Note that for the purposes of inspection or transformation, the number
3750 # of bytes considered to comprise a 'Value' is based on its representation
3751 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3752 # 123456789, the number of bytes would be counted as 9, even though an
3753 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3754 "floatValue": 3.14, # float
3755 "timestampValue": "A String", # timestamp
3756 "dayOfWeekValue": "A String", # day of week
3757 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3758 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3759 # types are google.type.Date and `google.protobuf.Timestamp`.
3760 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3761 # to allow the value "24:00:00" for scenarios like business closing time.
3762 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3763 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3764 # allow the value 60 if it allows leap-seconds.
3765 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3766 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3767 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3768 # and time zone are either specified elsewhere or are not significant. The date
3769 # is relative to the Proleptic Gregorian Calendar. This can represent:
3770 #
3771 # * A full date, with non-zero year, month and day values
3772 # * A month and day value, with a zero year, e.g. an anniversary
3773 # * A year on its own, with zero month and day values
3774 # * A year and month value, with a zero day, e.g. a credit card expiration date
3775 #
3776 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3777 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3778 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3779 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3780 # if specifying a year by itself or a year and month where the day is not
3781 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3782 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3783 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3784 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3785 "stringValue": "A String", # string
3786 "booleanValue": True or False, # boolean
3787 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3788 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3789 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3790 # grouped together into a single bucket; for example if `upper_bound` = 89,
3791 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3792 # Note that for the purposes of inspection or transformation, the number
3793 # of bytes considered to comprise a 'Value' is based on its representation
3794 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
3795 # 123456789, the number of bytes would be counted as 9, even though an
3796 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3797 "floatValue": 3.14, # float
3798 "timestampValue": "A String", # timestamp
3799 "dayOfWeekValue": "A String", # day of week
3800 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3801 # or are specified elsewhere. An API may choose to allow leap seconds. Related
3802 # types are google.type.Date and `google.protobuf.Timestamp`.
3803 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
3804 # to allow the value "24:00:00" for scenarios like business closing time.
3805 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
3806 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
3807 # allow the value 60 if it allows leap-seconds.
3808 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
3809 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3810 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3811 # and time zone are either specified elsewhere or are not significant. The date
3812 # is relative to the Proleptic Gregorian Calendar. This can represent:
3813 #
3814 # * A full date, with non-zero year, month and day values
3815 # * A month and day value, with a zero year, e.g. an anniversary
3816 # * A year on its own, with zero month and day values
3817 # * A year and month value, with a zero day, e.g. a credit card expiration date
3818 #
3819 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3820 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
3821 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3822 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
3823 # if specifying a year by itself or a year and month where the day is not
3824 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3825 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
3826 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3827 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3828 "stringValue": "A String", # string
3829 "booleanValue": True or False, # boolean
3830 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3831 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3832 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3833 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
3834 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3835 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3836 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3837 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3838 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3839 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3840 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3841 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3842 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
3843 # to learn more.
3844 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3845 # results in the same shift for the same context and crypto_key. If
3846 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3847 # a key encryption key (KEK) stored by KMS).
3848 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3849 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3850 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3851 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3852 # The wrapped key must be a 128/192/256 bit key.
3853 # Authorization requires the following IAM permissions when sending a request
3854 # to perform a crypto transformation using a kms-wrapped crypto key:
3855 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3856 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3857 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3858 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3859 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3860 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3861 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3862 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3863 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3864 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3865 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3866 # This is an arbitrary string used to differentiate different keys.
3867 # A unique key is generated per name: two separate `TransientCryptoKey`
3868 # protos share the same generated key if their names are the same.
3869 # When the data crypto key is generated, this name is not used in any way
3870 # (repeating the api call will result in a different key being generated).
3871 },
3872 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3873 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
3874 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3875 # range (inclusive ends). Negative means shift to earlier in time. Must not
3876 # be more than 365250 days (1000 years) each direction.
3877 #
3878 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3879 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3880 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3881 # given context.
3882 "name": "A String", # Name describing the field.
3883 },
3884 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3885 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3886 # (FPE) with the FFX mode of operation; however when used in the
3887 # `ReidentifyContent` API method, it serves the opposite function by reversing
3888 # the surrogate back into the original identifier. The identifier must be
3889 # encoded as ASCII. For a given crypto key and context, the same identifier
3890 # will be replaced with the same surrogate. Identifiers must be at least two
3891 # characters long. In the case that the identifier is the empty string, it will
3892 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
3893 # more.
3894 #
3895 # Note: We recommend using CryptoDeterministicConfig for all use cases which
3896 # do not require preserving the input alphabet space and size, plus warrant
3897 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3898 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3899 # a key encryption key (KEK) stored by KMS).
3900 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
3901 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
3902 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3903 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3904 # The wrapped key must be a 128/192/256 bit key.
3905 # Authorization requires the following IAM permissions when sending a request
3906 # to perform a crypto transformation using a kms-wrapped crypto key:
3907 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3908 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
3909 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3910 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3911 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3912 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3913 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3914 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3915 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3916 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3917 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3918 # This is an arbitrary string used to differentiate different keys.
3919 # A unique key is generated per name: two separate `TransientCryptoKey`
3920 # protos share the same generated key if their names are the same.
3921 # When the data crypto key is generated, this name is not used in any way
3922 # (repeating the api call will result in a different key being generated).
3923 },
3924 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3925 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
3926 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3927 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
3928 # that the FFX mode natively supports. This happens before/after
3929 # encryption/decryption.
3930 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3931 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3932 # This must be encoded as ASCII.
3933 # The order of characters does not matter.
3934 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
3935 # identifier in two different contexts won't be given the same surrogate. If
3936 # the context is not set, a default tweak will be used.
3937 #
3938 # If the context is set but:
3939 #
3940 # 1. there is no record present when transforming a given value or
3941 # 1. the field is not present when transforming a given value,
3942 #
3943 # a default tweak will be used.
3944 #
3945 # Note that case (1) is expected when an `InfoTypeTransformation` is
3946 # applied to both structured and non-structured `ContentItem`s.
3947 # Currently, the referenced field may be of value type integer or string.
3948 #
3949 # The tweak is constructed as a sequence of bytes in big endian byte order
3950 # such that:
3951 #
3952 # - a 64 bit integer is encoded followed by a single byte of value 1
3953 # - a string is encoded in UTF-8 format followed by a single byte of value 2
3954 "name": "A String", # Name describing the field.
3955 },
3956 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
3957 # This annotation will be applied to the surrogate by prefixing it with
3958 # the name of the custom infoType followed by the number of
3959 # characters comprising the surrogate. The following scheme defines the
3960 # format: info_type_name(surrogate_character_count):surrogate
3961 #
3962 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
3963 # the surrogate is 'abc', the full replacement value
3964 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
3965 #
3966 # This annotation identifies the surrogate when inspecting content using the
3967 # custom infoType
3968 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
3969 # This facilitates reversal of the surrogate when it occurs in free text.
3970 #
3971 # In order for inspection to work properly, the name of this infoType must
3972 # not occur naturally anywhere in your data; otherwise, inspection may
3973 # find a surrogate that does not correspond to an actual identifier.
3974 # Therefore, choose your custom infoType name carefully after considering
3975 # what your data looks like. One way to select a name that has a high chance
3976 # of yielding reliable detection is to include one or more unicode characters
3977 # that are highly improbable to exist in your data.
3978 # For example, assuming your data is entered from a regular ASCII keyboard,
3979 # the symbol with the hex code point 29DD might be used like so:
3980 # ⧝MY_TOKEN_TYPE
3981 "name": "A String", # Name of the information type. Either a name of your choosing when
3982 # creating a CustomInfoType, or one of the names listed
3983 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
3984 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3985 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]3986 },
3987 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]3988 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
3989 # replacement values are dynamically provided by the user for custom behavior,
3990 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
3991 # This can be used on
3992 # data of type: number, long, string, timestamp.
3993 # If the bound `Value` type differs from the type of data being transformed, we
3994 # will first attempt converting the type of the data to be transformed to match
3995 # the type of the bound before comparing.
3996 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
3997 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
3998 { # Bucket is represented as a range, along with replacement values.
3999 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
4000 # Note that for the purposes of inspection or transformation, the number
4001 # of bytes considered to comprise a 'Value' is based on its representation
4002 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4003 # 123456789, the number of bytes would be counted as 9, even though an
4004 # int64 only holds up to 8 bytes of data.
4005 "floatValue": 3.14, # float
4006 "timestampValue": "A String", # timestamp
4007 "dayOfWeekValue": "A String", # day of week
4008 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4009 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4010 # types are google.type.Date and `google.protobuf.Timestamp`.
4011 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4012 # to allow the value "24:00:00" for scenarios like business closing time.
4013 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4014 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4015 # allow the value 60 if it allows leap-seconds.
4016 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4017 },
4018 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4019 # and time zone are either specified elsewhere or are not significant. The date
4020 # is relative to the Proleptic Gregorian Calendar. This can represent:
4021 #
4022 # * A full date, with non-zero year, month and day values
4023 # * A month and day value, with a zero year, e.g. an anniversary
4024 # * A year on its own, with zero month and day values
4025 # * A year and month value, with a zero day, e.g. a credit card expiration date
4026 #
4027 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4028 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4029 # month and day.
4030 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4031 # if specifying a year by itself or a year and month where the day is not
4032 # significant.
4033 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4034 # a year.
4035 },
4036 "stringValue": "A String", # string
4037 "booleanValue": True or False, # boolean
4038 "integerValue": "A String", # integer
4039 },
4040 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
4041 # the default behavior will be to hyphenate the min-max range.
4042 # Note that for the purposes of inspection or transformation, the number
4043 # of bytes considered to comprise a 'Value' is based on its representation
4044 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4045 # 123456789, the number of bytes would be counted as 9, even though an
4046 # int64 only holds up to 8 bytes of data.
4047 "floatValue": 3.14, # float
4048 "timestampValue": "A String", # timestamp
4049 "dayOfWeekValue": "A String", # day of week
4050 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4051 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4052 # types are google.type.Date and `google.protobuf.Timestamp`.
4053 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4054 # to allow the value "24:00:00" for scenarios like business closing time.
4055 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4056 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4057 # allow the value 60 if it allows leap-seconds.
4058 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4059 },
4060 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4061 # and time zone are either specified elsewhere or are not significant. The date
4062 # is relative to the Proleptic Gregorian Calendar. This can represent:
4063 #
4064 # * A full date, with non-zero year, month and day values
4065 # * A month and day value, with a zero year, e.g. an anniversary
4066 # * A year on its own, with zero month and day values
4067 # * A year and month value, with a zero day, e.g. a credit card expiration date
4068 #
4069 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4070 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4071 # month and day.
4072 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4073 # if specifying a year by itself or a year and month where the day is not
4074 # significant.
4075 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4076 # a year.
4077 },
4078 "stringValue": "A String", # string
4079 "booleanValue": True or False, # boolean
4080 "integerValue": "A String", # integer
4081 },
4082 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
4083 # used.
4084 # Note that for the purposes of inspection or transformation, the number
4085 # of bytes considered to comprise a 'Value' is based on its representation
4086 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4087 # 123456789, the number of bytes would be counted as 9, even though an
4088 # int64 only holds up to 8 bytes of data.
4089 "floatValue": 3.14, # float
4090 "timestampValue": "A String", # timestamp
4091 "dayOfWeekValue": "A String", # day of week
4092 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4093 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4094 # types are google.type.Date and `google.protobuf.Timestamp`.
4095 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4096 # to allow the value "24:00:00" for scenarios like business closing time.
4097 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4098 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4099 # allow the value 60 if it allows leap-seconds.
4100 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4101 },
4102 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4103 # and time zone are either specified elsewhere or are not significant. The date
4104 # is relative to the Proleptic Gregorian Calendar. This can represent:
4105 #
4106 # * A full date, with non-zero year, month and day values
4107 # * A month and day value, with a zero year, e.g. an anniversary
4108 # * A year on its own, with zero month and day values
4109 # * A year and month value, with a zero day, e.g. a credit card expiration date
4110 #
4111 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4112 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4113 # month and day.
4114 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4115 # if specifying a year by itself or a year and month where the day is not
4116 # significant.
4117 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4118 # a year.
4119 },
4120 "stringValue": "A String", # string
4121 "booleanValue": True or False, # boolean
4122 "integerValue": "A String", # integer
4123 },
4124 },
4125 ],
4126 },
4127 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
4128 # Uses SHA-256.
4129 # The key size must be either 32 or 64 bytes.
4130 # Outputs a base64 encoded representation of the hashed output
4131 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
4132 # Currently, only string and integer values can be hashed.
4133 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
4134 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
4135 # a key encryption key (KEK) stored by KMS).
4136 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4137 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4138 # unwrap the data crypto key.
4139 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4140 # The wrapped key must be a 128/192/256 bit key.
4141 # Authorization requires the following IAM permissions when sending a request
4142 # to perform a crypto transformation using a kms-wrapped crypto key:
4143 # dlp.kms.encrypt
4144 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4145 "wrappedKey": "A String", # Required. The wrapped data crypto key.
4146 },
4147 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
4148 # leaking the key. Choose another type of key if possible.
4149 "key": "A String", # Required. A 128/192/256 bit key.
4150 },
4151 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
4152 # It will be discarded after the request finishes.
4153 "name": "A String", # Required. Name of the key.
4154 # This is an arbitrary string used to differentiate different keys.
4155 # A unique key is generated per name: two separate `TransientCryptoKey`
4156 # protos share the same generated key if their names are the same.
4157 # When the data crypto key is generated, this name is not used in any way
4158 # (repeating the api call will result in a different key being generated).
4159 },
4160 },
4161 },
4162 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4163 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
4164 # Note that for the purposes of inspection or transformation, the number
4165 # of bytes considered to comprise a 'Value' is based on its representation
4166 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4167 # 123456789, the number of bytes would be counted as 9, even though an
4168 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4169 "floatValue": 3.14, # float
4170 "timestampValue": "A String", # timestamp
4171 "dayOfWeekValue": "A String", # day of week
4172 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4173 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4174 # types are google.type.Date and `google.protobuf.Timestamp`.
4175 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4176 # to allow the value "24:00:00" for scenarios like business closing time.
4177 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4178 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4179 # allow the value 60 if it allows leap-seconds.
4180 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4181 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4182 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4183 # and time zone are either specified elsewhere or are not significant. The date
4184 # is relative to the Proleptic Gregorian Calendar. This can represent:
4185 #
4186 # * A full date, with non-zero year, month and day values
4187 # * A month and day value, with a zero year, e.g. an anniversary
4188 # * A year on its own, with zero month and day values
4189 # * A year and month value, with a zero day, e.g. a credit card expiration date
4190 #
4191 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4192 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4193 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4194 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4195 # if specifying a year by itself or a year and month where the day is not
4196 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4197 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4198 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4199 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4200 "stringValue": "A String", # string
4201 "booleanValue": True or False, # boolean
4202 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4203 },
4204 },
4205 },
4206 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
4207 # this transformation to apply to all findings that correspond to
4208 # infoTypes that were requested in `InspectConfig`.
4209 { # Type of information detected by the API.
4210 "name": "A String", # Name of the information type. Either a name of your choosing when
4211 # creating a CustomInfoType, or one of the names listed
4212 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4213 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4214 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4215 },
4216 ],
4217 },
4218 ],
4219 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4220 },
4221 ],
4222 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4223 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
4224 # mode is `TransformationErrorHandling.ThrowError`.
4225 # transformation error occurs when the requested transformation is incompatible
4226 # with the data. For example, trying to de-identify an IP address using a
4227 # `DateShift` transformation would result in a transformation error, since date
4228 # info cannot be extracted from an IP address.
4229 # Information about any incompatible transformations, and how they were
4230 # handled, is returned in the response as part of the
4231 # `TransformationOverviews`.
4232 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
4233 },
4234 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
4235 # cause an error. For example, if a `DateShift` transformation were applied
4236 # an an IP address, this mode would leave the IP address unchanged in the
4237 # response.
4238 },
4239 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4240 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4241 "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
4242 "name": "A String", # Output only. The template name.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4243 #
4244 # The template will have one of the following formats:
4245 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
4246 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
4247 }</pre>
4248</div>
4249
4250<div class="method">
4251 <code class="details" id="delete">delete(name, x__xgafv=None)</code>
4252 <pre>Deletes a DeidentifyTemplate.
4253See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
4254more.
4255
4256Args:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4257 name: string, Required. Resource name of the organization and deidentify template to be deleted,
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4258for example `organizations/433245324/deidentifyTemplates/432452342` or
4259projects/project-id/deidentifyTemplates/432452342. (required)
4260 x__xgafv: string, V1 error format.
4261 Allowed values
4262 1 - v1 error format
4263 2 - v2 error format
4264
4265Returns:
4266 An object of the form:
4267
4268 { # A generic empty message that you can re-use to avoid defining duplicated
4269 # empty messages in your APIs. A typical example is to use it as the request
4270 # or the response type of an API method. For instance:
4271 #
4272 # service Foo {
4273 # rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
4274 # }
4275 #
4276 # The JSON representation for `Empty` is empty JSON object `{}`.
4277 }</pre>
4278</div>
4279
4280<div class="method">
4281 <code class="details" id="get">get(name, x__xgafv=None)</code>
4282 <pre>Gets a DeidentifyTemplate.
4283See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
4284more.
4285
4286Args:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4287 name: string, Required. Resource name of the organization and deidentify template to be read, for
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4288example `organizations/433245324/deidentifyTemplates/432452342` or
4289projects/project-id/deidentifyTemplates/432452342. (required)
4290 x__xgafv: string, V1 error format.
4291 Allowed values
4292 1 - v1 error format
4293 2 - v2 error format
4294
4295Returns:
4296 An object of the form:
4297
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4298 { # DeidentifyTemplates contains instructions on how to de-identify content.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4299 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4300 "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4301 "displayName": "A String", # Display name (max 256 chars).
4302 "description": "A String", # Short description (max 256 chars).
4303 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
4304 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
4305 # transformation everywhere.
4306 # apply various `PrimitiveTransformation`s to each finding, where the
4307 # transformation is applied to only values that were identified as a specific
4308 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4309 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
4310 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4311 { # A transformation to apply to text that is identified as a specific
4312 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4313 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
4314 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4315 # input. Outputs a base64 encoded representation of the encrypted output.
4316 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
4317 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
4318 # a key encryption key (KEK) stored by KMS).
4319 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4320 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4321 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4322 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4323 # The wrapped key must be a 128/192/256 bit key.
4324 # Authorization requires the following IAM permissions when sending a request
4325 # to perform a crypto transformation using a kms-wrapped crypto key:
4326 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4327 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4328 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4329 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4330 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4331 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4332 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4333 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4334 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4335 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4336 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4337 # This is an arbitrary string used to differentiate different keys.
4338 # A unique key is generated per name: two separate `TransientCryptoKey`
4339 # protos share the same generated key if their names are the same.
4340 # When the data crypto key is generated, this name is not used in any way
4341 # (repeating the api call will result in a different key being generated).
4342 },
4343 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4344 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4345 # referential integrity such that the same identifier in two different
4346 # contexts will be given a distinct surrogate. The context is appended to
4347 # plaintext value being encrypted. On decryption the provided context is
4348 # validated against the value used during encryption. If a context was
4349 # provided during encryption, same context must be provided during decryption
4350 # as well.
4351 #
4352 # If the context is not set, plaintext would be used as is for encryption.
4353 # If the context is set but:
4354 #
4355 # 1. there is no record present when transforming a given value or
4356 # 2. the field is not present when transforming a given value,
4357 #
4358 # plaintext would be used as is for encryption.
4359 #
4360 # Note that case (1) is expected when an `InfoTypeTransformation` is
4361 # applied to both structured and non-structured `ContentItem`s.
4362 "name": "A String", # Name describing the field.
4363 },
4364 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
4365 # This annotation will be applied to the surrogate by prefixing it with
4366 # the name of the custom info type followed by the number of
4367 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4368 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4369 #
4370 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
4371 # the surrogate is 'abc', the full replacement value
4372 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4373 #
4374 # This annotation identifies the surrogate when inspecting content using the
4375 # custom info type 'Surrogate'. This facilitates reversal of the
4376 # surrogate when it occurs in free text.
4377 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4378 # Note: For record transformations where the entire cell in a table is being
4379 # transformed, surrogates are not mandatory. Surrogates are used to denote
4380 # the location of the token and are necessary for re-identification in free
4381 # form text.
4382 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4383 # In order for inspection to work properly, the name of this info type must
4384 # not occur naturally anywhere in your data; otherwise, inspection may either
4385 #
4386 # - reverse a surrogate that does not correspond to an actual identifier
4387 # - be unable to parse the surrogate and result in an error
4388 #
4389 # Therefore, choose your custom info type name carefully after considering
4390 # what your data looks like. One way to select a name that has a high chance
4391 # of yielding reliable detection is to include one or more unicode characters
4392 # that are highly improbable to exist in your data.
4393 # For example, assuming your data is entered from a regular ASCII keyboard,
4394 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4395 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4396 "name": "A String", # Name of the information type. Either a name of your choosing when
4397 # creating a CustomInfoType, or one of the names listed
4398 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4399 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4400 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4401 },
4402 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4403 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
4404 # fixed character. Masking can start from the beginning or end of the string.
4405 # This can be used on data of any type (numbers, longs, and so on) and when
4406 # de-identifying structured data we'll attempt to preserve the original data's
4407 # type. (This allows you to take a long like 123 and modify it to a string like
4408 # **3.
4409 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
4410 # characters. For example, if the input string is `555-555-5555` and you
4411 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
4412 # returns `***-**5-5555`.
4413 { # Characters to skip when doing deidentification of a value. These will be left
4414 # alone and skipped.
4415 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
4416 # punctuation.
4417 "charactersToSkip": "A String", # Characters to not transform when masking.
4418 },
4419 ],
4420 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
4421 # masked. Skipped characters do not count towards this tally.
4422 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
4423 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
4424 # code or credit card number. This string must have a length of 1. If not
4425 # supplied, this value defaults to `*` for strings, and `0` for digits.
4426 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
4427 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
4428 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
4429 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
4430 # is `true`, then the string `12345` is masked as `12***`.
4431 },
4432 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
4433 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
4434 # output would be 'My phone number is '.
4435 },
4436 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
4437 },
4438 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4439 # Bucketing transformation can provide all of this functionality,
4440 # but requires more configuration. This message is provided as a convenience to
4441 # the user for simple bucketing strategies.
4442 #
4443 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4444 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4445 # all values that are within this bucket will be replaced with "10-20".
4446 #
4447 # This can be used on data of type: double, long.
4448 #
4449 # If the bound Value type differs from the type of data
4450 # being transformed, we will first attempt converting the type of the data to
4451 # be transformed to match the type of the bound before comparing.
4452 #
4453 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4454 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4455 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4456 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4457 # Note that for the purposes of inspection or transformation, the number
4458 # of bytes considered to comprise a 'Value' is based on its representation
4459 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4460 # 123456789, the number of bytes would be counted as 9, even though an
4461 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4462 "floatValue": 3.14, # float
4463 "timestampValue": "A String", # timestamp
4464 "dayOfWeekValue": "A String", # day of week
4465 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4466 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4467 # types are google.type.Date and `google.protobuf.Timestamp`.
4468 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4469 # to allow the value "24:00:00" for scenarios like business closing time.
4470 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4471 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4472 # allow the value 60 if it allows leap-seconds.
4473 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4474 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4475 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4476 # and time zone are either specified elsewhere or are not significant. The date
4477 # is relative to the Proleptic Gregorian Calendar. This can represent:
4478 #
4479 # * A full date, with non-zero year, month and day values
4480 # * A month and day value, with a zero year, e.g. an anniversary
4481 # * A year on its own, with zero month and day values
4482 # * A year and month value, with a zero day, e.g. a credit card expiration date
4483 #
4484 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4485 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4486 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4487 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4488 # if specifying a year by itself or a year and month where the day is not
4489 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4490 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4491 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4492 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4493 "stringValue": "A String", # string
4494 "booleanValue": True or False, # boolean
4495 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4496 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4497 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4498 # grouped together into a single bucket; for example if `upper_bound` = 89,
4499 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4500 # Note that for the purposes of inspection or transformation, the number
4501 # of bytes considered to comprise a 'Value' is based on its representation
4502 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4503 # 123456789, the number of bytes would be counted as 9, even though an
4504 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4505 "floatValue": 3.14, # float
4506 "timestampValue": "A String", # timestamp
4507 "dayOfWeekValue": "A String", # day of week
4508 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4509 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4510 # types are google.type.Date and `google.protobuf.Timestamp`.
4511 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4512 # to allow the value "24:00:00" for scenarios like business closing time.
4513 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4514 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4515 # allow the value 60 if it allows leap-seconds.
4516 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4517 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4518 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4519 # and time zone are either specified elsewhere or are not significant. The date
4520 # is relative to the Proleptic Gregorian Calendar. This can represent:
4521 #
4522 # * A full date, with non-zero year, month and day values
4523 # * A month and day value, with a zero year, e.g. an anniversary
4524 # * A year on its own, with zero month and day values
4525 # * A year and month value, with a zero day, e.g. a credit card expiration date
4526 #
4527 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4528 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4529 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4530 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4531 # if specifying a year by itself or a year and month where the day is not
4532 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4533 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4534 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4535 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4536 "stringValue": "A String", # string
4537 "booleanValue": True or False, # boolean
4538 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4539 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4540 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4541 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
4542 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4543 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4544 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4545 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4546 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4547 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4548 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4549 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4550 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
4551 # to learn more.
4552 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4553 # results in the same shift for the same context and crypto_key. If
4554 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4555 # a key encryption key (KEK) stored by KMS).
4556 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4557 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4558 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4559 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4560 # The wrapped key must be a 128/192/256 bit key.
4561 # Authorization requires the following IAM permissions when sending a request
4562 # to perform a crypto transformation using a kms-wrapped crypto key:
4563 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4564 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4565 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4566 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4567 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4568 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4569 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4570 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4571 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4572 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4573 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4574 # This is an arbitrary string used to differentiate different keys.
4575 # A unique key is generated per name: two separate `TransientCryptoKey`
4576 # protos share the same generated key if their names are the same.
4577 # When the data crypto key is generated, this name is not used in any way
4578 # (repeating the api call will result in a different key being generated).
4579 },
4580 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4581 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
4582 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4583 # range (inclusive ends). Negative means shift to earlier in time. Must not
4584 # be more than 365250 days (1000 years) each direction.
4585 #
4586 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4587 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4588 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4589 # given context.
4590 "name": "A String", # Name describing the field.
4591 },
4592 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4593 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4594 # (FPE) with the FFX mode of operation; however when used in the
4595 # `ReidentifyContent` API method, it serves the opposite function by reversing
4596 # the surrogate back into the original identifier. The identifier must be
4597 # encoded as ASCII. For a given crypto key and context, the same identifier
4598 # will be replaced with the same surrogate. Identifiers must be at least two
4599 # characters long. In the case that the identifier is the empty string, it will
4600 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
4601 # more.
4602 #
4603 # Note: We recommend using CryptoDeterministicConfig for all use cases which
4604 # do not require preserving the input alphabet space and size, plus warrant
4605 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4606 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4607 # a key encryption key (KEK) stored by KMS).
4608 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4609 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4610 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4611 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4612 # The wrapped key must be a 128/192/256 bit key.
4613 # Authorization requires the following IAM permissions when sending a request
4614 # to perform a crypto transformation using a kms-wrapped crypto key:
4615 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4616 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4617 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4618 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4619 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4620 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4621 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4622 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4623 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4624 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4625 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4626 # This is an arbitrary string used to differentiate different keys.
4627 # A unique key is generated per name: two separate `TransientCryptoKey`
4628 # protos share the same generated key if their names are the same.
4629 # When the data crypto key is generated, this name is not used in any way
4630 # (repeating the api call will result in a different key being generated).
4631 },
4632 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4633 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
4634 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4635 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
4636 # that the FFX mode natively supports. This happens before/after
4637 # encryption/decryption.
4638 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4639 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4640 # This must be encoded as ASCII.
4641 # The order of characters does not matter.
4642 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
4643 # identifier in two different contexts won't be given the same surrogate. If
4644 # the context is not set, a default tweak will be used.
4645 #
4646 # If the context is set but:
4647 #
4648 # 1. there is no record present when transforming a given value or
4649 # 1. the field is not present when transforming a given value,
4650 #
4651 # a default tweak will be used.
4652 #
4653 # Note that case (1) is expected when an `InfoTypeTransformation` is
4654 # applied to both structured and non-structured `ContentItem`s.
4655 # Currently, the referenced field may be of value type integer or string.
4656 #
4657 # The tweak is constructed as a sequence of bytes in big endian byte order
4658 # such that:
4659 #
4660 # - a 64 bit integer is encoded followed by a single byte of value 1
4661 # - a string is encoded in UTF-8 format followed by a single byte of value 2
4662 "name": "A String", # Name describing the field.
4663 },
4664 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
4665 # This annotation will be applied to the surrogate by prefixing it with
4666 # the name of the custom infoType followed by the number of
4667 # characters comprising the surrogate. The following scheme defines the
4668 # format: info_type_name(surrogate_character_count):surrogate
4669 #
4670 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
4671 # the surrogate is 'abc', the full replacement value
4672 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
4673 #
4674 # This annotation identifies the surrogate when inspecting content using the
4675 # custom infoType
4676 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
4677 # This facilitates reversal of the surrogate when it occurs in free text.
4678 #
4679 # In order for inspection to work properly, the name of this infoType must
4680 # not occur naturally anywhere in your data; otherwise, inspection may
4681 # find a surrogate that does not correspond to an actual identifier.
4682 # Therefore, choose your custom infoType name carefully after considering
4683 # what your data looks like. One way to select a name that has a high chance
4684 # of yielding reliable detection is to include one or more unicode characters
4685 # that are highly improbable to exist in your data.
4686 # For example, assuming your data is entered from a regular ASCII keyboard,
4687 # the symbol with the hex code point 29DD might be used like so:
4688 # ⧝MY_TOKEN_TYPE
4689 "name": "A String", # Name of the information type. Either a name of your choosing when
4690 # creating a CustomInfoType, or one of the names listed
4691 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4692 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4693 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4694 },
4695 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4696 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
4697 # replacement values are dynamically provided by the user for custom behavior,
4698 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
4699 # This can be used on
4700 # data of type: number, long, string, timestamp.
4701 # If the bound `Value` type differs from the type of data being transformed, we
4702 # will first attempt converting the type of the data to be transformed to match
4703 # the type of the bound before comparing.
4704 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
4705 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
4706 { # Bucket is represented as a range, along with replacement values.
4707 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
4708 # Note that for the purposes of inspection or transformation, the number
4709 # of bytes considered to comprise a 'Value' is based on its representation
4710 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4711 # 123456789, the number of bytes would be counted as 9, even though an
4712 # int64 only holds up to 8 bytes of data.
4713 "floatValue": 3.14, # float
4714 "timestampValue": "A String", # timestamp
4715 "dayOfWeekValue": "A String", # day of week
4716 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4717 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4718 # types are google.type.Date and `google.protobuf.Timestamp`.
4719 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4720 # to allow the value "24:00:00" for scenarios like business closing time.
4721 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4722 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4723 # allow the value 60 if it allows leap-seconds.
4724 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4725 },
4726 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4727 # and time zone are either specified elsewhere or are not significant. The date
4728 # is relative to the Proleptic Gregorian Calendar. This can represent:
4729 #
4730 # * A full date, with non-zero year, month and day values
4731 # * A month and day value, with a zero year, e.g. an anniversary
4732 # * A year on its own, with zero month and day values
4733 # * A year and month value, with a zero day, e.g. a credit card expiration date
4734 #
4735 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4736 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4737 # month and day.
4738 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4739 # if specifying a year by itself or a year and month where the day is not
4740 # significant.
4741 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4742 # a year.
4743 },
4744 "stringValue": "A String", # string
4745 "booleanValue": True or False, # boolean
4746 "integerValue": "A String", # integer
4747 },
4748 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
4749 # the default behavior will be to hyphenate the min-max range.
4750 # Note that for the purposes of inspection or transformation, the number
4751 # of bytes considered to comprise a 'Value' is based on its representation
4752 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4753 # 123456789, the number of bytes would be counted as 9, even though an
4754 # int64 only holds up to 8 bytes of data.
4755 "floatValue": 3.14, # float
4756 "timestampValue": "A String", # timestamp
4757 "dayOfWeekValue": "A String", # day of week
4758 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4759 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4760 # types are google.type.Date and `google.protobuf.Timestamp`.
4761 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4762 # to allow the value "24:00:00" for scenarios like business closing time.
4763 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4764 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4765 # allow the value 60 if it allows leap-seconds.
4766 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4767 },
4768 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4769 # and time zone are either specified elsewhere or are not significant. The date
4770 # is relative to the Proleptic Gregorian Calendar. This can represent:
4771 #
4772 # * A full date, with non-zero year, month and day values
4773 # * A month and day value, with a zero year, e.g. an anniversary
4774 # * A year on its own, with zero month and day values
4775 # * A year and month value, with a zero day, e.g. a credit card expiration date
4776 #
4777 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4778 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4779 # month and day.
4780 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4781 # if specifying a year by itself or a year and month where the day is not
4782 # significant.
4783 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4784 # a year.
4785 },
4786 "stringValue": "A String", # string
4787 "booleanValue": True or False, # boolean
4788 "integerValue": "A String", # integer
4789 },
4790 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
4791 # used.
4792 # Note that for the purposes of inspection or transformation, the number
4793 # of bytes considered to comprise a 'Value' is based on its representation
4794 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4795 # 123456789, the number of bytes would be counted as 9, even though an
4796 # int64 only holds up to 8 bytes of data.
4797 "floatValue": 3.14, # float
4798 "timestampValue": "A String", # timestamp
4799 "dayOfWeekValue": "A String", # day of week
4800 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
4801 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4802 # types are google.type.Date and `google.protobuf.Timestamp`.
4803 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4804 # to allow the value "24:00:00" for scenarios like business closing time.
4805 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4806 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4807 # allow the value 60 if it allows leap-seconds.
4808 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4809 },
4810 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
4811 # and time zone are either specified elsewhere or are not significant. The date
4812 # is relative to the Proleptic Gregorian Calendar. This can represent:
4813 #
4814 # * A full date, with non-zero year, month and day values
4815 # * A month and day value, with a zero year, e.g. an anniversary
4816 # * A year on its own, with zero month and day values
4817 # * A year and month value, with a zero day, e.g. a credit card expiration date
4818 #
4819 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
4820 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4821 # month and day.
4822 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4823 # if specifying a year by itself or a year and month where the day is not
4824 # significant.
4825 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4826 # a year.
4827 },
4828 "stringValue": "A String", # string
4829 "booleanValue": True or False, # boolean
4830 "integerValue": "A String", # integer
4831 },
4832 },
4833 ],
4834 },
4835 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
4836 # Uses SHA-256.
4837 # The key size must be either 32 or 64 bytes.
4838 # Outputs a base64 encoded representation of the hashed output
4839 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
4840 # Currently, only string and integer values can be hashed.
4841 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
4842 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
4843 # a key encryption key (KEK) stored by KMS).
4844 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
4845 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
4846 # unwrap the data crypto key.
4847 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
4848 # The wrapped key must be a 128/192/256 bit key.
4849 # Authorization requires the following IAM permissions when sending a request
4850 # to perform a crypto transformation using a kms-wrapped crypto key:
4851 # dlp.kms.encrypt
4852 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
4853 "wrappedKey": "A String", # Required. The wrapped data crypto key.
4854 },
4855 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
4856 # leaking the key. Choose another type of key if possible.
4857 "key": "A String", # Required. A 128/192/256 bit key.
4858 },
4859 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
4860 # It will be discarded after the request finishes.
4861 "name": "A String", # Required. Name of the key.
4862 # This is an arbitrary string used to differentiate different keys.
4863 # A unique key is generated per name: two separate `TransientCryptoKey`
4864 # protos share the same generated key if their names are the same.
4865 # When the data crypto key is generated, this name is not used in any way
4866 # (repeating the api call will result in a different key being generated).
4867 },
4868 },
4869 },
4870 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4871 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
4872 # Note that for the purposes of inspection or transformation, the number
4873 # of bytes considered to comprise a 'Value' is based on its representation
4874 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4875 # 123456789, the number of bytes would be counted as 9, even though an
4876 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4877 "floatValue": 3.14, # float
4878 "timestampValue": "A String", # timestamp
4879 "dayOfWeekValue": "A String", # day of week
4880 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4881 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4882 # types are google.type.Date and `google.protobuf.Timestamp`.
4883 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4884 # to allow the value "24:00:00" for scenarios like business closing time.
4885 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4886 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4887 # allow the value 60 if it allows leap-seconds.
4888 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4889 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4890 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4891 # and time zone are either specified elsewhere or are not significant. The date
4892 # is relative to the Proleptic Gregorian Calendar. This can represent:
4893 #
4894 # * A full date, with non-zero year, month and day values
4895 # * A month and day value, with a zero year, e.g. an anniversary
4896 # * A year on its own, with zero month and day values
4897 # * A year and month value, with a zero day, e.g. a credit card expiration date
4898 #
4899 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4900 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4901 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4902 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4903 # if specifying a year by itself or a year and month where the day is not
4904 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4905 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
4906 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4907 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4908 "stringValue": "A String", # string
4909 "booleanValue": True or False, # boolean
4910 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4911 },
4912 },
4913 },
4914 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
4915 # this transformation to apply to all findings that correspond to
4916 # infoTypes that were requested in `InspectConfig`.
4917 { # Type of information detected by the API.
4918 "name": "A String", # Name of the information type. Either a name of your choosing when
4919 # creating a CustomInfoType, or one of the names listed
4920 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
4921 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4922 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4923 },
4924 ],
4925 },
4926 ],
4927 },
4928 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
4929 # specific locations within structured datasets, such as transforming
4930 # a column within a table.
4931 # table.
4932 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4933 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4934 { # Configuration to suppress records whose suppression conditions evaluate to
4935 # true.
4936 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
4937 # evaluated to be suppressed from the transformed content.
4938 # a field.
4939 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4940 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
4941 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4942 { # The field type of `value` and `field` do not need to match to be
4943 # considered equal, but not all comparisons are possible.
4944 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
4945 # but all other comparisons are invalid with incompatible types.
4946 # A `value` of type:
4947 #
4948 # - `string` can be compared against all other types
4949 # - `boolean` can only be compared against other booleans
4950 # - `integer` can be compared against doubles or a string if the string value
4951 # can be parsed as an integer.
4952 # - `double` can be compared against integers or a string if the string can
4953 # be parsed as a double.
4954 # - `Timestamp` can be compared against strings in RFC 3339 date string
4955 # format.
4956 # - `TimeOfDay` can be compared against timestamps and strings in the format
4957 # of 'HH:mm:ss'.
4958 #
4959 # If we fail to compare do to type mismatch, a warning will be given and
4960 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4961 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
4962 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4963 "name": "A String", # Name describing the field.
4964 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4965 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4966 # Note that for the purposes of inspection or transformation, the number
4967 # of bytes considered to comprise a 'Value' is based on its representation
4968 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
4969 # 123456789, the number of bytes would be counted as 9, even though an
4970 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4971 "floatValue": 3.14, # float
4972 "timestampValue": "A String", # timestamp
4973 "dayOfWeekValue": "A String", # day of week
4974 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4975 # or are specified elsewhere. An API may choose to allow leap seconds. Related
4976 # types are google.type.Date and `google.protobuf.Timestamp`.
4977 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
4978 # to allow the value "24:00:00" for scenarios like business closing time.
4979 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
4980 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
4981 # allow the value 60 if it allows leap-seconds.
4982 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
4983 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4984 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4985 # and time zone are either specified elsewhere or are not significant. The date
4986 # is relative to the Proleptic Gregorian Calendar. This can represent:
4987 #
4988 # * A full date, with non-zero year, month and day values
4989 # * A month and day value, with a zero year, e.g. an anniversary
4990 # * A year on its own, with zero month and day values
4991 # * A year and month value, with a zero day, e.g. a credit card expiration date
4992 #
4993 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4994 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
4995 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]4996 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
4997 # if specifying a year by itself or a year and month where the day is not
4998 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]4999 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5000 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5001 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5002 "stringValue": "A String", # string
5003 "booleanValue": True or False, # boolean
5004 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5005 },
5006 },
5007 ],
5008 },
5009 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
5010 # only supported value is `AND`.
5011 },
5012 },
5013 },
5014 ],
5015 "fieldTransformations": [ # Transform the record by applying various field transformations.
5016 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5017 "fields": [ # Required. Input field(s) to apply the transformation to.
5018 { # General identifier of a data field in a storage service.
5019 "name": "A String", # Name describing the field.
5020 },
5021 ],
5022 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
5023 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
5024 # input. Outputs a base64 encoded representation of the encrypted output.
5025 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
5026 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
5027 # a key encryption key (KEK) stored by KMS).
5028 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5029 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5030 # unwrap the data crypto key.
5031 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5032 # The wrapped key must be a 128/192/256 bit key.
5033 # Authorization requires the following IAM permissions when sending a request
5034 # to perform a crypto transformation using a kms-wrapped crypto key:
5035 # dlp.kms.encrypt
5036 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5037 "wrappedKey": "A String", # Required. The wrapped data crypto key.
5038 },
5039 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5040 # leaking the key. Choose another type of key if possible.
5041 "key": "A String", # Required. A 128/192/256 bit key.
5042 },
5043 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
5044 # It will be discarded after the request finishes.
5045 "name": "A String", # Required. Name of the key.
5046 # This is an arbitrary string used to differentiate different keys.
5047 # A unique key is generated per name: two separate `TransientCryptoKey`
5048 # protos share the same generated key if their names are the same.
5049 # When the data crypto key is generated, this name is not used in any way
5050 # (repeating the api call will result in a different key being generated).
5051 },
5052 },
5053 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
5054 # referential integrity such that the same identifier in two different
5055 # contexts will be given a distinct surrogate. The context is appended to
5056 # plaintext value being encrypted. On decryption the provided context is
5057 # validated against the value used during encryption. If a context was
5058 # provided during encryption, same context must be provided during decryption
5059 # as well.
5060 #
5061 # If the context is not set, plaintext would be used as is for encryption.
5062 # If the context is set but:
5063 #
5064 # 1. there is no record present when transforming a given value or
5065 # 2. the field is not present when transforming a given value,
5066 #
5067 # plaintext would be used as is for encryption.
5068 #
5069 # Note that case (1) is expected when an `InfoTypeTransformation` is
5070 # applied to both structured and non-structured `ContentItem`s.
5071 "name": "A String", # Name describing the field.
5072 },
5073 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5074 # This annotation will be applied to the surrogate by prefixing it with
5075 # the name of the custom info type followed by the number of
5076 # characters comprising the surrogate. The following scheme defines the
5077 # format: {info type name}({surrogate character count}):{surrogate}
5078 #
5079 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
5080 # the surrogate is 'abc', the full replacement value
5081 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5082 #
5083 # This annotation identifies the surrogate when inspecting content using the
5084 # custom info type 'Surrogate'. This facilitates reversal of the
5085 # surrogate when it occurs in free text.
5086 #
5087 # Note: For record transformations where the entire cell in a table is being
5088 # transformed, surrogates are not mandatory. Surrogates are used to denote
5089 # the location of the token and are necessary for re-identification in free
5090 # form text.
5091 #
5092 # In order for inspection to work properly, the name of this info type must
5093 # not occur naturally anywhere in your data; otherwise, inspection may either
5094 #
5095 # - reverse a surrogate that does not correspond to an actual identifier
5096 # - be unable to parse the surrogate and result in an error
5097 #
5098 # Therefore, choose your custom info type name carefully after considering
5099 # what your data looks like. One way to select a name that has a high chance
5100 # of yielding reliable detection is to include one or more unicode characters
5101 # that are highly improbable to exist in your data.
5102 # For example, assuming your data is entered from a regular ASCII keyboard,
5103 # the symbol with the hex code point 29DD might be used like so:
5104 # ⧝MY_TOKEN_TYPE.
5105 "name": "A String", # Name of the information type. Either a name of your choosing when
5106 # creating a CustomInfoType, or one of the names listed
5107 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5108 # a built-in type. InfoType names should conform to the pattern
5109 # `[a-zA-Z0-9_]{1,64}`.
5110 },
5111 },
5112 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
5113 # fixed character. Masking can start from the beginning or end of the string.
5114 # This can be used on data of any type (numbers, longs, and so on) and when
5115 # de-identifying structured data we'll attempt to preserve the original data's
5116 # type. (This allows you to take a long like 123 and modify it to a string like
5117 # **3.
5118 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
5119 # characters. For example, if the input string is `555-555-5555` and you
5120 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
5121 # returns `***-**5-5555`.
5122 { # Characters to skip when doing deidentification of a value. These will be left
5123 # alone and skipped.
5124 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
5125 # punctuation.
5126 "charactersToSkip": "A String", # Characters to not transform when masking.
5127 },
5128 ],
5129 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
5130 # masked. Skipped characters do not count towards this tally.
5131 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
5132 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
5133 # code or credit card number. This string must have a length of 1. If not
5134 # supplied, this value defaults to `*` for strings, and `0` for digits.
5135 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
5136 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
5137 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
5138 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
5139 # is `true`, then the string `12345` is masked as `12***`.
5140 },
5141 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
5142 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
5143 # output would be 'My phone number is '.
5144 },
5145 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
5146 },
5147 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
5148 # Bucketing transformation can provide all of this functionality,
5149 # but requires more configuration. This message is provided as a convenience to
5150 # the user for simple bucketing strategies.
5151 #
5152 # The transformed value will be a hyphenated string of
5153 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
5154 # all values that are within this bucket will be replaced with "10-20".
5155 #
5156 # This can be used on data of type: double, long.
5157 #
5158 # If the bound Value type differs from the type of data
5159 # being transformed, we will first attempt converting the type of the data to
5160 # be transformed to match the type of the bound before comparing.
5161 #
5162 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5163 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
5164 # grouped together into a single bucket; for example if `lower_bound` = 10,
5165 # then all values less than 10 are replaced with the value “-10”.
5166 # Note that for the purposes of inspection or transformation, the number
5167 # of bytes considered to comprise a 'Value' is based on its representation
5168 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5169 # 123456789, the number of bytes would be counted as 9, even though an
5170 # int64 only holds up to 8 bytes of data.
5171 "floatValue": 3.14, # float
5172 "timestampValue": "A String", # timestamp
5173 "dayOfWeekValue": "A String", # day of week
5174 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5175 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5176 # types are google.type.Date and `google.protobuf.Timestamp`.
5177 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5178 # to allow the value "24:00:00" for scenarios like business closing time.
5179 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5180 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5181 # allow the value 60 if it allows leap-seconds.
5182 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5183 },
5184 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5185 # and time zone are either specified elsewhere or are not significant. The date
5186 # is relative to the Proleptic Gregorian Calendar. This can represent:
5187 #
5188 # * A full date, with non-zero year, month and day values
5189 # * A month and day value, with a zero year, e.g. an anniversary
5190 # * A year on its own, with zero month and day values
5191 # * A year and month value, with a zero day, e.g. a credit card expiration date
5192 #
5193 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5194 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5195 # month and day.
5196 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5197 # if specifying a year by itself or a year and month where the day is not
5198 # significant.
5199 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5200 # a year.
5201 },
5202 "stringValue": "A String", # string
5203 "booleanValue": True or False, # boolean
5204 "integerValue": "A String", # integer
5205 },
5206 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
5207 # grouped together into a single bucket; for example if `upper_bound` = 89,
5208 # then all values greater than 89 are replaced with the value “89+”.
5209 # Note that for the purposes of inspection or transformation, the number
5210 # of bytes considered to comprise a 'Value' is based on its representation
5211 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5212 # 123456789, the number of bytes would be counted as 9, even though an
5213 # int64 only holds up to 8 bytes of data.
5214 "floatValue": 3.14, # float
5215 "timestampValue": "A String", # timestamp
5216 "dayOfWeekValue": "A String", # day of week
5217 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5218 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5219 # types are google.type.Date and `google.protobuf.Timestamp`.
5220 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5221 # to allow the value "24:00:00" for scenarios like business closing time.
5222 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5223 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5224 # allow the value 60 if it allows leap-seconds.
5225 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5226 },
5227 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5228 # and time zone are either specified elsewhere or are not significant. The date
5229 # is relative to the Proleptic Gregorian Calendar. This can represent:
5230 #
5231 # * A full date, with non-zero year, month and day values
5232 # * A month and day value, with a zero year, e.g. an anniversary
5233 # * A year on its own, with zero month and day values
5234 # * A year and month value, with a zero day, e.g. a credit card expiration date
5235 #
5236 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5237 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5238 # month and day.
5239 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5240 # if specifying a year by itself or a year and month where the day is not
5241 # significant.
5242 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5243 # a year.
5244 },
5245 "stringValue": "A String", # string
5246 "booleanValue": True or False, # boolean
5247 "integerValue": "A String", # integer
5248 },
5249 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
5250 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5251 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
5252 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
5253 },
5254 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
5255 # portion of the value.
5256 "partToExtract": "A String", # The part of the time to keep.
5257 },
5258 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
5259 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5260 # to learn more.
5261 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
5262 # results in the same shift for the same context and crypto_key. If
5263 # set, must also set context. Can only be applied to table items.
5264 # a key encryption key (KEK) stored by KMS).
5265 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5266 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5267 # unwrap the data crypto key.
5268 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5269 # The wrapped key must be a 128/192/256 bit key.
5270 # Authorization requires the following IAM permissions when sending a request
5271 # to perform a crypto transformation using a kms-wrapped crypto key:
5272 # dlp.kms.encrypt
5273 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5274 "wrappedKey": "A String", # Required. The wrapped data crypto key.
5275 },
5276 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5277 # leaking the key. Choose another type of key if possible.
5278 "key": "A String", # Required. A 128/192/256 bit key.
5279 },
5280 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
5281 # It will be discarded after the request finishes.
5282 "name": "A String", # Required. Name of the key.
5283 # This is an arbitrary string used to differentiate different keys.
5284 # A unique key is generated per name: two separate `TransientCryptoKey`
5285 # protos share the same generated key if their names are the same.
5286 # When the data crypto key is generated, this name is not used in any way
5287 # (repeating the api call will result in a different key being generated).
5288 },
5289 },
5290 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
5291 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
5292 # range (inclusive ends). Negative means shift to earlier in time. Must not
5293 # be more than 365250 days (1000 years) each direction.
5294 #
5295 # For example, 3 means shift date to at most 3 days into the future.
5296 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
5297 # If set, must also set cryptoKey. If set, shift will be consistent for the
5298 # given context.
5299 "name": "A String", # Name describing the field.
5300 },
5301 },
5302 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
5303 # (FPE) with the FFX mode of operation; however when used in the
5304 # `ReidentifyContent` API method, it serves the opposite function by reversing
5305 # the surrogate back into the original identifier. The identifier must be
5306 # encoded as ASCII. For a given crypto key and context, the same identifier
5307 # will be replaced with the same surrogate. Identifiers must be at least two
5308 # characters long. In the case that the identifier is the empty string, it will
5309 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
5310 # more.
5311 #
5312 # Note: We recommend using CryptoDeterministicConfig for all use cases which
5313 # do not require preserving the input alphabet space and size, plus warrant
5314 # referential integrity.
5315 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
5316 # a key encryption key (KEK) stored by KMS).
5317 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5318 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5319 # unwrap the data crypto key.
5320 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5321 # The wrapped key must be a 128/192/256 bit key.
5322 # Authorization requires the following IAM permissions when sending a request
5323 # to perform a crypto transformation using a kms-wrapped crypto key:
5324 # dlp.kms.encrypt
5325 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5326 "wrappedKey": "A String", # Required. The wrapped data crypto key.
5327 },
5328 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5329 # leaking the key. Choose another type of key if possible.
5330 "key": "A String", # Required. A 128/192/256 bit key.
5331 },
5332 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
5333 # It will be discarded after the request finishes.
5334 "name": "A String", # Required. Name of the key.
5335 # This is an arbitrary string used to differentiate different keys.
5336 # A unique key is generated per name: two separate `TransientCryptoKey`
5337 # protos share the same generated key if their names are the same.
5338 # When the data crypto key is generated, this name is not used in any way
5339 # (repeating the api call will result in a different key being generated).
5340 },
5341 },
5342 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
5343 "commonAlphabet": "A String", # Common alphabets.
5344 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
5345 # that the FFX mode natively supports. This happens before/after
5346 # encryption/decryption.
5347 # Each character listed must appear only once.
5348 # Number of characters must be in the range [2, 95].
5349 # This must be encoded as ASCII.
5350 # The order of characters does not matter.
5351 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
5352 # identifier in two different contexts won't be given the same surrogate. If
5353 # the context is not set, a default tweak will be used.
5354 #
5355 # If the context is set but:
5356 #
5357 # 1. there is no record present when transforming a given value or
5358 # 1. the field is not present when transforming a given value,
5359 #
5360 # a default tweak will be used.
5361 #
5362 # Note that case (1) is expected when an `InfoTypeTransformation` is
5363 # applied to both structured and non-structured `ContentItem`s.
5364 # Currently, the referenced field may be of value type integer or string.
5365 #
5366 # The tweak is constructed as a sequence of bytes in big endian byte order
5367 # such that:
5368 #
5369 # - a 64 bit integer is encoded followed by a single byte of value 1
5370 # - a string is encoded in UTF-8 format followed by a single byte of value 2
5371 "name": "A String", # Name describing the field.
5372 },
5373 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
5374 # This annotation will be applied to the surrogate by prefixing it with
5375 # the name of the custom infoType followed by the number of
5376 # characters comprising the surrogate. The following scheme defines the
5377 # format: info_type_name(surrogate_character_count):surrogate
5378 #
5379 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
5380 # the surrogate is 'abc', the full replacement value
5381 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5382 #
5383 # This annotation identifies the surrogate when inspecting content using the
5384 # custom infoType
5385 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
5386 # This facilitates reversal of the surrogate when it occurs in free text.
5387 #
5388 # In order for inspection to work properly, the name of this infoType must
5389 # not occur naturally anywhere in your data; otherwise, inspection may
5390 # find a surrogate that does not correspond to an actual identifier.
5391 # Therefore, choose your custom infoType name carefully after considering
5392 # what your data looks like. One way to select a name that has a high chance
5393 # of yielding reliable detection is to include one or more unicode characters
5394 # that are highly improbable to exist in your data.
5395 # For example, assuming your data is entered from a regular ASCII keyboard,
5396 # the symbol with the hex code point 29DD might be used like so:
5397 # ⧝MY_TOKEN_TYPE
5398 "name": "A String", # Name of the information type. Either a name of your choosing when
5399 # creating a CustomInfoType, or one of the names listed
5400 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5401 # a built-in type. InfoType names should conform to the pattern
5402 # `[a-zA-Z0-9_]{1,64}`.
5403 },
5404 },
5405 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
5406 # replacement values are dynamically provided by the user for custom behavior,
5407 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
5408 # This can be used on
5409 # data of type: number, long, string, timestamp.
5410 # If the bound `Value` type differs from the type of data being transformed, we
5411 # will first attempt converting the type of the data to be transformed to match
5412 # the type of the bound before comparing.
5413 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
5414 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
5415 { # Bucket is represented as a range, along with replacement values.
5416 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
5417 # Note that for the purposes of inspection or transformation, the number
5418 # of bytes considered to comprise a 'Value' is based on its representation
5419 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5420 # 123456789, the number of bytes would be counted as 9, even though an
5421 # int64 only holds up to 8 bytes of data.
5422 "floatValue": 3.14, # float
5423 "timestampValue": "A String", # timestamp
5424 "dayOfWeekValue": "A String", # day of week
5425 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5426 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5427 # types are google.type.Date and `google.protobuf.Timestamp`.
5428 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5429 # to allow the value "24:00:00" for scenarios like business closing time.
5430 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5431 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5432 # allow the value 60 if it allows leap-seconds.
5433 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5434 },
5435 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5436 # and time zone are either specified elsewhere or are not significant. The date
5437 # is relative to the Proleptic Gregorian Calendar. This can represent:
5438 #
5439 # * A full date, with non-zero year, month and day values
5440 # * A month and day value, with a zero year, e.g. an anniversary
5441 # * A year on its own, with zero month and day values
5442 # * A year and month value, with a zero day, e.g. a credit card expiration date
5443 #
5444 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5445 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5446 # month and day.
5447 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5448 # if specifying a year by itself or a year and month where the day is not
5449 # significant.
5450 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5451 # a year.
5452 },
5453 "stringValue": "A String", # string
5454 "booleanValue": True or False, # boolean
5455 "integerValue": "A String", # integer
5456 },
5457 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
5458 # the default behavior will be to hyphenate the min-max range.
5459 # Note that for the purposes of inspection or transformation, the number
5460 # of bytes considered to comprise a 'Value' is based on its representation
5461 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5462 # 123456789, the number of bytes would be counted as 9, even though an
5463 # int64 only holds up to 8 bytes of data.
5464 "floatValue": 3.14, # float
5465 "timestampValue": "A String", # timestamp
5466 "dayOfWeekValue": "A String", # day of week
5467 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5468 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5469 # types are google.type.Date and `google.protobuf.Timestamp`.
5470 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5471 # to allow the value "24:00:00" for scenarios like business closing time.
5472 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5473 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5474 # allow the value 60 if it allows leap-seconds.
5475 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5476 },
5477 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5478 # and time zone are either specified elsewhere or are not significant. The date
5479 # is relative to the Proleptic Gregorian Calendar. This can represent:
5480 #
5481 # * A full date, with non-zero year, month and day values
5482 # * A month and day value, with a zero year, e.g. an anniversary
5483 # * A year on its own, with zero month and day values
5484 # * A year and month value, with a zero day, e.g. a credit card expiration date
5485 #
5486 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5487 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5488 # month and day.
5489 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5490 # if specifying a year by itself or a year and month where the day is not
5491 # significant.
5492 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5493 # a year.
5494 },
5495 "stringValue": "A String", # string
5496 "booleanValue": True or False, # boolean
5497 "integerValue": "A String", # integer
5498 },
5499 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
5500 # used.
5501 # Note that for the purposes of inspection or transformation, the number
5502 # of bytes considered to comprise a 'Value' is based on its representation
5503 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5504 # 123456789, the number of bytes would be counted as 9, even though an
5505 # int64 only holds up to 8 bytes of data.
5506 "floatValue": 3.14, # float
5507 "timestampValue": "A String", # timestamp
5508 "dayOfWeekValue": "A String", # day of week
5509 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5510 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5511 # types are google.type.Date and `google.protobuf.Timestamp`.
5512 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5513 # to allow the value "24:00:00" for scenarios like business closing time.
5514 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5515 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5516 # allow the value 60 if it allows leap-seconds.
5517 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5518 },
5519 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5520 # and time zone are either specified elsewhere or are not significant. The date
5521 # is relative to the Proleptic Gregorian Calendar. This can represent:
5522 #
5523 # * A full date, with non-zero year, month and day values
5524 # * A month and day value, with a zero year, e.g. an anniversary
5525 # * A year on its own, with zero month and day values
5526 # * A year and month value, with a zero day, e.g. a credit card expiration date
5527 #
5528 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5529 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5530 # month and day.
5531 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5532 # if specifying a year by itself or a year and month where the day is not
5533 # significant.
5534 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5535 # a year.
5536 },
5537 "stringValue": "A String", # string
5538 "booleanValue": True or False, # boolean
5539 "integerValue": "A String", # integer
5540 },
5541 },
5542 ],
5543 },
5544 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
5545 # Uses SHA-256.
5546 # The key size must be either 32 or 64 bytes.
5547 # Outputs a base64 encoded representation of the hashed output
5548 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
5549 # Currently, only string and integer values can be hashed.
5550 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
5551 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
5552 # a key encryption key (KEK) stored by KMS).
5553 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5554 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5555 # unwrap the data crypto key.
5556 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
5557 # The wrapped key must be a 128/192/256 bit key.
5558 # Authorization requires the following IAM permissions when sending a request
5559 # to perform a crypto transformation using a kms-wrapped crypto key:
5560 # dlp.kms.encrypt
5561 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5562 "wrappedKey": "A String", # Required. The wrapped data crypto key.
5563 },
5564 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
5565 # leaking the key. Choose another type of key if possible.
5566 "key": "A String", # Required. A 128/192/256 bit key.
5567 },
5568 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
5569 # It will be discarded after the request finishes.
5570 "name": "A String", # Required. Name of the key.
5571 # This is an arbitrary string used to differentiate different keys.
5572 # A unique key is generated per name: two separate `TransientCryptoKey`
5573 # protos share the same generated key if their names are the same.
5574 # When the data crypto key is generated, this name is not used in any way
5575 # (repeating the api call will result in a different key being generated).
5576 },
5577 },
5578 },
5579 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
5580 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
5581 # Note that for the purposes of inspection or transformation, the number
5582 # of bytes considered to comprise a 'Value' is based on its representation
5583 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5584 # 123456789, the number of bytes would be counted as 9, even though an
5585 # int64 only holds up to 8 bytes of data.
5586 "floatValue": 3.14, # float
5587 "timestampValue": "A String", # timestamp
5588 "dayOfWeekValue": "A String", # day of week
5589 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5590 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5591 # types are google.type.Date and `google.protobuf.Timestamp`.
5592 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5593 # to allow the value "24:00:00" for scenarios like business closing time.
5594 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5595 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5596 # allow the value 60 if it allows leap-seconds.
5597 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5598 },
5599 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5600 # and time zone are either specified elsewhere or are not significant. The date
5601 # is relative to the Proleptic Gregorian Calendar. This can represent:
5602 #
5603 # * A full date, with non-zero year, month and day values
5604 # * A month and day value, with a zero year, e.g. an anniversary
5605 # * A year on its own, with zero month and day values
5606 # * A year and month value, with a zero day, e.g. a credit card expiration date
5607 #
5608 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5609 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5610 # month and day.
5611 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5612 # if specifying a year by itself or a year and month where the day is not
5613 # significant.
5614 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5615 # a year.
5616 },
5617 "stringValue": "A String", # string
5618 "booleanValue": True or False, # boolean
5619 "integerValue": "A String", # integer
5620 },
5621 },
5622 },
5623 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
5624 # given `RecordCondition`. The conditions are allowed to reference fields
5625 # that are not used in the actual transformation.
5626 #
5627 # Example Use Cases:
5628 #
5629 # - Apply a different bucket transformation to an age column if the zip code
5630 # column for the same record is within a specific range.
5631 # - Redact a field if the date of birth field is greater than 85.
5632 # a field.
5633 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
5634 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
5635 "conditions": [ # A collection of conditions.
5636 { # The field type of `value` and `field` do not need to match to be
5637 # considered equal, but not all comparisons are possible.
5638 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
5639 # but all other comparisons are invalid with incompatible types.
5640 # A `value` of type:
5641 #
5642 # - `string` can be compared against all other types
5643 # - `boolean` can only be compared against other booleans
5644 # - `integer` can be compared against doubles or a string if the string value
5645 # can be parsed as an integer.
5646 # - `double` can be compared against integers or a string if the string can
5647 # be parsed as a double.
5648 # - `Timestamp` can be compared against strings in RFC 3339 date string
5649 # format.
5650 # - `TimeOfDay` can be compared against timestamps and strings in the format
5651 # of 'HH:mm:ss'.
5652 #
5653 # If we fail to compare do to type mismatch, a warning will be given and
5654 # the condition will evaluate to false.
5655 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
5656 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
5657 "name": "A String", # Name describing the field.
5658 },
5659 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
5660 # Note that for the purposes of inspection or transformation, the number
5661 # of bytes considered to comprise a 'Value' is based on its representation
5662 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5663 # 123456789, the number of bytes would be counted as 9, even though an
5664 # int64 only holds up to 8 bytes of data.
5665 "floatValue": 3.14, # float
5666 "timestampValue": "A String", # timestamp
5667 "dayOfWeekValue": "A String", # day of week
5668 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
5669 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5670 # types are google.type.Date and `google.protobuf.Timestamp`.
5671 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5672 # to allow the value "24:00:00" for scenarios like business closing time.
5673 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5674 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5675 # allow the value 60 if it allows leap-seconds.
5676 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5677 },
5678 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
5679 # and time zone are either specified elsewhere or are not significant. The date
5680 # is relative to the Proleptic Gregorian Calendar. This can represent:
5681 #
5682 # * A full date, with non-zero year, month and day values
5683 # * A month and day value, with a zero year, e.g. an anniversary
5684 # * A year on its own, with zero month and day values
5685 # * A year and month value, with a zero day, e.g. a credit card expiration date
5686 #
5687 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
5688 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5689 # month and day.
5690 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5691 # if specifying a year by itself or a year and month where the day is not
5692 # significant.
5693 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5694 # a year.
5695 },
5696 "stringValue": "A String", # string
5697 "booleanValue": True or False, # boolean
5698 "integerValue": "A String", # integer
5699 },
5700 },
5701 ],
5702 },
5703 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
5704 # only supported value is `AND`.
5705 },
5706 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5707 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
5708 # transform content that matches an `InfoType`.
5709 # apply various `PrimitiveTransformation`s to each finding, where the
5710 # transformation is applied to only values that were identified as a specific
5711 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5712 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
5713 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5714 { # A transformation to apply to text that is identified as a specific
5715 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5716 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
5717 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5718 # input. Outputs a base64 encoded representation of the encrypted output.
5719 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
5720 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
5721 # a key encryption key (KEK) stored by KMS).
5722 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5723 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5724 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5725 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5726 # The wrapped key must be a 128/192/256 bit key.
5727 # Authorization requires the following IAM permissions when sending a request
5728 # to perform a crypto transformation using a kms-wrapped crypto key:
5729 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5730 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5731 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5732 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5733 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5734 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5735 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5736 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5737 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5738 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5739 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5740 # This is an arbitrary string used to differentiate different keys.
5741 # A unique key is generated per name: two separate `TransientCryptoKey`
5742 # protos share the same generated key if their names are the same.
5743 # When the data crypto key is generated, this name is not used in any way
5744 # (repeating the api call will result in a different key being generated).
5745 },
5746 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5747 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5748 # referential integrity such that the same identifier in two different
5749 # contexts will be given a distinct surrogate. The context is appended to
5750 # plaintext value being encrypted. On decryption the provided context is
5751 # validated against the value used during encryption. If a context was
5752 # provided during encryption, same context must be provided during decryption
5753 # as well.
5754 #
5755 # If the context is not set, plaintext would be used as is for encryption.
5756 # If the context is set but:
5757 #
5758 # 1. there is no record present when transforming a given value or
5759 # 2. the field is not present when transforming a given value,
5760 #
5761 # plaintext would be used as is for encryption.
5762 #
5763 # Note that case (1) is expected when an `InfoTypeTransformation` is
5764 # applied to both structured and non-structured `ContentItem`s.
5765 "name": "A String", # Name describing the field.
5766 },
5767 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
5768 # This annotation will be applied to the surrogate by prefixing it with
5769 # the name of the custom info type followed by the number of
5770 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5771 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5772 #
5773 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
5774 # the surrogate is 'abc', the full replacement value
5775 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
5776 #
5777 # This annotation identifies the surrogate when inspecting content using the
5778 # custom info type 'Surrogate'. This facilitates reversal of the
5779 # surrogate when it occurs in free text.
5780 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5781 # Note: For record transformations where the entire cell in a table is being
5782 # transformed, surrogates are not mandatory. Surrogates are used to denote
5783 # the location of the token and are necessary for re-identification in free
5784 # form text.
5785 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5786 # In order for inspection to work properly, the name of this info type must
5787 # not occur naturally anywhere in your data; otherwise, inspection may either
5788 #
5789 # - reverse a surrogate that does not correspond to an actual identifier
5790 # - be unable to parse the surrogate and result in an error
5791 #
5792 # Therefore, choose your custom info type name carefully after considering
5793 # what your data looks like. One way to select a name that has a high chance
5794 # of yielding reliable detection is to include one or more unicode characters
5795 # that are highly improbable to exist in your data.
5796 # For example, assuming your data is entered from a regular ASCII keyboard,
5797 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5798 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5799 "name": "A String", # Name of the information type. Either a name of your choosing when
5800 # creating a CustomInfoType, or one of the names listed
5801 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
5802 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5803 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5804 },
5805 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5806 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
5807 # fixed character. Masking can start from the beginning or end of the string.
5808 # This can be used on data of any type (numbers, longs, and so on) and when
5809 # de-identifying structured data we'll attempt to preserve the original data's
5810 # type. (This allows you to take a long like 123 and modify it to a string like
5811 # **3.
5812 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
5813 # characters. For example, if the input string is `555-555-5555` and you
5814 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
5815 # returns `***-**5-5555`.
5816 { # Characters to skip when doing deidentification of a value. These will be left
5817 # alone and skipped.
5818 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
5819 # punctuation.
5820 "charactersToSkip": "A String", # Characters to not transform when masking.
5821 },
5822 ],
5823 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
5824 # masked. Skipped characters do not count towards this tally.
5825 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
5826 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
5827 # code or credit card number. This string must have a length of 1. If not
5828 # supplied, this value defaults to `*` for strings, and `0` for digits.
5829 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
5830 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
5831 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
5832 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
5833 # is `true`, then the string `12345` is masked as `12***`.
5834 },
5835 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
5836 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
5837 # output would be 'My phone number is '.
5838 },
5839 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
5840 },
5841 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5842 # Bucketing transformation can provide all of this functionality,
5843 # but requires more configuration. This message is provided as a convenience to
5844 # the user for simple bucketing strategies.
5845 #
5846 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5847 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5848 # all values that are within this bucket will be replaced with "10-20".
5849 #
5850 # This can be used on data of type: double, long.
5851 #
5852 # If the bound Value type differs from the type of data
5853 # being transformed, we will first attempt converting the type of the data to
5854 # be transformed to match the type of the bound before comparing.
5855 #
5856 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5857 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5858 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5859 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5860 # Note that for the purposes of inspection or transformation, the number
5861 # of bytes considered to comprise a 'Value' is based on its representation
5862 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5863 # 123456789, the number of bytes would be counted as 9, even though an
5864 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5865 "floatValue": 3.14, # float
5866 "timestampValue": "A String", # timestamp
5867 "dayOfWeekValue": "A String", # day of week
5868 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5869 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5870 # types are google.type.Date and `google.protobuf.Timestamp`.
5871 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5872 # to allow the value "24:00:00" for scenarios like business closing time.
5873 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5874 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5875 # allow the value 60 if it allows leap-seconds.
5876 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5877 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5878 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5879 # and time zone are either specified elsewhere or are not significant. The date
5880 # is relative to the Proleptic Gregorian Calendar. This can represent:
5881 #
5882 # * A full date, with non-zero year, month and day values
5883 # * A month and day value, with a zero year, e.g. an anniversary
5884 # * A year on its own, with zero month and day values
5885 # * A year and month value, with a zero day, e.g. a credit card expiration date
5886 #
5887 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5888 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5889 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5890 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5891 # if specifying a year by itself or a year and month where the day is not
5892 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5893 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5894 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5895 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5896 "stringValue": "A String", # string
5897 "booleanValue": True or False, # boolean
5898 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5899 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5900 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5901 # grouped together into a single bucket; for example if `upper_bound` = 89,
5902 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5903 # Note that for the purposes of inspection or transformation, the number
5904 # of bytes considered to comprise a 'Value' is based on its representation
5905 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
5906 # 123456789, the number of bytes would be counted as 9, even though an
5907 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5908 "floatValue": 3.14, # float
5909 "timestampValue": "A String", # timestamp
5910 "dayOfWeekValue": "A String", # day of week
5911 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5912 # or are specified elsewhere. An API may choose to allow leap seconds. Related
5913 # types are google.type.Date and `google.protobuf.Timestamp`.
5914 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
5915 # to allow the value "24:00:00" for scenarios like business closing time.
5916 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
5917 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
5918 # allow the value 60 if it allows leap-seconds.
5919 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
5920 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5921 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5922 # and time zone are either specified elsewhere or are not significant. The date
5923 # is relative to the Proleptic Gregorian Calendar. This can represent:
5924 #
5925 # * A full date, with non-zero year, month and day values
5926 # * A month and day value, with a zero year, e.g. an anniversary
5927 # * A year on its own, with zero month and day values
5928 # * A year and month value, with a zero day, e.g. a credit card expiration date
5929 #
5930 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5931 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
5932 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5933 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
5934 # if specifying a year by itself or a year and month where the day is not
5935 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5936 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
5937 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5938 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5939 "stringValue": "A String", # string
5940 "booleanValue": True or False, # boolean
5941 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5942 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5943 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5944 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
5945 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5946 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5947 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5948 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5949 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5950 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5951 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5952 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5953 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
5954 # to learn more.
5955 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5956 # results in the same shift for the same context and crypto_key. If
5957 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5958 # a key encryption key (KEK) stored by KMS).
5959 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
5960 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
5961 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5962 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5963 # The wrapped key must be a 128/192/256 bit key.
5964 # Authorization requires the following IAM permissions when sending a request
5965 # to perform a crypto transformation using a kms-wrapped crypto key:
5966 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5967 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
5968 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5969 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5970 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5971 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5972 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5973 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5974 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5975 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5976 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5977 # This is an arbitrary string used to differentiate different keys.
5978 # A unique key is generated per name: two separate `TransientCryptoKey`
5979 # protos share the same generated key if their names are the same.
5980 # When the data crypto key is generated, this name is not used in any way
5981 # (repeating the api call will result in a different key being generated).
5982 },
5983 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5984 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
5985 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5986 # range (inclusive ends). Negative means shift to earlier in time. Must not
5987 # be more than 365250 days (1000 years) each direction.
5988 #
5989 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5990 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5991 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5992 # given context.
5993 "name": "A String", # Name describing the field.
5994 },
5995 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]5996 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]5997 # (FPE) with the FFX mode of operation; however when used in the
5998 # `ReidentifyContent` API method, it serves the opposite function by reversing
5999 # the surrogate back into the original identifier. The identifier must be
6000 # encoded as ASCII. For a given crypto key and context, the same identifier
6001 # will be replaced with the same surrogate. Identifiers must be at least two
6002 # characters long. In the case that the identifier is the empty string, it will
6003 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
6004 # more.
6005 #
6006 # Note: We recommend using CryptoDeterministicConfig for all use cases which
6007 # do not require preserving the input alphabet space and size, plus warrant
6008 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6009 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6010 # a key encryption key (KEK) stored by KMS).
6011 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6012 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6013 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6014 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6015 # The wrapped key must be a 128/192/256 bit key.
6016 # Authorization requires the following IAM permissions when sending a request
6017 # to perform a crypto transformation using a kms-wrapped crypto key:
6018 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6019 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6020 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6021 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6022 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6023 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6024 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6025 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6026 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6027 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6028 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6029 # This is an arbitrary string used to differentiate different keys.
6030 # A unique key is generated per name: two separate `TransientCryptoKey`
6031 # protos share the same generated key if their names are the same.
6032 # When the data crypto key is generated, this name is not used in any way
6033 # (repeating the api call will result in a different key being generated).
6034 },
6035 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6036 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
6037 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6038 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
6039 # that the FFX mode natively supports. This happens before/after
6040 # encryption/decryption.
6041 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6042 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6043 # This must be encoded as ASCII.
6044 # The order of characters does not matter.
6045 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
6046 # identifier in two different contexts won't be given the same surrogate. If
6047 # the context is not set, a default tweak will be used.
6048 #
6049 # If the context is set but:
6050 #
6051 # 1. there is no record present when transforming a given value or
6052 # 1. the field is not present when transforming a given value,
6053 #
6054 # a default tweak will be used.
6055 #
6056 # Note that case (1) is expected when an `InfoTypeTransformation` is
6057 # applied to both structured and non-structured `ContentItem`s.
6058 # Currently, the referenced field may be of value type integer or string.
6059 #
6060 # The tweak is constructed as a sequence of bytes in big endian byte order
6061 # such that:
6062 #
6063 # - a 64 bit integer is encoded followed by a single byte of value 1
6064 # - a string is encoded in UTF-8 format followed by a single byte of value 2
6065 "name": "A String", # Name describing the field.
6066 },
6067 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
6068 # This annotation will be applied to the surrogate by prefixing it with
6069 # the name of the custom infoType followed by the number of
6070 # characters comprising the surrogate. The following scheme defines the
6071 # format: info_type_name(surrogate_character_count):surrogate
6072 #
6073 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
6074 # the surrogate is 'abc', the full replacement value
6075 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6076 #
6077 # This annotation identifies the surrogate when inspecting content using the
6078 # custom infoType
6079 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
6080 # This facilitates reversal of the surrogate when it occurs in free text.
6081 #
6082 # In order for inspection to work properly, the name of this infoType must
6083 # not occur naturally anywhere in your data; otherwise, inspection may
6084 # find a surrogate that does not correspond to an actual identifier.
6085 # Therefore, choose your custom infoType name carefully after considering
6086 # what your data looks like. One way to select a name that has a high chance
6087 # of yielding reliable detection is to include one or more unicode characters
6088 # that are highly improbable to exist in your data.
6089 # For example, assuming your data is entered from a regular ASCII keyboard,
6090 # the symbol with the hex code point 29DD might be used like so:
6091 # ⧝MY_TOKEN_TYPE
6092 "name": "A String", # Name of the information type. Either a name of your choosing when
6093 # creating a CustomInfoType, or one of the names listed
6094 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6095 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6096 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6097 },
6098 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6099 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
6100 # replacement values are dynamically provided by the user for custom behavior,
6101 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
6102 # This can be used on
6103 # data of type: number, long, string, timestamp.
6104 # If the bound `Value` type differs from the type of data being transformed, we
6105 # will first attempt converting the type of the data to be transformed to match
6106 # the type of the bound before comparing.
6107 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6108 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
6109 { # Bucket is represented as a range, along with replacement values.
6110 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
6111 # Note that for the purposes of inspection or transformation, the number
6112 # of bytes considered to comprise a 'Value' is based on its representation
6113 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6114 # 123456789, the number of bytes would be counted as 9, even though an
6115 # int64 only holds up to 8 bytes of data.
6116 "floatValue": 3.14, # float
6117 "timestampValue": "A String", # timestamp
6118 "dayOfWeekValue": "A String", # day of week
6119 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6120 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6121 # types are google.type.Date and `google.protobuf.Timestamp`.
6122 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6123 # to allow the value "24:00:00" for scenarios like business closing time.
6124 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6125 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6126 # allow the value 60 if it allows leap-seconds.
6127 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6128 },
6129 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6130 # and time zone are either specified elsewhere or are not significant. The date
6131 # is relative to the Proleptic Gregorian Calendar. This can represent:
6132 #
6133 # * A full date, with non-zero year, month and day values
6134 # * A month and day value, with a zero year, e.g. an anniversary
6135 # * A year on its own, with zero month and day values
6136 # * A year and month value, with a zero day, e.g. a credit card expiration date
6137 #
6138 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6139 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6140 # month and day.
6141 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6142 # if specifying a year by itself or a year and month where the day is not
6143 # significant.
6144 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6145 # a year.
6146 },
6147 "stringValue": "A String", # string
6148 "booleanValue": True or False, # boolean
6149 "integerValue": "A String", # integer
6150 },
6151 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
6152 # the default behavior will be to hyphenate the min-max range.
6153 # Note that for the purposes of inspection or transformation, the number
6154 # of bytes considered to comprise a 'Value' is based on its representation
6155 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6156 # 123456789, the number of bytes would be counted as 9, even though an
6157 # int64 only holds up to 8 bytes of data.
6158 "floatValue": 3.14, # float
6159 "timestampValue": "A String", # timestamp
6160 "dayOfWeekValue": "A String", # day of week
6161 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6162 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6163 # types are google.type.Date and `google.protobuf.Timestamp`.
6164 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6165 # to allow the value "24:00:00" for scenarios like business closing time.
6166 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6167 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6168 # allow the value 60 if it allows leap-seconds.
6169 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6170 },
6171 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6172 # and time zone are either specified elsewhere or are not significant. The date
6173 # is relative to the Proleptic Gregorian Calendar. This can represent:
6174 #
6175 # * A full date, with non-zero year, month and day values
6176 # * A month and day value, with a zero year, e.g. an anniversary
6177 # * A year on its own, with zero month and day values
6178 # * A year and month value, with a zero day, e.g. a credit card expiration date
6179 #
6180 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6181 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6182 # month and day.
6183 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6184 # if specifying a year by itself or a year and month where the day is not
6185 # significant.
6186 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6187 # a year.
6188 },
6189 "stringValue": "A String", # string
6190 "booleanValue": True or False, # boolean
6191 "integerValue": "A String", # integer
6192 },
6193 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
6194 # used.
6195 # Note that for the purposes of inspection or transformation, the number
6196 # of bytes considered to comprise a 'Value' is based on its representation
6197 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6198 # 123456789, the number of bytes would be counted as 9, even though an
6199 # int64 only holds up to 8 bytes of data.
6200 "floatValue": 3.14, # float
6201 "timestampValue": "A String", # timestamp
6202 "dayOfWeekValue": "A String", # day of week
6203 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6204 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6205 # types are google.type.Date and `google.protobuf.Timestamp`.
6206 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6207 # to allow the value "24:00:00" for scenarios like business closing time.
6208 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6209 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6210 # allow the value 60 if it allows leap-seconds.
6211 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6212 },
6213 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6214 # and time zone are either specified elsewhere or are not significant. The date
6215 # is relative to the Proleptic Gregorian Calendar. This can represent:
6216 #
6217 # * A full date, with non-zero year, month and day values
6218 # * A month and day value, with a zero year, e.g. an anniversary
6219 # * A year on its own, with zero month and day values
6220 # * A year and month value, with a zero day, e.g. a credit card expiration date
6221 #
6222 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6223 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6224 # month and day.
6225 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6226 # if specifying a year by itself or a year and month where the day is not
6227 # significant.
6228 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6229 # a year.
6230 },
6231 "stringValue": "A String", # string
6232 "booleanValue": True or False, # boolean
6233 "integerValue": "A String", # integer
6234 },
6235 },
6236 ],
6237 },
6238 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
6239 # Uses SHA-256.
6240 # The key size must be either 32 or 64 bytes.
6241 # Outputs a base64 encoded representation of the hashed output
6242 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
6243 # Currently, only string and integer values can be hashed.
6244 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
6245 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
6246 # a key encryption key (KEK) stored by KMS).
6247 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6248 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6249 # unwrap the data crypto key.
6250 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6251 # The wrapped key must be a 128/192/256 bit key.
6252 # Authorization requires the following IAM permissions when sending a request
6253 # to perform a crypto transformation using a kms-wrapped crypto key:
6254 # dlp.kms.encrypt
6255 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6256 "wrappedKey": "A String", # Required. The wrapped data crypto key.
6257 },
6258 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6259 # leaking the key. Choose another type of key if possible.
6260 "key": "A String", # Required. A 128/192/256 bit key.
6261 },
6262 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
6263 # It will be discarded after the request finishes.
6264 "name": "A String", # Required. Name of the key.
6265 # This is an arbitrary string used to differentiate different keys.
6266 # A unique key is generated per name: two separate `TransientCryptoKey`
6267 # protos share the same generated key if their names are the same.
6268 # When the data crypto key is generated, this name is not used in any way
6269 # (repeating the api call will result in a different key being generated).
6270 },
6271 },
6272 },
6273 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6274 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
6275 # Note that for the purposes of inspection or transformation, the number
6276 # of bytes considered to comprise a 'Value' is based on its representation
6277 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6278 # 123456789, the number of bytes would be counted as 9, even though an
6279 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6280 "floatValue": 3.14, # float
6281 "timestampValue": "A String", # timestamp
6282 "dayOfWeekValue": "A String", # day of week
6283 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6284 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6285 # types are google.type.Date and `google.protobuf.Timestamp`.
6286 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6287 # to allow the value "24:00:00" for scenarios like business closing time.
6288 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6289 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6290 # allow the value 60 if it allows leap-seconds.
6291 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6292 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6293 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6294 # and time zone are either specified elsewhere or are not significant. The date
6295 # is relative to the Proleptic Gregorian Calendar. This can represent:
6296 #
6297 # * A full date, with non-zero year, month and day values
6298 # * A month and day value, with a zero year, e.g. an anniversary
6299 # * A year on its own, with zero month and day values
6300 # * A year and month value, with a zero day, e.g. a credit card expiration date
6301 #
6302 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6303 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6304 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6305 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6306 # if specifying a year by itself or a year and month where the day is not
6307 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6308 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6309 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6310 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6311 "stringValue": "A String", # string
6312 "booleanValue": True or False, # boolean
6313 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6314 },
6315 },
6316 },
6317 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
6318 # this transformation to apply to all findings that correspond to
6319 # infoTypes that were requested in `InspectConfig`.
6320 { # Type of information detected by the API.
6321 "name": "A String", # Name of the information type. Either a name of your choosing when
6322 # creating a CustomInfoType, or one of the names listed
6323 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6324 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6325 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6326 },
6327 ],
6328 },
6329 ],
6330 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6331 },
6332 ],
6333 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6334 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
6335 # mode is `TransformationErrorHandling.ThrowError`.
6336 # transformation error occurs when the requested transformation is incompatible
6337 # with the data. For example, trying to de-identify an IP address using a
6338 # `DateShift` transformation would result in a transformation error, since date
6339 # info cannot be extracted from an IP address.
6340 # Information about any incompatible transformations, and how they were
6341 # handled, is returned in the response as part of the
6342 # `TransformationOverviews`.
6343 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
6344 },
6345 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
6346 # cause an error. For example, if a `DateShift` transformation were applied
6347 # an an IP address, this mode would leave the IP address unchanged in the
6348 # response.
6349 },
6350 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6351 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6352 "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
6353 "name": "A String", # Output only. The template name.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6354 #
6355 # The template will have one of the following formats:
6356 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
6357 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
6358 }</pre>
6359</div>
6360
6361<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6362 <code class="details" id="list">list(parent, orderBy=None, pageSize=None, locationId=None, pageToken=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6363 <pre>Lists DeidentifyTemplates.
6364See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
6365more.
6366
6367Args:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6368 parent: string, Required. The parent resource name, for example projects/my-project-id or
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6369organizations/my-org-id. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6370 orderBy: string, Comma separated list of fields to order by,
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6371followed by `asc` or `desc` postfix. This list is case-insensitive,
6372default sorting order is ascending, redundant space characters are
6373insignificant.
6374
6375Example: `name asc,update_time, create_time desc`
6376
6377Supported fields are:
6378
6379- `create_time`: corresponds to time the template was created.
6380- `update_time`: corresponds to time the template was last updated.
6381- `name`: corresponds to template's name.
6382- `display_name`: corresponds to template's display name.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6383 pageSize: integer, Size of the page, can be limited by server. If zero server returns
6384a page of max size 100.
6385 locationId: string, The geographic location where deidentifications templates will be retrieved
6386from. Use `-` for all locations. Reserved for future extensions.
6387 pageToken: string, Page token to continue retrieval. Comes from previous call
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6388to `ListDeidentifyTemplates`.
6389 x__xgafv: string, V1 error format.
6390 Allowed values
6391 1 - v1 error format
6392 2 - v2 error format
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6393
6394Returns:
6395 An object of the form:
6396
6397 { # Response message for ListDeidentifyTemplates.
6398 "nextPageToken": "A String", # If the next page is available then the next page token to be used
6399 # in following ListDeidentifyTemplates request.
6400 "deidentifyTemplates": [ # List of deidentify templates, up to page_size in
6401 # ListDeidentifyTemplatesRequest.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6402 { # DeidentifyTemplates contains instructions on how to de-identify content.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6403 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6404 "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6405 "displayName": "A String", # Display name (max 256 chars).
6406 "description": "A String", # Short description (max 256 chars).
6407 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
6408 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
6409 # transformation everywhere.
6410 # apply various `PrimitiveTransformation`s to each finding, where the
6411 # transformation is applied to only values that were identified as a specific
6412 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6413 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
6414 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6415 { # A transformation to apply to text that is identified as a specific
6416 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6417 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
6418 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6419 # input. Outputs a base64 encoded representation of the encrypted output.
6420 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
6421 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
6422 # a key encryption key (KEK) stored by KMS).
6423 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6424 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6425 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6426 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6427 # The wrapped key must be a 128/192/256 bit key.
6428 # Authorization requires the following IAM permissions when sending a request
6429 # to perform a crypto transformation using a kms-wrapped crypto key:
6430 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6431 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6432 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6433 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6434 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6435 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6436 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6437 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6438 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6439 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6440 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6441 # This is an arbitrary string used to differentiate different keys.
6442 # A unique key is generated per name: two separate `TransientCryptoKey`
6443 # protos share the same generated key if their names are the same.
6444 # When the data crypto key is generated, this name is not used in any way
6445 # (repeating the api call will result in a different key being generated).
6446 },
6447 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6448 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6449 # referential integrity such that the same identifier in two different
6450 # contexts will be given a distinct surrogate. The context is appended to
6451 # plaintext value being encrypted. On decryption the provided context is
6452 # validated against the value used during encryption. If a context was
6453 # provided during encryption, same context must be provided during decryption
6454 # as well.
6455 #
6456 # If the context is not set, plaintext would be used as is for encryption.
6457 # If the context is set but:
6458 #
6459 # 1. there is no record present when transforming a given value or
6460 # 2. the field is not present when transforming a given value,
6461 #
6462 # plaintext would be used as is for encryption.
6463 #
6464 # Note that case (1) is expected when an `InfoTypeTransformation` is
6465 # applied to both structured and non-structured `ContentItem`s.
6466 "name": "A String", # Name describing the field.
6467 },
6468 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
6469 # This annotation will be applied to the surrogate by prefixing it with
6470 # the name of the custom info type followed by the number of
6471 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6472 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6473 #
6474 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
6475 # the surrogate is 'abc', the full replacement value
6476 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6477 #
6478 # This annotation identifies the surrogate when inspecting content using the
6479 # custom info type 'Surrogate'. This facilitates reversal of the
6480 # surrogate when it occurs in free text.
6481 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6482 # Note: For record transformations where the entire cell in a table is being
6483 # transformed, surrogates are not mandatory. Surrogates are used to denote
6484 # the location of the token and are necessary for re-identification in free
6485 # form text.
6486 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6487 # In order for inspection to work properly, the name of this info type must
6488 # not occur naturally anywhere in your data; otherwise, inspection may either
6489 #
6490 # - reverse a surrogate that does not correspond to an actual identifier
6491 # - be unable to parse the surrogate and result in an error
6492 #
6493 # Therefore, choose your custom info type name carefully after considering
6494 # what your data looks like. One way to select a name that has a high chance
6495 # of yielding reliable detection is to include one or more unicode characters
6496 # that are highly improbable to exist in your data.
6497 # For example, assuming your data is entered from a regular ASCII keyboard,
6498 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6499 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6500 "name": "A String", # Name of the information type. Either a name of your choosing when
6501 # creating a CustomInfoType, or one of the names listed
6502 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6503 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6504 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6505 },
6506 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6507 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
6508 # fixed character. Masking can start from the beginning or end of the string.
6509 # This can be used on data of any type (numbers, longs, and so on) and when
6510 # de-identifying structured data we'll attempt to preserve the original data's
6511 # type. (This allows you to take a long like 123 and modify it to a string like
6512 # **3.
6513 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
6514 # characters. For example, if the input string is `555-555-5555` and you
6515 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
6516 # returns `***-**5-5555`.
6517 { # Characters to skip when doing deidentification of a value. These will be left
6518 # alone and skipped.
6519 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
6520 # punctuation.
6521 "charactersToSkip": "A String", # Characters to not transform when masking.
6522 },
6523 ],
6524 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
6525 # masked. Skipped characters do not count towards this tally.
6526 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
6527 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
6528 # code or credit card number. This string must have a length of 1. If not
6529 # supplied, this value defaults to `*` for strings, and `0` for digits.
6530 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
6531 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
6532 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
6533 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
6534 # is `true`, then the string `12345` is masked as `12***`.
6535 },
6536 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
6537 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
6538 # output would be 'My phone number is '.
6539 },
6540 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
6541 },
6542 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6543 # Bucketing transformation can provide all of this functionality,
6544 # but requires more configuration. This message is provided as a convenience to
6545 # the user for simple bucketing strategies.
6546 #
6547 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6548 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6549 # all values that are within this bucket will be replaced with "10-20".
6550 #
6551 # This can be used on data of type: double, long.
6552 #
6553 # If the bound Value type differs from the type of data
6554 # being transformed, we will first attempt converting the type of the data to
6555 # be transformed to match the type of the bound before comparing.
6556 #
6557 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6558 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6559 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6560 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6561 # Note that for the purposes of inspection or transformation, the number
6562 # of bytes considered to comprise a 'Value' is based on its representation
6563 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6564 # 123456789, the number of bytes would be counted as 9, even though an
6565 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6566 "floatValue": 3.14, # float
6567 "timestampValue": "A String", # timestamp
6568 "dayOfWeekValue": "A String", # day of week
6569 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6570 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6571 # types are google.type.Date and `google.protobuf.Timestamp`.
6572 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6573 # to allow the value "24:00:00" for scenarios like business closing time.
6574 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6575 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6576 # allow the value 60 if it allows leap-seconds.
6577 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6578 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6579 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6580 # and time zone are either specified elsewhere or are not significant. The date
6581 # is relative to the Proleptic Gregorian Calendar. This can represent:
6582 #
6583 # * A full date, with non-zero year, month and day values
6584 # * A month and day value, with a zero year, e.g. an anniversary
6585 # * A year on its own, with zero month and day values
6586 # * A year and month value, with a zero day, e.g. a credit card expiration date
6587 #
6588 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6589 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6590 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6591 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6592 # if specifying a year by itself or a year and month where the day is not
6593 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6594 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6595 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6596 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6597 "stringValue": "A String", # string
6598 "booleanValue": True or False, # boolean
6599 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6600 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6601 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6602 # grouped together into a single bucket; for example if `upper_bound` = 89,
6603 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6604 # Note that for the purposes of inspection or transformation, the number
6605 # of bytes considered to comprise a 'Value' is based on its representation
6606 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6607 # 123456789, the number of bytes would be counted as 9, even though an
6608 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6609 "floatValue": 3.14, # float
6610 "timestampValue": "A String", # timestamp
6611 "dayOfWeekValue": "A String", # day of week
6612 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6613 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6614 # types are google.type.Date and `google.protobuf.Timestamp`.
6615 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6616 # to allow the value "24:00:00" for scenarios like business closing time.
6617 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6618 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6619 # allow the value 60 if it allows leap-seconds.
6620 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6621 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6622 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6623 # and time zone are either specified elsewhere or are not significant. The date
6624 # is relative to the Proleptic Gregorian Calendar. This can represent:
6625 #
6626 # * A full date, with non-zero year, month and day values
6627 # * A month and day value, with a zero year, e.g. an anniversary
6628 # * A year on its own, with zero month and day values
6629 # * A year and month value, with a zero day, e.g. a credit card expiration date
6630 #
6631 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6632 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6633 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6634 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6635 # if specifying a year by itself or a year and month where the day is not
6636 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6637 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6638 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6639 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6640 "stringValue": "A String", # string
6641 "booleanValue": True or False, # boolean
6642 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6643 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6644 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6645 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
6646 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6647 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6648 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6649 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6650 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6651 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6652 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6653 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6654 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
6655 # to learn more.
6656 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6657 # results in the same shift for the same context and crypto_key. If
6658 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6659 # a key encryption key (KEK) stored by KMS).
6660 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6661 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6662 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6663 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6664 # The wrapped key must be a 128/192/256 bit key.
6665 # Authorization requires the following IAM permissions when sending a request
6666 # to perform a crypto transformation using a kms-wrapped crypto key:
6667 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6668 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6669 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6670 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6671 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6672 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6673 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6674 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6675 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6676 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6677 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6678 # This is an arbitrary string used to differentiate different keys.
6679 # A unique key is generated per name: two separate `TransientCryptoKey`
6680 # protos share the same generated key if their names are the same.
6681 # When the data crypto key is generated, this name is not used in any way
6682 # (repeating the api call will result in a different key being generated).
6683 },
6684 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6685 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
6686 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6687 # range (inclusive ends). Negative means shift to earlier in time. Must not
6688 # be more than 365250 days (1000 years) each direction.
6689 #
6690 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6691 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6692 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6693 # given context.
6694 "name": "A String", # Name describing the field.
6695 },
6696 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6697 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6698 # (FPE) with the FFX mode of operation; however when used in the
6699 # `ReidentifyContent` API method, it serves the opposite function by reversing
6700 # the surrogate back into the original identifier. The identifier must be
6701 # encoded as ASCII. For a given crypto key and context, the same identifier
6702 # will be replaced with the same surrogate. Identifiers must be at least two
6703 # characters long. In the case that the identifier is the empty string, it will
6704 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
6705 # more.
6706 #
6707 # Note: We recommend using CryptoDeterministicConfig for all use cases which
6708 # do not require preserving the input alphabet space and size, plus warrant
6709 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6710 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6711 # a key encryption key (KEK) stored by KMS).
6712 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6713 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6714 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6715 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6716 # The wrapped key must be a 128/192/256 bit key.
6717 # Authorization requires the following IAM permissions when sending a request
6718 # to perform a crypto transformation using a kms-wrapped crypto key:
6719 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6720 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6721 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6722 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6723 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6724 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6725 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6726 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6727 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6728 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6729 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6730 # This is an arbitrary string used to differentiate different keys.
6731 # A unique key is generated per name: two separate `TransientCryptoKey`
6732 # protos share the same generated key if their names are the same.
6733 # When the data crypto key is generated, this name is not used in any way
6734 # (repeating the api call will result in a different key being generated).
6735 },
6736 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6737 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
6738 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6739 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
6740 # that the FFX mode natively supports. This happens before/after
6741 # encryption/decryption.
6742 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6743 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6744 # This must be encoded as ASCII.
6745 # The order of characters does not matter.
6746 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
6747 # identifier in two different contexts won't be given the same surrogate. If
6748 # the context is not set, a default tweak will be used.
6749 #
6750 # If the context is set but:
6751 #
6752 # 1. there is no record present when transforming a given value or
6753 # 1. the field is not present when transforming a given value,
6754 #
6755 # a default tweak will be used.
6756 #
6757 # Note that case (1) is expected when an `InfoTypeTransformation` is
6758 # applied to both structured and non-structured `ContentItem`s.
6759 # Currently, the referenced field may be of value type integer or string.
6760 #
6761 # The tweak is constructed as a sequence of bytes in big endian byte order
6762 # such that:
6763 #
6764 # - a 64 bit integer is encoded followed by a single byte of value 1
6765 # - a string is encoded in UTF-8 format followed by a single byte of value 2
6766 "name": "A String", # Name describing the field.
6767 },
6768 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
6769 # This annotation will be applied to the surrogate by prefixing it with
6770 # the name of the custom infoType followed by the number of
6771 # characters comprising the surrogate. The following scheme defines the
6772 # format: info_type_name(surrogate_character_count):surrogate
6773 #
6774 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
6775 # the surrogate is 'abc', the full replacement value
6776 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
6777 #
6778 # This annotation identifies the surrogate when inspecting content using the
6779 # custom infoType
6780 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
6781 # This facilitates reversal of the surrogate when it occurs in free text.
6782 #
6783 # In order for inspection to work properly, the name of this infoType must
6784 # not occur naturally anywhere in your data; otherwise, inspection may
6785 # find a surrogate that does not correspond to an actual identifier.
6786 # Therefore, choose your custom infoType name carefully after considering
6787 # what your data looks like. One way to select a name that has a high chance
6788 # of yielding reliable detection is to include one or more unicode characters
6789 # that are highly improbable to exist in your data.
6790 # For example, assuming your data is entered from a regular ASCII keyboard,
6791 # the symbol with the hex code point 29DD might be used like so:
6792 # ⧝MY_TOKEN_TYPE
6793 "name": "A String", # Name of the information type. Either a name of your choosing when
6794 # creating a CustomInfoType, or one of the names listed
6795 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
6796 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6797 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6798 },
6799 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6800 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
6801 # replacement values are dynamically provided by the user for custom behavior,
6802 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
6803 # This can be used on
6804 # data of type: number, long, string, timestamp.
6805 # If the bound `Value` type differs from the type of data being transformed, we
6806 # will first attempt converting the type of the data to be transformed to match
6807 # the type of the bound before comparing.
6808 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
6809 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
6810 { # Bucket is represented as a range, along with replacement values.
6811 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
6812 # Note that for the purposes of inspection or transformation, the number
6813 # of bytes considered to comprise a 'Value' is based on its representation
6814 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6815 # 123456789, the number of bytes would be counted as 9, even though an
6816 # int64 only holds up to 8 bytes of data.
6817 "floatValue": 3.14, # float
6818 "timestampValue": "A String", # timestamp
6819 "dayOfWeekValue": "A String", # day of week
6820 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6821 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6822 # types are google.type.Date and `google.protobuf.Timestamp`.
6823 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6824 # to allow the value "24:00:00" for scenarios like business closing time.
6825 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6826 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6827 # allow the value 60 if it allows leap-seconds.
6828 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6829 },
6830 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6831 # and time zone are either specified elsewhere or are not significant. The date
6832 # is relative to the Proleptic Gregorian Calendar. This can represent:
6833 #
6834 # * A full date, with non-zero year, month and day values
6835 # * A month and day value, with a zero year, e.g. an anniversary
6836 # * A year on its own, with zero month and day values
6837 # * A year and month value, with a zero day, e.g. a credit card expiration date
6838 #
6839 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6840 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6841 # month and day.
6842 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6843 # if specifying a year by itself or a year and month where the day is not
6844 # significant.
6845 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6846 # a year.
6847 },
6848 "stringValue": "A String", # string
6849 "booleanValue": True or False, # boolean
6850 "integerValue": "A String", # integer
6851 },
6852 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
6853 # the default behavior will be to hyphenate the min-max range.
6854 # Note that for the purposes of inspection or transformation, the number
6855 # of bytes considered to comprise a 'Value' is based on its representation
6856 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6857 # 123456789, the number of bytes would be counted as 9, even though an
6858 # int64 only holds up to 8 bytes of data.
6859 "floatValue": 3.14, # float
6860 "timestampValue": "A String", # timestamp
6861 "dayOfWeekValue": "A String", # day of week
6862 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6863 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6864 # types are google.type.Date and `google.protobuf.Timestamp`.
6865 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6866 # to allow the value "24:00:00" for scenarios like business closing time.
6867 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6868 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6869 # allow the value 60 if it allows leap-seconds.
6870 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6871 },
6872 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6873 # and time zone are either specified elsewhere or are not significant. The date
6874 # is relative to the Proleptic Gregorian Calendar. This can represent:
6875 #
6876 # * A full date, with non-zero year, month and day values
6877 # * A month and day value, with a zero year, e.g. an anniversary
6878 # * A year on its own, with zero month and day values
6879 # * A year and month value, with a zero day, e.g. a credit card expiration date
6880 #
6881 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6882 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6883 # month and day.
6884 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6885 # if specifying a year by itself or a year and month where the day is not
6886 # significant.
6887 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6888 # a year.
6889 },
6890 "stringValue": "A String", # string
6891 "booleanValue": True or False, # boolean
6892 "integerValue": "A String", # integer
6893 },
6894 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
6895 # used.
6896 # Note that for the purposes of inspection or transformation, the number
6897 # of bytes considered to comprise a 'Value' is based on its representation
6898 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6899 # 123456789, the number of bytes would be counted as 9, even though an
6900 # int64 only holds up to 8 bytes of data.
6901 "floatValue": 3.14, # float
6902 "timestampValue": "A String", # timestamp
6903 "dayOfWeekValue": "A String", # day of week
6904 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
6905 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6906 # types are google.type.Date and `google.protobuf.Timestamp`.
6907 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6908 # to allow the value "24:00:00" for scenarios like business closing time.
6909 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6910 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6911 # allow the value 60 if it allows leap-seconds.
6912 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6913 },
6914 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
6915 # and time zone are either specified elsewhere or are not significant. The date
6916 # is relative to the Proleptic Gregorian Calendar. This can represent:
6917 #
6918 # * A full date, with non-zero year, month and day values
6919 # * A month and day value, with a zero year, e.g. an anniversary
6920 # * A year on its own, with zero month and day values
6921 # * A year and month value, with a zero day, e.g. a credit card expiration date
6922 #
6923 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
6924 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
6925 # month and day.
6926 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
6927 # if specifying a year by itself or a year and month where the day is not
6928 # significant.
6929 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
6930 # a year.
6931 },
6932 "stringValue": "A String", # string
6933 "booleanValue": True or False, # boolean
6934 "integerValue": "A String", # integer
6935 },
6936 },
6937 ],
6938 },
6939 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
6940 # Uses SHA-256.
6941 # The key size must be either 32 or 64 bytes.
6942 # Outputs a base64 encoded representation of the hashed output
6943 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
6944 # Currently, only string and integer values can be hashed.
6945 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
6946 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
6947 # a key encryption key (KEK) stored by KMS).
6948 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
6949 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
6950 # unwrap the data crypto key.
6951 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
6952 # The wrapped key must be a 128/192/256 bit key.
6953 # Authorization requires the following IAM permissions when sending a request
6954 # to perform a crypto transformation using a kms-wrapped crypto key:
6955 # dlp.kms.encrypt
6956 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
6957 "wrappedKey": "A String", # Required. The wrapped data crypto key.
6958 },
6959 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
6960 # leaking the key. Choose another type of key if possible.
6961 "key": "A String", # Required. A 128/192/256 bit key.
6962 },
6963 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
6964 # It will be discarded after the request finishes.
6965 "name": "A String", # Required. Name of the key.
6966 # This is an arbitrary string used to differentiate different keys.
6967 # A unique key is generated per name: two separate `TransientCryptoKey`
6968 # protos share the same generated key if their names are the same.
6969 # When the data crypto key is generated, this name is not used in any way
6970 # (repeating the api call will result in a different key being generated).
6971 },
6972 },
6973 },
6974 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6975 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
6976 # Note that for the purposes of inspection or transformation, the number
6977 # of bytes considered to comprise a 'Value' is based on its representation
6978 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
6979 # 123456789, the number of bytes would be counted as 9, even though an
6980 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6981 "floatValue": 3.14, # float
6982 "timestampValue": "A String", # timestamp
6983 "dayOfWeekValue": "A String", # day of week
6984 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6985 # or are specified elsewhere. An API may choose to allow leap seconds. Related
6986 # types are google.type.Date and `google.protobuf.Timestamp`.
6987 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
6988 # to allow the value "24:00:00" for scenarios like business closing time.
6989 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
6990 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
6991 # allow the value 60 if it allows leap-seconds.
6992 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
6993 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]6994 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]6995 # and time zone are either specified elsewhere or are not significant. The date
6996 # is relative to the Proleptic Gregorian Calendar. This can represent:
6997 #
6998 # * A full date, with non-zero year, month and day values
6999 # * A month and day value, with a zero year, e.g. an anniversary
7000 # * A year on its own, with zero month and day values
7001 # * A year and month value, with a zero day, e.g. a credit card expiration date
7002 #
7003 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7004 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7005 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7006 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7007 # if specifying a year by itself or a year and month where the day is not
7008 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7009 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7010 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7011 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7012 "stringValue": "A String", # string
7013 "booleanValue": True or False, # boolean
7014 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7015 },
7016 },
7017 },
7018 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
7019 # this transformation to apply to all findings that correspond to
7020 # infoTypes that were requested in `InspectConfig`.
7021 { # Type of information detected by the API.
7022 "name": "A String", # Name of the information type. Either a name of your choosing when
7023 # creating a CustomInfoType, or one of the names listed
7024 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7025 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7026 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7027 },
7028 ],
7029 },
7030 ],
7031 },
7032 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
7033 # specific locations within structured datasets, such as transforming
7034 # a column within a table.
7035 # table.
7036 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7037 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7038 { # Configuration to suppress records whose suppression conditions evaluate to
7039 # true.
7040 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
7041 # evaluated to be suppressed from the transformed content.
7042 # a field.
7043 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7044 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
7045 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7046 { # The field type of `value` and `field` do not need to match to be
7047 # considered equal, but not all comparisons are possible.
7048 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
7049 # but all other comparisons are invalid with incompatible types.
7050 # A `value` of type:
7051 #
7052 # - `string` can be compared against all other types
7053 # - `boolean` can only be compared against other booleans
7054 # - `integer` can be compared against doubles or a string if the string value
7055 # can be parsed as an integer.
7056 # - `double` can be compared against integers or a string if the string can
7057 # be parsed as a double.
7058 # - `Timestamp` can be compared against strings in RFC 3339 date string
7059 # format.
7060 # - `TimeOfDay` can be compared against timestamps and strings in the format
7061 # of 'HH:mm:ss'.
7062 #
7063 # If we fail to compare do to type mismatch, a warning will be given and
7064 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7065 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
7066 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7067 "name": "A String", # Name describing the field.
7068 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7069 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7070 # Note that for the purposes of inspection or transformation, the number
7071 # of bytes considered to comprise a 'Value' is based on its representation
7072 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7073 # 123456789, the number of bytes would be counted as 9, even though an
7074 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7075 "floatValue": 3.14, # float
7076 "timestampValue": "A String", # timestamp
7077 "dayOfWeekValue": "A String", # day of week
7078 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7079 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7080 # types are google.type.Date and `google.protobuf.Timestamp`.
7081 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7082 # to allow the value "24:00:00" for scenarios like business closing time.
7083 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7084 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7085 # allow the value 60 if it allows leap-seconds.
7086 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7087 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7088 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7089 # and time zone are either specified elsewhere or are not significant. The date
7090 # is relative to the Proleptic Gregorian Calendar. This can represent:
7091 #
7092 # * A full date, with non-zero year, month and day values
7093 # * A month and day value, with a zero year, e.g. an anniversary
7094 # * A year on its own, with zero month and day values
7095 # * A year and month value, with a zero day, e.g. a credit card expiration date
7096 #
7097 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7098 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7099 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7100 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7101 # if specifying a year by itself or a year and month where the day is not
7102 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7103 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7104 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7105 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7106 "stringValue": "A String", # string
7107 "booleanValue": True or False, # boolean
7108 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7109 },
7110 },
7111 ],
7112 },
7113 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
7114 # only supported value is `AND`.
7115 },
7116 },
7117 },
7118 ],
7119 "fieldTransformations": [ # Transform the record by applying various field transformations.
7120 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7121 "fields": [ # Required. Input field(s) to apply the transformation to.
7122 { # General identifier of a data field in a storage service.
7123 "name": "A String", # Name describing the field.
7124 },
7125 ],
7126 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
7127 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
7128 # input. Outputs a base64 encoded representation of the encrypted output.
7129 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
7130 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
7131 # a key encryption key (KEK) stored by KMS).
7132 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7133 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7134 # unwrap the data crypto key.
7135 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7136 # The wrapped key must be a 128/192/256 bit key.
7137 # Authorization requires the following IAM permissions when sending a request
7138 # to perform a crypto transformation using a kms-wrapped crypto key:
7139 # dlp.kms.encrypt
7140 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7141 "wrappedKey": "A String", # Required. The wrapped data crypto key.
7142 },
7143 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7144 # leaking the key. Choose another type of key if possible.
7145 "key": "A String", # Required. A 128/192/256 bit key.
7146 },
7147 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
7148 # It will be discarded after the request finishes.
7149 "name": "A String", # Required. Name of the key.
7150 # This is an arbitrary string used to differentiate different keys.
7151 # A unique key is generated per name: two separate `TransientCryptoKey`
7152 # protos share the same generated key if their names are the same.
7153 # When the data crypto key is generated, this name is not used in any way
7154 # (repeating the api call will result in a different key being generated).
7155 },
7156 },
7157 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
7158 # referential integrity such that the same identifier in two different
7159 # contexts will be given a distinct surrogate. The context is appended to
7160 # plaintext value being encrypted. On decryption the provided context is
7161 # validated against the value used during encryption. If a context was
7162 # provided during encryption, same context must be provided during decryption
7163 # as well.
7164 #
7165 # If the context is not set, plaintext would be used as is for encryption.
7166 # If the context is set but:
7167 #
7168 # 1. there is no record present when transforming a given value or
7169 # 2. the field is not present when transforming a given value,
7170 #
7171 # plaintext would be used as is for encryption.
7172 #
7173 # Note that case (1) is expected when an `InfoTypeTransformation` is
7174 # applied to both structured and non-structured `ContentItem`s.
7175 "name": "A String", # Name describing the field.
7176 },
7177 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
7178 # This annotation will be applied to the surrogate by prefixing it with
7179 # the name of the custom info type followed by the number of
7180 # characters comprising the surrogate. The following scheme defines the
7181 # format: {info type name}({surrogate character count}):{surrogate}
7182 #
7183 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
7184 # the surrogate is 'abc', the full replacement value
7185 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7186 #
7187 # This annotation identifies the surrogate when inspecting content using the
7188 # custom info type 'Surrogate'. This facilitates reversal of the
7189 # surrogate when it occurs in free text.
7190 #
7191 # Note: For record transformations where the entire cell in a table is being
7192 # transformed, surrogates are not mandatory. Surrogates are used to denote
7193 # the location of the token and are necessary for re-identification in free
7194 # form text.
7195 #
7196 # In order for inspection to work properly, the name of this info type must
7197 # not occur naturally anywhere in your data; otherwise, inspection may either
7198 #
7199 # - reverse a surrogate that does not correspond to an actual identifier
7200 # - be unable to parse the surrogate and result in an error
7201 #
7202 # Therefore, choose your custom info type name carefully after considering
7203 # what your data looks like. One way to select a name that has a high chance
7204 # of yielding reliable detection is to include one or more unicode characters
7205 # that are highly improbable to exist in your data.
7206 # For example, assuming your data is entered from a regular ASCII keyboard,
7207 # the symbol with the hex code point 29DD might be used like so:
7208 # ⧝MY_TOKEN_TYPE.
7209 "name": "A String", # Name of the information type. Either a name of your choosing when
7210 # creating a CustomInfoType, or one of the names listed
7211 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7212 # a built-in type. InfoType names should conform to the pattern
7213 # `[a-zA-Z0-9_]{1,64}`.
7214 },
7215 },
7216 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
7217 # fixed character. Masking can start from the beginning or end of the string.
7218 # This can be used on data of any type (numbers, longs, and so on) and when
7219 # de-identifying structured data we'll attempt to preserve the original data's
7220 # type. (This allows you to take a long like 123 and modify it to a string like
7221 # **3.
7222 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
7223 # characters. For example, if the input string is `555-555-5555` and you
7224 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
7225 # returns `***-**5-5555`.
7226 { # Characters to skip when doing deidentification of a value. These will be left
7227 # alone and skipped.
7228 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
7229 # punctuation.
7230 "charactersToSkip": "A String", # Characters to not transform when masking.
7231 },
7232 ],
7233 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
7234 # masked. Skipped characters do not count towards this tally.
7235 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
7236 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
7237 # code or credit card number. This string must have a length of 1. If not
7238 # supplied, this value defaults to `*` for strings, and `0` for digits.
7239 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
7240 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
7241 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
7242 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
7243 # is `true`, then the string `12345` is masked as `12***`.
7244 },
7245 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
7246 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
7247 # output would be 'My phone number is '.
7248 },
7249 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
7250 },
7251 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
7252 # Bucketing transformation can provide all of this functionality,
7253 # but requires more configuration. This message is provided as a convenience to
7254 # the user for simple bucketing strategies.
7255 #
7256 # The transformed value will be a hyphenated string of
7257 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
7258 # all values that are within this bucket will be replaced with "10-20".
7259 #
7260 # This can be used on data of type: double, long.
7261 #
7262 # If the bound Value type differs from the type of data
7263 # being transformed, we will first attempt converting the type of the data to
7264 # be transformed to match the type of the bound before comparing.
7265 #
7266 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7267 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
7268 # grouped together into a single bucket; for example if `lower_bound` = 10,
7269 # then all values less than 10 are replaced with the value “-10”.
7270 # Note that for the purposes of inspection or transformation, the number
7271 # of bytes considered to comprise a 'Value' is based on its representation
7272 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7273 # 123456789, the number of bytes would be counted as 9, even though an
7274 # int64 only holds up to 8 bytes of data.
7275 "floatValue": 3.14, # float
7276 "timestampValue": "A String", # timestamp
7277 "dayOfWeekValue": "A String", # day of week
7278 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7279 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7280 # types are google.type.Date and `google.protobuf.Timestamp`.
7281 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7282 # to allow the value "24:00:00" for scenarios like business closing time.
7283 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7284 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7285 # allow the value 60 if it allows leap-seconds.
7286 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7287 },
7288 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7289 # and time zone are either specified elsewhere or are not significant. The date
7290 # is relative to the Proleptic Gregorian Calendar. This can represent:
7291 #
7292 # * A full date, with non-zero year, month and day values
7293 # * A month and day value, with a zero year, e.g. an anniversary
7294 # * A year on its own, with zero month and day values
7295 # * A year and month value, with a zero day, e.g. a credit card expiration date
7296 #
7297 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7298 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7299 # month and day.
7300 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7301 # if specifying a year by itself or a year and month where the day is not
7302 # significant.
7303 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7304 # a year.
7305 },
7306 "stringValue": "A String", # string
7307 "booleanValue": True or False, # boolean
7308 "integerValue": "A String", # integer
7309 },
7310 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
7311 # grouped together into a single bucket; for example if `upper_bound` = 89,
7312 # then all values greater than 89 are replaced with the value “89+”.
7313 # Note that for the purposes of inspection or transformation, the number
7314 # of bytes considered to comprise a 'Value' is based on its representation
7315 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7316 # 123456789, the number of bytes would be counted as 9, even though an
7317 # int64 only holds up to 8 bytes of data.
7318 "floatValue": 3.14, # float
7319 "timestampValue": "A String", # timestamp
7320 "dayOfWeekValue": "A String", # day of week
7321 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7322 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7323 # types are google.type.Date and `google.protobuf.Timestamp`.
7324 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7325 # to allow the value "24:00:00" for scenarios like business closing time.
7326 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7327 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7328 # allow the value 60 if it allows leap-seconds.
7329 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7330 },
7331 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7332 # and time zone are either specified elsewhere or are not significant. The date
7333 # is relative to the Proleptic Gregorian Calendar. This can represent:
7334 #
7335 # * A full date, with non-zero year, month and day values
7336 # * A month and day value, with a zero year, e.g. an anniversary
7337 # * A year on its own, with zero month and day values
7338 # * A year and month value, with a zero day, e.g. a credit card expiration date
7339 #
7340 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7341 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7342 # month and day.
7343 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7344 # if specifying a year by itself or a year and month where the day is not
7345 # significant.
7346 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7347 # a year.
7348 },
7349 "stringValue": "A String", # string
7350 "booleanValue": True or False, # boolean
7351 "integerValue": "A String", # integer
7352 },
7353 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
7354 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
7355 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
7356 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
7357 },
7358 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
7359 # portion of the value.
7360 "partToExtract": "A String", # The part of the time to keep.
7361 },
7362 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
7363 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
7364 # to learn more.
7365 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
7366 # results in the same shift for the same context and crypto_key. If
7367 # set, must also set context. Can only be applied to table items.
7368 # a key encryption key (KEK) stored by KMS).
7369 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7370 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7371 # unwrap the data crypto key.
7372 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7373 # The wrapped key must be a 128/192/256 bit key.
7374 # Authorization requires the following IAM permissions when sending a request
7375 # to perform a crypto transformation using a kms-wrapped crypto key:
7376 # dlp.kms.encrypt
7377 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7378 "wrappedKey": "A String", # Required. The wrapped data crypto key.
7379 },
7380 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7381 # leaking the key. Choose another type of key if possible.
7382 "key": "A String", # Required. A 128/192/256 bit key.
7383 },
7384 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
7385 # It will be discarded after the request finishes.
7386 "name": "A String", # Required. Name of the key.
7387 # This is an arbitrary string used to differentiate different keys.
7388 # A unique key is generated per name: two separate `TransientCryptoKey`
7389 # protos share the same generated key if their names are the same.
7390 # When the data crypto key is generated, this name is not used in any way
7391 # (repeating the api call will result in a different key being generated).
7392 },
7393 },
7394 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
7395 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
7396 # range (inclusive ends). Negative means shift to earlier in time. Must not
7397 # be more than 365250 days (1000 years) each direction.
7398 #
7399 # For example, 3 means shift date to at most 3 days into the future.
7400 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
7401 # If set, must also set cryptoKey. If set, shift will be consistent for the
7402 # given context.
7403 "name": "A String", # Name describing the field.
7404 },
7405 },
7406 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
7407 # (FPE) with the FFX mode of operation; however when used in the
7408 # `ReidentifyContent` API method, it serves the opposite function by reversing
7409 # the surrogate back into the original identifier. The identifier must be
7410 # encoded as ASCII. For a given crypto key and context, the same identifier
7411 # will be replaced with the same surrogate. Identifiers must be at least two
7412 # characters long. In the case that the identifier is the empty string, it will
7413 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
7414 # more.
7415 #
7416 # Note: We recommend using CryptoDeterministicConfig for all use cases which
7417 # do not require preserving the input alphabet space and size, plus warrant
7418 # referential integrity.
7419 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
7420 # a key encryption key (KEK) stored by KMS).
7421 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7422 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7423 # unwrap the data crypto key.
7424 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7425 # The wrapped key must be a 128/192/256 bit key.
7426 # Authorization requires the following IAM permissions when sending a request
7427 # to perform a crypto transformation using a kms-wrapped crypto key:
7428 # dlp.kms.encrypt
7429 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7430 "wrappedKey": "A String", # Required. The wrapped data crypto key.
7431 },
7432 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7433 # leaking the key. Choose another type of key if possible.
7434 "key": "A String", # Required. A 128/192/256 bit key.
7435 },
7436 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
7437 # It will be discarded after the request finishes.
7438 "name": "A String", # Required. Name of the key.
7439 # This is an arbitrary string used to differentiate different keys.
7440 # A unique key is generated per name: two separate `TransientCryptoKey`
7441 # protos share the same generated key if their names are the same.
7442 # When the data crypto key is generated, this name is not used in any way
7443 # (repeating the api call will result in a different key being generated).
7444 },
7445 },
7446 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
7447 "commonAlphabet": "A String", # Common alphabets.
7448 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
7449 # that the FFX mode natively supports. This happens before/after
7450 # encryption/decryption.
7451 # Each character listed must appear only once.
7452 # Number of characters must be in the range [2, 95].
7453 # This must be encoded as ASCII.
7454 # The order of characters does not matter.
7455 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
7456 # identifier in two different contexts won't be given the same surrogate. If
7457 # the context is not set, a default tweak will be used.
7458 #
7459 # If the context is set but:
7460 #
7461 # 1. there is no record present when transforming a given value or
7462 # 1. the field is not present when transforming a given value,
7463 #
7464 # a default tweak will be used.
7465 #
7466 # Note that case (1) is expected when an `InfoTypeTransformation` is
7467 # applied to both structured and non-structured `ContentItem`s.
7468 # Currently, the referenced field may be of value type integer or string.
7469 #
7470 # The tweak is constructed as a sequence of bytes in big endian byte order
7471 # such that:
7472 #
7473 # - a 64 bit integer is encoded followed by a single byte of value 1
7474 # - a string is encoded in UTF-8 format followed by a single byte of value 2
7475 "name": "A String", # Name describing the field.
7476 },
7477 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
7478 # This annotation will be applied to the surrogate by prefixing it with
7479 # the name of the custom infoType followed by the number of
7480 # characters comprising the surrogate. The following scheme defines the
7481 # format: info_type_name(surrogate_character_count):surrogate
7482 #
7483 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
7484 # the surrogate is 'abc', the full replacement value
7485 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7486 #
7487 # This annotation identifies the surrogate when inspecting content using the
7488 # custom infoType
7489 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
7490 # This facilitates reversal of the surrogate when it occurs in free text.
7491 #
7492 # In order for inspection to work properly, the name of this infoType must
7493 # not occur naturally anywhere in your data; otherwise, inspection may
7494 # find a surrogate that does not correspond to an actual identifier.
7495 # Therefore, choose your custom infoType name carefully after considering
7496 # what your data looks like. One way to select a name that has a high chance
7497 # of yielding reliable detection is to include one or more unicode characters
7498 # that are highly improbable to exist in your data.
7499 # For example, assuming your data is entered from a regular ASCII keyboard,
7500 # the symbol with the hex code point 29DD might be used like so:
7501 # ⧝MY_TOKEN_TYPE
7502 "name": "A String", # Name of the information type. Either a name of your choosing when
7503 # creating a CustomInfoType, or one of the names listed
7504 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7505 # a built-in type. InfoType names should conform to the pattern
7506 # `[a-zA-Z0-9_]{1,64}`.
7507 },
7508 },
7509 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
7510 # replacement values are dynamically provided by the user for custom behavior,
7511 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
7512 # This can be used on
7513 # data of type: number, long, string, timestamp.
7514 # If the bound `Value` type differs from the type of data being transformed, we
7515 # will first attempt converting the type of the data to be transformed to match
7516 # the type of the bound before comparing.
7517 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
7518 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
7519 { # Bucket is represented as a range, along with replacement values.
7520 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
7521 # Note that for the purposes of inspection or transformation, the number
7522 # of bytes considered to comprise a 'Value' is based on its representation
7523 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7524 # 123456789, the number of bytes would be counted as 9, even though an
7525 # int64 only holds up to 8 bytes of data.
7526 "floatValue": 3.14, # float
7527 "timestampValue": "A String", # timestamp
7528 "dayOfWeekValue": "A String", # day of week
7529 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7530 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7531 # types are google.type.Date and `google.protobuf.Timestamp`.
7532 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7533 # to allow the value "24:00:00" for scenarios like business closing time.
7534 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7535 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7536 # allow the value 60 if it allows leap-seconds.
7537 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7538 },
7539 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7540 # and time zone are either specified elsewhere or are not significant. The date
7541 # is relative to the Proleptic Gregorian Calendar. This can represent:
7542 #
7543 # * A full date, with non-zero year, month and day values
7544 # * A month and day value, with a zero year, e.g. an anniversary
7545 # * A year on its own, with zero month and day values
7546 # * A year and month value, with a zero day, e.g. a credit card expiration date
7547 #
7548 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7549 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7550 # month and day.
7551 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7552 # if specifying a year by itself or a year and month where the day is not
7553 # significant.
7554 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7555 # a year.
7556 },
7557 "stringValue": "A String", # string
7558 "booleanValue": True or False, # boolean
7559 "integerValue": "A String", # integer
7560 },
7561 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
7562 # the default behavior will be to hyphenate the min-max range.
7563 # Note that for the purposes of inspection or transformation, the number
7564 # of bytes considered to comprise a 'Value' is based on its representation
7565 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7566 # 123456789, the number of bytes would be counted as 9, even though an
7567 # int64 only holds up to 8 bytes of data.
7568 "floatValue": 3.14, # float
7569 "timestampValue": "A String", # timestamp
7570 "dayOfWeekValue": "A String", # day of week
7571 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7572 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7573 # types are google.type.Date and `google.protobuf.Timestamp`.
7574 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7575 # to allow the value "24:00:00" for scenarios like business closing time.
7576 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7577 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7578 # allow the value 60 if it allows leap-seconds.
7579 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7580 },
7581 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7582 # and time zone are either specified elsewhere or are not significant. The date
7583 # is relative to the Proleptic Gregorian Calendar. This can represent:
7584 #
7585 # * A full date, with non-zero year, month and day values
7586 # * A month and day value, with a zero year, e.g. an anniversary
7587 # * A year on its own, with zero month and day values
7588 # * A year and month value, with a zero day, e.g. a credit card expiration date
7589 #
7590 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7591 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7592 # month and day.
7593 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7594 # if specifying a year by itself or a year and month where the day is not
7595 # significant.
7596 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7597 # a year.
7598 },
7599 "stringValue": "A String", # string
7600 "booleanValue": True or False, # boolean
7601 "integerValue": "A String", # integer
7602 },
7603 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
7604 # used.
7605 # Note that for the purposes of inspection or transformation, the number
7606 # of bytes considered to comprise a 'Value' is based on its representation
7607 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7608 # 123456789, the number of bytes would be counted as 9, even though an
7609 # int64 only holds up to 8 bytes of data.
7610 "floatValue": 3.14, # float
7611 "timestampValue": "A String", # timestamp
7612 "dayOfWeekValue": "A String", # day of week
7613 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7614 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7615 # types are google.type.Date and `google.protobuf.Timestamp`.
7616 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7617 # to allow the value "24:00:00" for scenarios like business closing time.
7618 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7619 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7620 # allow the value 60 if it allows leap-seconds.
7621 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7622 },
7623 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7624 # and time zone are either specified elsewhere or are not significant. The date
7625 # is relative to the Proleptic Gregorian Calendar. This can represent:
7626 #
7627 # * A full date, with non-zero year, month and day values
7628 # * A month and day value, with a zero year, e.g. an anniversary
7629 # * A year on its own, with zero month and day values
7630 # * A year and month value, with a zero day, e.g. a credit card expiration date
7631 #
7632 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7633 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7634 # month and day.
7635 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7636 # if specifying a year by itself or a year and month where the day is not
7637 # significant.
7638 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7639 # a year.
7640 },
7641 "stringValue": "A String", # string
7642 "booleanValue": True or False, # boolean
7643 "integerValue": "A String", # integer
7644 },
7645 },
7646 ],
7647 },
7648 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
7649 # Uses SHA-256.
7650 # The key size must be either 32 or 64 bytes.
7651 # Outputs a base64 encoded representation of the hashed output
7652 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
7653 # Currently, only string and integer values can be hashed.
7654 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
7655 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
7656 # a key encryption key (KEK) stored by KMS).
7657 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7658 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7659 # unwrap the data crypto key.
7660 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
7661 # The wrapped key must be a 128/192/256 bit key.
7662 # Authorization requires the following IAM permissions when sending a request
7663 # to perform a crypto transformation using a kms-wrapped crypto key:
7664 # dlp.kms.encrypt
7665 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7666 "wrappedKey": "A String", # Required. The wrapped data crypto key.
7667 },
7668 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
7669 # leaking the key. Choose another type of key if possible.
7670 "key": "A String", # Required. A 128/192/256 bit key.
7671 },
7672 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
7673 # It will be discarded after the request finishes.
7674 "name": "A String", # Required. Name of the key.
7675 # This is an arbitrary string used to differentiate different keys.
7676 # A unique key is generated per name: two separate `TransientCryptoKey`
7677 # protos share the same generated key if their names are the same.
7678 # When the data crypto key is generated, this name is not used in any way
7679 # (repeating the api call will result in a different key being generated).
7680 },
7681 },
7682 },
7683 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
7684 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
7685 # Note that for the purposes of inspection or transformation, the number
7686 # of bytes considered to comprise a 'Value' is based on its representation
7687 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7688 # 123456789, the number of bytes would be counted as 9, even though an
7689 # int64 only holds up to 8 bytes of data.
7690 "floatValue": 3.14, # float
7691 "timestampValue": "A String", # timestamp
7692 "dayOfWeekValue": "A String", # day of week
7693 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7694 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7695 # types are google.type.Date and `google.protobuf.Timestamp`.
7696 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7697 # to allow the value "24:00:00" for scenarios like business closing time.
7698 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7699 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7700 # allow the value 60 if it allows leap-seconds.
7701 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7702 },
7703 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7704 # and time zone are either specified elsewhere or are not significant. The date
7705 # is relative to the Proleptic Gregorian Calendar. This can represent:
7706 #
7707 # * A full date, with non-zero year, month and day values
7708 # * A month and day value, with a zero year, e.g. an anniversary
7709 # * A year on its own, with zero month and day values
7710 # * A year and month value, with a zero day, e.g. a credit card expiration date
7711 #
7712 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7713 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7714 # month and day.
7715 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7716 # if specifying a year by itself or a year and month where the day is not
7717 # significant.
7718 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7719 # a year.
7720 },
7721 "stringValue": "A String", # string
7722 "booleanValue": True or False, # boolean
7723 "integerValue": "A String", # integer
7724 },
7725 },
7726 },
7727 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
7728 # given `RecordCondition`. The conditions are allowed to reference fields
7729 # that are not used in the actual transformation.
7730 #
7731 # Example Use Cases:
7732 #
7733 # - Apply a different bucket transformation to an age column if the zip code
7734 # column for the same record is within a specific range.
7735 # - Redact a field if the date of birth field is greater than 85.
7736 # a field.
7737 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
7738 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
7739 "conditions": [ # A collection of conditions.
7740 { # The field type of `value` and `field` do not need to match to be
7741 # considered equal, but not all comparisons are possible.
7742 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
7743 # but all other comparisons are invalid with incompatible types.
7744 # A `value` of type:
7745 #
7746 # - `string` can be compared against all other types
7747 # - `boolean` can only be compared against other booleans
7748 # - `integer` can be compared against doubles or a string if the string value
7749 # can be parsed as an integer.
7750 # - `double` can be compared against integers or a string if the string can
7751 # be parsed as a double.
7752 # - `Timestamp` can be compared against strings in RFC 3339 date string
7753 # format.
7754 # - `TimeOfDay` can be compared against timestamps and strings in the format
7755 # of 'HH:mm:ss'.
7756 #
7757 # If we fail to compare do to type mismatch, a warning will be given and
7758 # the condition will evaluate to false.
7759 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
7760 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
7761 "name": "A String", # Name describing the field.
7762 },
7763 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
7764 # Note that for the purposes of inspection or transformation, the number
7765 # of bytes considered to comprise a 'Value' is based on its representation
7766 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7767 # 123456789, the number of bytes would be counted as 9, even though an
7768 # int64 only holds up to 8 bytes of data.
7769 "floatValue": 3.14, # float
7770 "timestampValue": "A String", # timestamp
7771 "dayOfWeekValue": "A String", # day of week
7772 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
7773 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7774 # types are google.type.Date and `google.protobuf.Timestamp`.
7775 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7776 # to allow the value "24:00:00" for scenarios like business closing time.
7777 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7778 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7779 # allow the value 60 if it allows leap-seconds.
7780 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7781 },
7782 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
7783 # and time zone are either specified elsewhere or are not significant. The date
7784 # is relative to the Proleptic Gregorian Calendar. This can represent:
7785 #
7786 # * A full date, with non-zero year, month and day values
7787 # * A month and day value, with a zero year, e.g. an anniversary
7788 # * A year on its own, with zero month and day values
7789 # * A year and month value, with a zero day, e.g. a credit card expiration date
7790 #
7791 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
7792 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7793 # month and day.
7794 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7795 # if specifying a year by itself or a year and month where the day is not
7796 # significant.
7797 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7798 # a year.
7799 },
7800 "stringValue": "A String", # string
7801 "booleanValue": True or False, # boolean
7802 "integerValue": "A String", # integer
7803 },
7804 },
7805 ],
7806 },
7807 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
7808 # only supported value is `AND`.
7809 },
7810 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7811 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
7812 # transform content that matches an `InfoType`.
7813 # apply various `PrimitiveTransformation`s to each finding, where the
7814 # transformation is applied to only values that were identified as a specific
7815 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7816 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
7817 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7818 { # A transformation to apply to text that is identified as a specific
7819 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7820 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
7821 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7822 # input. Outputs a base64 encoded representation of the encrypted output.
7823 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
7824 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
7825 # a key encryption key (KEK) stored by KMS).
7826 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
7827 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
7828 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7829 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7830 # The wrapped key must be a 128/192/256 bit key.
7831 # Authorization requires the following IAM permissions when sending a request
7832 # to perform a crypto transformation using a kms-wrapped crypto key:
7833 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7834 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
7835 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7836 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7837 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7838 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7839 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7840 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7841 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7842 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7843 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7844 # This is an arbitrary string used to differentiate different keys.
7845 # A unique key is generated per name: two separate `TransientCryptoKey`
7846 # protos share the same generated key if their names are the same.
7847 # When the data crypto key is generated, this name is not used in any way
7848 # (repeating the api call will result in a different key being generated).
7849 },
7850 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7851 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7852 # referential integrity such that the same identifier in two different
7853 # contexts will be given a distinct surrogate. The context is appended to
7854 # plaintext value being encrypted. On decryption the provided context is
7855 # validated against the value used during encryption. If a context was
7856 # provided during encryption, same context must be provided during decryption
7857 # as well.
7858 #
7859 # If the context is not set, plaintext would be used as is for encryption.
7860 # If the context is set but:
7861 #
7862 # 1. there is no record present when transforming a given value or
7863 # 2. the field is not present when transforming a given value,
7864 #
7865 # plaintext would be used as is for encryption.
7866 #
7867 # Note that case (1) is expected when an `InfoTypeTransformation` is
7868 # applied to both structured and non-structured `ContentItem`s.
7869 "name": "A String", # Name describing the field.
7870 },
7871 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
7872 # This annotation will be applied to the surrogate by prefixing it with
7873 # the name of the custom info type followed by the number of
7874 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7875 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7876 #
7877 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
7878 # the surrogate is 'abc', the full replacement value
7879 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
7880 #
7881 # This annotation identifies the surrogate when inspecting content using the
7882 # custom info type 'Surrogate'. This facilitates reversal of the
7883 # surrogate when it occurs in free text.
7884 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7885 # Note: For record transformations where the entire cell in a table is being
7886 # transformed, surrogates are not mandatory. Surrogates are used to denote
7887 # the location of the token and are necessary for re-identification in free
7888 # form text.
7889 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7890 # In order for inspection to work properly, the name of this info type must
7891 # not occur naturally anywhere in your data; otherwise, inspection may either
7892 #
7893 # - reverse a surrogate that does not correspond to an actual identifier
7894 # - be unable to parse the surrogate and result in an error
7895 #
7896 # Therefore, choose your custom info type name carefully after considering
7897 # what your data looks like. One way to select a name that has a high chance
7898 # of yielding reliable detection is to include one or more unicode characters
7899 # that are highly improbable to exist in your data.
7900 # For example, assuming your data is entered from a regular ASCII keyboard,
7901 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7902 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7903 "name": "A String", # Name of the information type. Either a name of your choosing when
7904 # creating a CustomInfoType, or one of the names listed
7905 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
7906 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7907 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7908 },
7909 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7910 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
7911 # fixed character. Masking can start from the beginning or end of the string.
7912 # This can be used on data of any type (numbers, longs, and so on) and when
7913 # de-identifying structured data we'll attempt to preserve the original data's
7914 # type. (This allows you to take a long like 123 and modify it to a string like
7915 # **3.
7916 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
7917 # characters. For example, if the input string is `555-555-5555` and you
7918 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
7919 # returns `***-**5-5555`.
7920 { # Characters to skip when doing deidentification of a value. These will be left
7921 # alone and skipped.
7922 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
7923 # punctuation.
7924 "charactersToSkip": "A String", # Characters to not transform when masking.
7925 },
7926 ],
7927 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
7928 # masked. Skipped characters do not count towards this tally.
7929 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
7930 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
7931 # code or credit card number. This string must have a length of 1. If not
7932 # supplied, this value defaults to `*` for strings, and `0` for digits.
7933 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
7934 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
7935 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
7936 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
7937 # is `true`, then the string `12345` is masked as `12***`.
7938 },
7939 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
7940 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
7941 # output would be 'My phone number is '.
7942 },
7943 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
7944 },
7945 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7946 # Bucketing transformation can provide all of this functionality,
7947 # but requires more configuration. This message is provided as a convenience to
7948 # the user for simple bucketing strategies.
7949 #
7950 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7951 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7952 # all values that are within this bucket will be replaced with "10-20".
7953 #
7954 # This can be used on data of type: double, long.
7955 #
7956 # If the bound Value type differs from the type of data
7957 # being transformed, we will first attempt converting the type of the data to
7958 # be transformed to match the type of the bound before comparing.
7959 #
7960 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7961 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7962 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7963 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7964 # Note that for the purposes of inspection or transformation, the number
7965 # of bytes considered to comprise a 'Value' is based on its representation
7966 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
7967 # 123456789, the number of bytes would be counted as 9, even though an
7968 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7969 "floatValue": 3.14, # float
7970 "timestampValue": "A String", # timestamp
7971 "dayOfWeekValue": "A String", # day of week
7972 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7973 # or are specified elsewhere. An API may choose to allow leap seconds. Related
7974 # types are google.type.Date and `google.protobuf.Timestamp`.
7975 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
7976 # to allow the value "24:00:00" for scenarios like business closing time.
7977 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
7978 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
7979 # allow the value 60 if it allows leap-seconds.
7980 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
7981 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7982 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7983 # and time zone are either specified elsewhere or are not significant. The date
7984 # is relative to the Proleptic Gregorian Calendar. This can represent:
7985 #
7986 # * A full date, with non-zero year, month and day values
7987 # * A month and day value, with a zero year, e.g. an anniversary
7988 # * A year on its own, with zero month and day values
7989 # * A year and month value, with a zero day, e.g. a credit card expiration date
7990 #
7991 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7992 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
7993 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7994 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
7995 # if specifying a year by itself or a year and month where the day is not
7996 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]7997 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
7998 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]7999 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8000 "stringValue": "A String", # string
8001 "booleanValue": True or False, # boolean
8002 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8003 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8004 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8005 # grouped together into a single bucket; for example if `upper_bound` = 89,
8006 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8007 # Note that for the purposes of inspection or transformation, the number
8008 # of bytes considered to comprise a 'Value' is based on its representation
8009 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8010 # 123456789, the number of bytes would be counted as 9, even though an
8011 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8012 "floatValue": 3.14, # float
8013 "timestampValue": "A String", # timestamp
8014 "dayOfWeekValue": "A String", # day of week
8015 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8016 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8017 # types are google.type.Date and `google.protobuf.Timestamp`.
8018 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8019 # to allow the value "24:00:00" for scenarios like business closing time.
8020 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8021 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8022 # allow the value 60 if it allows leap-seconds.
8023 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8024 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8025 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8026 # and time zone are either specified elsewhere or are not significant. The date
8027 # is relative to the Proleptic Gregorian Calendar. This can represent:
8028 #
8029 # * A full date, with non-zero year, month and day values
8030 # * A month and day value, with a zero year, e.g. an anniversary
8031 # * A year on its own, with zero month and day values
8032 # * A year and month value, with a zero day, e.g. a credit card expiration date
8033 #
8034 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8035 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8036 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8037 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8038 # if specifying a year by itself or a year and month where the day is not
8039 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8040 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8041 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8042 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8043 "stringValue": "A String", # string
8044 "booleanValue": True or False, # boolean
8045 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8046 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8047 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8048 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
8049 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8050 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8051 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8052 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8053 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8054 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8055 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8056 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8057 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
8058 # to learn more.
8059 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8060 # results in the same shift for the same context and crypto_key. If
8061 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8062 # a key encryption key (KEK) stored by KMS).
8063 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8064 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8065 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8066 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8067 # The wrapped key must be a 128/192/256 bit key.
8068 # Authorization requires the following IAM permissions when sending a request
8069 # to perform a crypto transformation using a kms-wrapped crypto key:
8070 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8071 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8072 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8073 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8074 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8075 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8076 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8077 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8078 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8079 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8080 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8081 # This is an arbitrary string used to differentiate different keys.
8082 # A unique key is generated per name: two separate `TransientCryptoKey`
8083 # protos share the same generated key if their names are the same.
8084 # When the data crypto key is generated, this name is not used in any way
8085 # (repeating the api call will result in a different key being generated).
8086 },
8087 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8088 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
8089 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8090 # range (inclusive ends). Negative means shift to earlier in time. Must not
8091 # be more than 365250 days (1000 years) each direction.
8092 #
8093 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8094 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8095 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8096 # given context.
8097 "name": "A String", # Name describing the field.
8098 },
8099 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8100 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8101 # (FPE) with the FFX mode of operation; however when used in the
8102 # `ReidentifyContent` API method, it serves the opposite function by reversing
8103 # the surrogate back into the original identifier. The identifier must be
8104 # encoded as ASCII. For a given crypto key and context, the same identifier
8105 # will be replaced with the same surrogate. Identifiers must be at least two
8106 # characters long. In the case that the identifier is the empty string, it will
8107 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8108 # more.
8109 #
8110 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8111 # do not require preserving the input alphabet space and size, plus warrant
8112 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8113 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8114 # a key encryption key (KEK) stored by KMS).
8115 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8116 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8117 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8118 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8119 # The wrapped key must be a 128/192/256 bit key.
8120 # Authorization requires the following IAM permissions when sending a request
8121 # to perform a crypto transformation using a kms-wrapped crypto key:
8122 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8123 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8124 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8125 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8126 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8127 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8128 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8129 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8130 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8131 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8132 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8133 # This is an arbitrary string used to differentiate different keys.
8134 # A unique key is generated per name: two separate `TransientCryptoKey`
8135 # protos share the same generated key if their names are the same.
8136 # When the data crypto key is generated, this name is not used in any way
8137 # (repeating the api call will result in a different key being generated).
8138 },
8139 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8140 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
8141 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8142 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
8143 # that the FFX mode natively supports. This happens before/after
8144 # encryption/decryption.
8145 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8146 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8147 # This must be encoded as ASCII.
8148 # The order of characters does not matter.
8149 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
8150 # identifier in two different contexts won't be given the same surrogate. If
8151 # the context is not set, a default tweak will be used.
8152 #
8153 # If the context is set but:
8154 #
8155 # 1. there is no record present when transforming a given value or
8156 # 1. the field is not present when transforming a given value,
8157 #
8158 # a default tweak will be used.
8159 #
8160 # Note that case (1) is expected when an `InfoTypeTransformation` is
8161 # applied to both structured and non-structured `ContentItem`s.
8162 # Currently, the referenced field may be of value type integer or string.
8163 #
8164 # The tweak is constructed as a sequence of bytes in big endian byte order
8165 # such that:
8166 #
8167 # - a 64 bit integer is encoded followed by a single byte of value 1
8168 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8169 "name": "A String", # Name describing the field.
8170 },
8171 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
8172 # This annotation will be applied to the surrogate by prefixing it with
8173 # the name of the custom infoType followed by the number of
8174 # characters comprising the surrogate. The following scheme defines the
8175 # format: info_type_name(surrogate_character_count):surrogate
8176 #
8177 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
8178 # the surrogate is 'abc', the full replacement value
8179 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8180 #
8181 # This annotation identifies the surrogate when inspecting content using the
8182 # custom infoType
8183 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
8184 # This facilitates reversal of the surrogate when it occurs in free text.
8185 #
8186 # In order for inspection to work properly, the name of this infoType must
8187 # not occur naturally anywhere in your data; otherwise, inspection may
8188 # find a surrogate that does not correspond to an actual identifier.
8189 # Therefore, choose your custom infoType name carefully after considering
8190 # what your data looks like. One way to select a name that has a high chance
8191 # of yielding reliable detection is to include one or more unicode characters
8192 # that are highly improbable to exist in your data.
8193 # For example, assuming your data is entered from a regular ASCII keyboard,
8194 # the symbol with the hex code point 29DD might be used like so:
8195 # ⧝MY_TOKEN_TYPE
8196 "name": "A String", # Name of the information type. Either a name of your choosing when
8197 # creating a CustomInfoType, or one of the names listed
8198 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8199 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8200 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8201 },
8202 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8203 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
8204 # replacement values are dynamically provided by the user for custom behavior,
8205 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
8206 # This can be used on
8207 # data of type: number, long, string, timestamp.
8208 # If the bound `Value` type differs from the type of data being transformed, we
8209 # will first attempt converting the type of the data to be transformed to match
8210 # the type of the bound before comparing.
8211 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8212 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
8213 { # Bucket is represented as a range, along with replacement values.
8214 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
8215 # Note that for the purposes of inspection or transformation, the number
8216 # of bytes considered to comprise a 'Value' is based on its representation
8217 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8218 # 123456789, the number of bytes would be counted as 9, even though an
8219 # int64 only holds up to 8 bytes of data.
8220 "floatValue": 3.14, # float
8221 "timestampValue": "A String", # timestamp
8222 "dayOfWeekValue": "A String", # day of week
8223 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8224 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8225 # types are google.type.Date and `google.protobuf.Timestamp`.
8226 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8227 # to allow the value "24:00:00" for scenarios like business closing time.
8228 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8229 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8230 # allow the value 60 if it allows leap-seconds.
8231 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8232 },
8233 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8234 # and time zone are either specified elsewhere or are not significant. The date
8235 # is relative to the Proleptic Gregorian Calendar. This can represent:
8236 #
8237 # * A full date, with non-zero year, month and day values
8238 # * A month and day value, with a zero year, e.g. an anniversary
8239 # * A year on its own, with zero month and day values
8240 # * A year and month value, with a zero day, e.g. a credit card expiration date
8241 #
8242 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8243 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8244 # month and day.
8245 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8246 # if specifying a year by itself or a year and month where the day is not
8247 # significant.
8248 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8249 # a year.
8250 },
8251 "stringValue": "A String", # string
8252 "booleanValue": True or False, # boolean
8253 "integerValue": "A String", # integer
8254 },
8255 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
8256 # the default behavior will be to hyphenate the min-max range.
8257 # Note that for the purposes of inspection or transformation, the number
8258 # of bytes considered to comprise a 'Value' is based on its representation
8259 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8260 # 123456789, the number of bytes would be counted as 9, even though an
8261 # int64 only holds up to 8 bytes of data.
8262 "floatValue": 3.14, # float
8263 "timestampValue": "A String", # timestamp
8264 "dayOfWeekValue": "A String", # day of week
8265 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8266 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8267 # types are google.type.Date and `google.protobuf.Timestamp`.
8268 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8269 # to allow the value "24:00:00" for scenarios like business closing time.
8270 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8271 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8272 # allow the value 60 if it allows leap-seconds.
8273 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8274 },
8275 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8276 # and time zone are either specified elsewhere or are not significant. The date
8277 # is relative to the Proleptic Gregorian Calendar. This can represent:
8278 #
8279 # * A full date, with non-zero year, month and day values
8280 # * A month and day value, with a zero year, e.g. an anniversary
8281 # * A year on its own, with zero month and day values
8282 # * A year and month value, with a zero day, e.g. a credit card expiration date
8283 #
8284 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8285 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8286 # month and day.
8287 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8288 # if specifying a year by itself or a year and month where the day is not
8289 # significant.
8290 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8291 # a year.
8292 },
8293 "stringValue": "A String", # string
8294 "booleanValue": True or False, # boolean
8295 "integerValue": "A String", # integer
8296 },
8297 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8298 # used.
8299 # Note that for the purposes of inspection or transformation, the number
8300 # of bytes considered to comprise a 'Value' is based on its representation
8301 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8302 # 123456789, the number of bytes would be counted as 9, even though an
8303 # int64 only holds up to 8 bytes of data.
8304 "floatValue": 3.14, # float
8305 "timestampValue": "A String", # timestamp
8306 "dayOfWeekValue": "A String", # day of week
8307 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8308 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8309 # types are google.type.Date and `google.protobuf.Timestamp`.
8310 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8311 # to allow the value "24:00:00" for scenarios like business closing time.
8312 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8313 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8314 # allow the value 60 if it allows leap-seconds.
8315 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8316 },
8317 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8318 # and time zone are either specified elsewhere or are not significant. The date
8319 # is relative to the Proleptic Gregorian Calendar. This can represent:
8320 #
8321 # * A full date, with non-zero year, month and day values
8322 # * A month and day value, with a zero year, e.g. an anniversary
8323 # * A year on its own, with zero month and day values
8324 # * A year and month value, with a zero day, e.g. a credit card expiration date
8325 #
8326 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8327 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8328 # month and day.
8329 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8330 # if specifying a year by itself or a year and month where the day is not
8331 # significant.
8332 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8333 # a year.
8334 },
8335 "stringValue": "A String", # string
8336 "booleanValue": True or False, # boolean
8337 "integerValue": "A String", # integer
8338 },
8339 },
8340 ],
8341 },
8342 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
8343 # Uses SHA-256.
8344 # The key size must be either 32 or 64 bytes.
8345 # Outputs a base64 encoded representation of the hashed output
8346 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
8347 # Currently, only string and integer values can be hashed.
8348 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
8349 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
8350 # a key encryption key (KEK) stored by KMS).
8351 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8352 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8353 # unwrap the data crypto key.
8354 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
8355 # The wrapped key must be a 128/192/256 bit key.
8356 # Authorization requires the following IAM permissions when sending a request
8357 # to perform a crypto transformation using a kms-wrapped crypto key:
8358 # dlp.kms.encrypt
8359 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8360 "wrappedKey": "A String", # Required. The wrapped data crypto key.
8361 },
8362 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
8363 # leaking the key. Choose another type of key if possible.
8364 "key": "A String", # Required. A 128/192/256 bit key.
8365 },
8366 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
8367 # It will be discarded after the request finishes.
8368 "name": "A String", # Required. Name of the key.
8369 # This is an arbitrary string used to differentiate different keys.
8370 # A unique key is generated per name: two separate `TransientCryptoKey`
8371 # protos share the same generated key if their names are the same.
8372 # When the data crypto key is generated, this name is not used in any way
8373 # (repeating the api call will result in a different key being generated).
8374 },
8375 },
8376 },
8377 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8378 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
8379 # Note that for the purposes of inspection or transformation, the number
8380 # of bytes considered to comprise a 'Value' is based on its representation
8381 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8382 # 123456789, the number of bytes would be counted as 9, even though an
8383 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8384 "floatValue": 3.14, # float
8385 "timestampValue": "A String", # timestamp
8386 "dayOfWeekValue": "A String", # day of week
8387 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8388 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8389 # types are google.type.Date and `google.protobuf.Timestamp`.
8390 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8391 # to allow the value "24:00:00" for scenarios like business closing time.
8392 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8393 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8394 # allow the value 60 if it allows leap-seconds.
8395 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8396 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8397 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8398 # and time zone are either specified elsewhere or are not significant. The date
8399 # is relative to the Proleptic Gregorian Calendar. This can represent:
8400 #
8401 # * A full date, with non-zero year, month and day values
8402 # * A month and day value, with a zero year, e.g. an anniversary
8403 # * A year on its own, with zero month and day values
8404 # * A year and month value, with a zero day, e.g. a credit card expiration date
8405 #
8406 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8407 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8408 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8409 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8410 # if specifying a year by itself or a year and month where the day is not
8411 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8412 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8413 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8414 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8415 "stringValue": "A String", # string
8416 "booleanValue": True or False, # boolean
8417 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8418 },
8419 },
8420 },
8421 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
8422 # this transformation to apply to all findings that correspond to
8423 # infoTypes that were requested in `InspectConfig`.
8424 { # Type of information detected by the API.
8425 "name": "A String", # Name of the information type. Either a name of your choosing when
8426 # creating a CustomInfoType, or one of the names listed
8427 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8428 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8429 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8430 },
8431 ],
8432 },
8433 ],
8434 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8435 },
8436 ],
8437 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8438 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
8439 # mode is `TransformationErrorHandling.ThrowError`.
8440 # transformation error occurs when the requested transformation is incompatible
8441 # with the data. For example, trying to de-identify an IP address using a
8442 # `DateShift` transformation would result in a transformation error, since date
8443 # info cannot be extracted from an IP address.
8444 # Information about any incompatible transformations, and how they were
8445 # handled, is returned in the response as part of the
8446 # `TransformationOverviews`.
8447 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
8448 },
8449 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
8450 # cause an error. For example, if a `DateShift` transformation were applied
8451 # an an IP address, this mode would leave the IP address unchanged in the
8452 # response.
8453 },
8454 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8455 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8456 "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
8457 "name": "A String", # Output only. The template name.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8458 #
8459 # The template will have one of the following formats:
8460 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
8461 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
8462 },
8463 ],
8464 }</pre>
8465</div>
8466
8467<div class="method">
8468 <code class="details" id="list_next">list_next(previous_request, previous_response)</code>
8469 <pre>Retrieves the next page of results.
8470
8471Args:
8472 previous_request: The request for the previous page. (required)
8473 previous_response: The response from the request for the previous page. (required)
8474
8475Returns:
8476 A request object that you can call 'execute()' on to request the next
8477 page. Returns None if there are no more items in the collection.
8478 </pre>
8479</div>
8480
8481<div class="method">
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8482 <code class="details" id="patch">patch(name, body=None, x__xgafv=None)</code>
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8483 <pre>Updates the DeidentifyTemplate.
8484See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
8485more.
8486
8487Args:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8488 name: string, Required. Resource name of organization and deidentify template to be updated, for
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8489example `organizations/433245324/deidentifyTemplates/432452342` or
8490projects/project-id/deidentifyTemplates/432452342. (required)
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8491 body: object, The request body.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8492 The object takes the form of:
8493
8494{ # Request message for UpdateDeidentifyTemplate.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8495 "deidentifyTemplate": { # DeidentifyTemplates contains instructions on how to de-identify content. # New DeidentifyTemplate value.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8496 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8497 "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8498 "displayName": "A String", # Display name (max 256 chars).
8499 "description": "A String", # Short description (max 256 chars).
8500 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
8501 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
8502 # transformation everywhere.
8503 # apply various `PrimitiveTransformation`s to each finding, where the
8504 # transformation is applied to only values that were identified as a specific
8505 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8506 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
8507 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8508 { # A transformation to apply to text that is identified as a specific
8509 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8510 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
8511 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8512 # input. Outputs a base64 encoded representation of the encrypted output.
8513 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
8514 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
8515 # a key encryption key (KEK) stored by KMS).
8516 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8517 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8518 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8519 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8520 # The wrapped key must be a 128/192/256 bit key.
8521 # Authorization requires the following IAM permissions when sending a request
8522 # to perform a crypto transformation using a kms-wrapped crypto key:
8523 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8524 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8525 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8526 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8527 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8528 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8529 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8530 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8531 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8532 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8533 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8534 # This is an arbitrary string used to differentiate different keys.
8535 # A unique key is generated per name: two separate `TransientCryptoKey`
8536 # protos share the same generated key if their names are the same.
8537 # When the data crypto key is generated, this name is not used in any way
8538 # (repeating the api call will result in a different key being generated).
8539 },
8540 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8541 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8542 # referential integrity such that the same identifier in two different
8543 # contexts will be given a distinct surrogate. The context is appended to
8544 # plaintext value being encrypted. On decryption the provided context is
8545 # validated against the value used during encryption. If a context was
8546 # provided during encryption, same context must be provided during decryption
8547 # as well.
8548 #
8549 # If the context is not set, plaintext would be used as is for encryption.
8550 # If the context is set but:
8551 #
8552 # 1. there is no record present when transforming a given value or
8553 # 2. the field is not present when transforming a given value,
8554 #
8555 # plaintext would be used as is for encryption.
8556 #
8557 # Note that case (1) is expected when an `InfoTypeTransformation` is
8558 # applied to both structured and non-structured `ContentItem`s.
8559 "name": "A String", # Name describing the field.
8560 },
8561 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
8562 # This annotation will be applied to the surrogate by prefixing it with
8563 # the name of the custom info type followed by the number of
8564 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8565 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8566 #
8567 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
8568 # the surrogate is 'abc', the full replacement value
8569 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8570 #
8571 # This annotation identifies the surrogate when inspecting content using the
8572 # custom info type 'Surrogate'. This facilitates reversal of the
8573 # surrogate when it occurs in free text.
8574 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8575 # Note: For record transformations where the entire cell in a table is being
8576 # transformed, surrogates are not mandatory. Surrogates are used to denote
8577 # the location of the token and are necessary for re-identification in free
8578 # form text.
8579 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8580 # In order for inspection to work properly, the name of this info type must
8581 # not occur naturally anywhere in your data; otherwise, inspection may either
8582 #
8583 # - reverse a surrogate that does not correspond to an actual identifier
8584 # - be unable to parse the surrogate and result in an error
8585 #
8586 # Therefore, choose your custom info type name carefully after considering
8587 # what your data looks like. One way to select a name that has a high chance
8588 # of yielding reliable detection is to include one or more unicode characters
8589 # that are highly improbable to exist in your data.
8590 # For example, assuming your data is entered from a regular ASCII keyboard,
8591 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8592 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8593 "name": "A String", # Name of the information type. Either a name of your choosing when
8594 # creating a CustomInfoType, or one of the names listed
8595 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8596 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8597 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8598 },
8599 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8600 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
8601 # fixed character. Masking can start from the beginning or end of the string.
8602 # This can be used on data of any type (numbers, longs, and so on) and when
8603 # de-identifying structured data we'll attempt to preserve the original data's
8604 # type. (This allows you to take a long like 123 and modify it to a string like
8605 # **3.
8606 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
8607 # characters. For example, if the input string is `555-555-5555` and you
8608 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
8609 # returns `***-**5-5555`.
8610 { # Characters to skip when doing deidentification of a value. These will be left
8611 # alone and skipped.
8612 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
8613 # punctuation.
8614 "charactersToSkip": "A String", # Characters to not transform when masking.
8615 },
8616 ],
8617 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
8618 # masked. Skipped characters do not count towards this tally.
8619 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
8620 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
8621 # code or credit card number. This string must have a length of 1. If not
8622 # supplied, this value defaults to `*` for strings, and `0` for digits.
8623 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
8624 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
8625 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
8626 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
8627 # is `true`, then the string `12345` is masked as `12***`.
8628 },
8629 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
8630 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
8631 # output would be 'My phone number is '.
8632 },
8633 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
8634 },
8635 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8636 # Bucketing transformation can provide all of this functionality,
8637 # but requires more configuration. This message is provided as a convenience to
8638 # the user for simple bucketing strategies.
8639 #
8640 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8641 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8642 # all values that are within this bucket will be replaced with "10-20".
8643 #
8644 # This can be used on data of type: double, long.
8645 #
8646 # If the bound Value type differs from the type of data
8647 # being transformed, we will first attempt converting the type of the data to
8648 # be transformed to match the type of the bound before comparing.
8649 #
8650 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8651 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8652 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8653 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8654 # Note that for the purposes of inspection or transformation, the number
8655 # of bytes considered to comprise a 'Value' is based on its representation
8656 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8657 # 123456789, the number of bytes would be counted as 9, even though an
8658 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8659 "floatValue": 3.14, # float
8660 "timestampValue": "A String", # timestamp
8661 "dayOfWeekValue": "A String", # day of week
8662 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8663 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8664 # types are google.type.Date and `google.protobuf.Timestamp`.
8665 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8666 # to allow the value "24:00:00" for scenarios like business closing time.
8667 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8668 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8669 # allow the value 60 if it allows leap-seconds.
8670 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8671 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8672 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8673 # and time zone are either specified elsewhere or are not significant. The date
8674 # is relative to the Proleptic Gregorian Calendar. This can represent:
8675 #
8676 # * A full date, with non-zero year, month and day values
8677 # * A month and day value, with a zero year, e.g. an anniversary
8678 # * A year on its own, with zero month and day values
8679 # * A year and month value, with a zero day, e.g. a credit card expiration date
8680 #
8681 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8682 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8683 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8684 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8685 # if specifying a year by itself or a year and month where the day is not
8686 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8687 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8688 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8689 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8690 "stringValue": "A String", # string
8691 "booleanValue": True or False, # boolean
8692 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8693 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8694 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8695 # grouped together into a single bucket; for example if `upper_bound` = 89,
8696 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8697 # Note that for the purposes of inspection or transformation, the number
8698 # of bytes considered to comprise a 'Value' is based on its representation
8699 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8700 # 123456789, the number of bytes would be counted as 9, even though an
8701 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8702 "floatValue": 3.14, # float
8703 "timestampValue": "A String", # timestamp
8704 "dayOfWeekValue": "A String", # day of week
8705 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8706 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8707 # types are google.type.Date and `google.protobuf.Timestamp`.
8708 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8709 # to allow the value "24:00:00" for scenarios like business closing time.
8710 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8711 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8712 # allow the value 60 if it allows leap-seconds.
8713 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8714 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8715 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8716 # and time zone are either specified elsewhere or are not significant. The date
8717 # is relative to the Proleptic Gregorian Calendar. This can represent:
8718 #
8719 # * A full date, with non-zero year, month and day values
8720 # * A month and day value, with a zero year, e.g. an anniversary
8721 # * A year on its own, with zero month and day values
8722 # * A year and month value, with a zero day, e.g. a credit card expiration date
8723 #
8724 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8725 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8726 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8727 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8728 # if specifying a year by itself or a year and month where the day is not
8729 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8730 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8731 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8732 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8733 "stringValue": "A String", # string
8734 "booleanValue": True or False, # boolean
8735 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8736 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8737 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8738 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
8739 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8740 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8741 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8742 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8743 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8744 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8745 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8746 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8747 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
8748 # to learn more.
8749 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8750 # results in the same shift for the same context and crypto_key. If
8751 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8752 # a key encryption key (KEK) stored by KMS).
8753 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8754 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8755 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8756 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8757 # The wrapped key must be a 128/192/256 bit key.
8758 # Authorization requires the following IAM permissions when sending a request
8759 # to perform a crypto transformation using a kms-wrapped crypto key:
8760 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8761 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8762 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8763 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8764 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8765 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8766 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8767 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8768 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8769 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8770 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8771 # This is an arbitrary string used to differentiate different keys.
8772 # A unique key is generated per name: two separate `TransientCryptoKey`
8773 # protos share the same generated key if their names are the same.
8774 # When the data crypto key is generated, this name is not used in any way
8775 # (repeating the api call will result in a different key being generated).
8776 },
8777 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8778 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
8779 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8780 # range (inclusive ends). Negative means shift to earlier in time. Must not
8781 # be more than 365250 days (1000 years) each direction.
8782 #
8783 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8784 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8785 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8786 # given context.
8787 "name": "A String", # Name describing the field.
8788 },
8789 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8790 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8791 # (FPE) with the FFX mode of operation; however when used in the
8792 # `ReidentifyContent` API method, it serves the opposite function by reversing
8793 # the surrogate back into the original identifier. The identifier must be
8794 # encoded as ASCII. For a given crypto key and context, the same identifier
8795 # will be replaced with the same surrogate. Identifiers must be at least two
8796 # characters long. In the case that the identifier is the empty string, it will
8797 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
8798 # more.
8799 #
8800 # Note: We recommend using CryptoDeterministicConfig for all use cases which
8801 # do not require preserving the input alphabet space and size, plus warrant
8802 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8803 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8804 # a key encryption key (KEK) stored by KMS).
8805 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
8806 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
8807 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8808 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8809 # The wrapped key must be a 128/192/256 bit key.
8810 # Authorization requires the following IAM permissions when sending a request
8811 # to perform a crypto transformation using a kms-wrapped crypto key:
8812 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8813 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
8814 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8815 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8816 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8817 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8818 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8819 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8820 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8821 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8822 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8823 # This is an arbitrary string used to differentiate different keys.
8824 # A unique key is generated per name: two separate `TransientCryptoKey`
8825 # protos share the same generated key if their names are the same.
8826 # When the data crypto key is generated, this name is not used in any way
8827 # (repeating the api call will result in a different key being generated).
8828 },
8829 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8830 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
8831 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8832 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
8833 # that the FFX mode natively supports. This happens before/after
8834 # encryption/decryption.
8835 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8836 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8837 # This must be encoded as ASCII.
8838 # The order of characters does not matter.
8839 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
8840 # identifier in two different contexts won't be given the same surrogate. If
8841 # the context is not set, a default tweak will be used.
8842 #
8843 # If the context is set but:
8844 #
8845 # 1. there is no record present when transforming a given value or
8846 # 1. the field is not present when transforming a given value,
8847 #
8848 # a default tweak will be used.
8849 #
8850 # Note that case (1) is expected when an `InfoTypeTransformation` is
8851 # applied to both structured and non-structured `ContentItem`s.
8852 # Currently, the referenced field may be of value type integer or string.
8853 #
8854 # The tweak is constructed as a sequence of bytes in big endian byte order
8855 # such that:
8856 #
8857 # - a 64 bit integer is encoded followed by a single byte of value 1
8858 # - a string is encoded in UTF-8 format followed by a single byte of value 2
8859 "name": "A String", # Name describing the field.
8860 },
8861 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
8862 # This annotation will be applied to the surrogate by prefixing it with
8863 # the name of the custom infoType followed by the number of
8864 # characters comprising the surrogate. The following scheme defines the
8865 # format: info_type_name(surrogate_character_count):surrogate
8866 #
8867 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
8868 # the surrogate is 'abc', the full replacement value
8869 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
8870 #
8871 # This annotation identifies the surrogate when inspecting content using the
8872 # custom infoType
8873 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
8874 # This facilitates reversal of the surrogate when it occurs in free text.
8875 #
8876 # In order for inspection to work properly, the name of this infoType must
8877 # not occur naturally anywhere in your data; otherwise, inspection may
8878 # find a surrogate that does not correspond to an actual identifier.
8879 # Therefore, choose your custom infoType name carefully after considering
8880 # what your data looks like. One way to select a name that has a high chance
8881 # of yielding reliable detection is to include one or more unicode characters
8882 # that are highly improbable to exist in your data.
8883 # For example, assuming your data is entered from a regular ASCII keyboard,
8884 # the symbol with the hex code point 29DD might be used like so:
8885 # ⧝MY_TOKEN_TYPE
8886 "name": "A String", # Name of the information type. Either a name of your choosing when
8887 # creating a CustomInfoType, or one of the names listed
8888 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
8889 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8890 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]8891 },
8892 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]8893 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
8894 # replacement values are dynamically provided by the user for custom behavior,
8895 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
8896 # This can be used on
8897 # data of type: number, long, string, timestamp.
8898 # If the bound `Value` type differs from the type of data being transformed, we
8899 # will first attempt converting the type of the data to be transformed to match
8900 # the type of the bound before comparing.
8901 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
8902 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
8903 { # Bucket is represented as a range, along with replacement values.
8904 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
8905 # Note that for the purposes of inspection or transformation, the number
8906 # of bytes considered to comprise a 'Value' is based on its representation
8907 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8908 # 123456789, the number of bytes would be counted as 9, even though an
8909 # int64 only holds up to 8 bytes of data.
8910 "floatValue": 3.14, # float
8911 "timestampValue": "A String", # timestamp
8912 "dayOfWeekValue": "A String", # day of week
8913 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8914 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8915 # types are google.type.Date and `google.protobuf.Timestamp`.
8916 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8917 # to allow the value "24:00:00" for scenarios like business closing time.
8918 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8919 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8920 # allow the value 60 if it allows leap-seconds.
8921 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8922 },
8923 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8924 # and time zone are either specified elsewhere or are not significant. The date
8925 # is relative to the Proleptic Gregorian Calendar. This can represent:
8926 #
8927 # * A full date, with non-zero year, month and day values
8928 # * A month and day value, with a zero year, e.g. an anniversary
8929 # * A year on its own, with zero month and day values
8930 # * A year and month value, with a zero day, e.g. a credit card expiration date
8931 #
8932 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8933 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8934 # month and day.
8935 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8936 # if specifying a year by itself or a year and month where the day is not
8937 # significant.
8938 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8939 # a year.
8940 },
8941 "stringValue": "A String", # string
8942 "booleanValue": True or False, # boolean
8943 "integerValue": "A String", # integer
8944 },
8945 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
8946 # the default behavior will be to hyphenate the min-max range.
8947 # Note that for the purposes of inspection or transformation, the number
8948 # of bytes considered to comprise a 'Value' is based on its representation
8949 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8950 # 123456789, the number of bytes would be counted as 9, even though an
8951 # int64 only holds up to 8 bytes of data.
8952 "floatValue": 3.14, # float
8953 "timestampValue": "A String", # timestamp
8954 "dayOfWeekValue": "A String", # day of week
8955 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8956 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8957 # types are google.type.Date and `google.protobuf.Timestamp`.
8958 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
8959 # to allow the value "24:00:00" for scenarios like business closing time.
8960 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
8961 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
8962 # allow the value 60 if it allows leap-seconds.
8963 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
8964 },
8965 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
8966 # and time zone are either specified elsewhere or are not significant. The date
8967 # is relative to the Proleptic Gregorian Calendar. This can represent:
8968 #
8969 # * A full date, with non-zero year, month and day values
8970 # * A month and day value, with a zero year, e.g. an anniversary
8971 # * A year on its own, with zero month and day values
8972 # * A year and month value, with a zero day, e.g. a credit card expiration date
8973 #
8974 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
8975 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
8976 # month and day.
8977 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
8978 # if specifying a year by itself or a year and month where the day is not
8979 # significant.
8980 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
8981 # a year.
8982 },
8983 "stringValue": "A String", # string
8984 "booleanValue": True or False, # boolean
8985 "integerValue": "A String", # integer
8986 },
8987 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
8988 # used.
8989 # Note that for the purposes of inspection or transformation, the number
8990 # of bytes considered to comprise a 'Value' is based on its representation
8991 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
8992 # 123456789, the number of bytes would be counted as 9, even though an
8993 # int64 only holds up to 8 bytes of data.
8994 "floatValue": 3.14, # float
8995 "timestampValue": "A String", # timestamp
8996 "dayOfWeekValue": "A String", # day of week
8997 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
8998 # or are specified elsewhere. An API may choose to allow leap seconds. Related
8999 # types are google.type.Date and `google.protobuf.Timestamp`.
9000 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9001 # to allow the value "24:00:00" for scenarios like business closing time.
9002 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9003 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9004 # allow the value 60 if it allows leap-seconds.
9005 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9006 },
9007 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9008 # and time zone are either specified elsewhere or are not significant. The date
9009 # is relative to the Proleptic Gregorian Calendar. This can represent:
9010 #
9011 # * A full date, with non-zero year, month and day values
9012 # * A month and day value, with a zero year, e.g. an anniversary
9013 # * A year on its own, with zero month and day values
9014 # * A year and month value, with a zero day, e.g. a credit card expiration date
9015 #
9016 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9017 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9018 # month and day.
9019 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9020 # if specifying a year by itself or a year and month where the day is not
9021 # significant.
9022 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9023 # a year.
9024 },
9025 "stringValue": "A String", # string
9026 "booleanValue": True or False, # boolean
9027 "integerValue": "A String", # integer
9028 },
9029 },
9030 ],
9031 },
9032 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
9033 # Uses SHA-256.
9034 # The key size must be either 32 or 64 bytes.
9035 # Outputs a base64 encoded representation of the hashed output
9036 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9037 # Currently, only string and integer values can be hashed.
9038 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9039 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9040 # a key encryption key (KEK) stored by KMS).
9041 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9042 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9043 # unwrap the data crypto key.
9044 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9045 # The wrapped key must be a 128/192/256 bit key.
9046 # Authorization requires the following IAM permissions when sending a request
9047 # to perform a crypto transformation using a kms-wrapped crypto key:
9048 # dlp.kms.encrypt
9049 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9050 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9051 },
9052 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9053 # leaking the key. Choose another type of key if possible.
9054 "key": "A String", # Required. A 128/192/256 bit key.
9055 },
9056 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9057 # It will be discarded after the request finishes.
9058 "name": "A String", # Required. Name of the key.
9059 # This is an arbitrary string used to differentiate different keys.
9060 # A unique key is generated per name: two separate `TransientCryptoKey`
9061 # protos share the same generated key if their names are the same.
9062 # When the data crypto key is generated, this name is not used in any way
9063 # (repeating the api call will result in a different key being generated).
9064 },
9065 },
9066 },
9067 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9068 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
9069 # Note that for the purposes of inspection or transformation, the number
9070 # of bytes considered to comprise a 'Value' is based on its representation
9071 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9072 # 123456789, the number of bytes would be counted as 9, even though an
9073 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9074 "floatValue": 3.14, # float
9075 "timestampValue": "A String", # timestamp
9076 "dayOfWeekValue": "A String", # day of week
9077 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9078 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9079 # types are google.type.Date and `google.protobuf.Timestamp`.
9080 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9081 # to allow the value "24:00:00" for scenarios like business closing time.
9082 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9083 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9084 # allow the value 60 if it allows leap-seconds.
9085 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9086 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9087 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9088 # and time zone are either specified elsewhere or are not significant. The date
9089 # is relative to the Proleptic Gregorian Calendar. This can represent:
9090 #
9091 # * A full date, with non-zero year, month and day values
9092 # * A month and day value, with a zero year, e.g. an anniversary
9093 # * A year on its own, with zero month and day values
9094 # * A year and month value, with a zero day, e.g. a credit card expiration date
9095 #
9096 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9097 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9098 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9099 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9100 # if specifying a year by itself or a year and month where the day is not
9101 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9102 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9103 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9104 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9105 "stringValue": "A String", # string
9106 "booleanValue": True or False, # boolean
9107 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9108 },
9109 },
9110 },
9111 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
9112 # this transformation to apply to all findings that correspond to
9113 # infoTypes that were requested in `InspectConfig`.
9114 { # Type of information detected by the API.
9115 "name": "A String", # Name of the information type. Either a name of your choosing when
9116 # creating a CustomInfoType, or one of the names listed
9117 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9118 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9119 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9120 },
9121 ],
9122 },
9123 ],
9124 },
9125 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
9126 # specific locations within structured datasets, such as transforming
9127 # a column within a table.
9128 # table.
9129 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9130 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9131 { # Configuration to suppress records whose suppression conditions evaluate to
9132 # true.
9133 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
9134 # evaluated to be suppressed from the transformed content.
9135 # a field.
9136 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9137 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
9138 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9139 { # The field type of `value` and `field` do not need to match to be
9140 # considered equal, but not all comparisons are possible.
9141 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
9142 # but all other comparisons are invalid with incompatible types.
9143 # A `value` of type:
9144 #
9145 # - `string` can be compared against all other types
9146 # - `boolean` can only be compared against other booleans
9147 # - `integer` can be compared against doubles or a string if the string value
9148 # can be parsed as an integer.
9149 # - `double` can be compared against integers or a string if the string can
9150 # be parsed as a double.
9151 # - `Timestamp` can be compared against strings in RFC 3339 date string
9152 # format.
9153 # - `TimeOfDay` can be compared against timestamps and strings in the format
9154 # of 'HH:mm:ss'.
9155 #
9156 # If we fail to compare do to type mismatch, a warning will be given and
9157 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9158 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
9159 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9160 "name": "A String", # Name describing the field.
9161 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9162 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9163 # Note that for the purposes of inspection or transformation, the number
9164 # of bytes considered to comprise a 'Value' is based on its representation
9165 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9166 # 123456789, the number of bytes would be counted as 9, even though an
9167 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9168 "floatValue": 3.14, # float
9169 "timestampValue": "A String", # timestamp
9170 "dayOfWeekValue": "A String", # day of week
9171 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9172 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9173 # types are google.type.Date and `google.protobuf.Timestamp`.
9174 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9175 # to allow the value "24:00:00" for scenarios like business closing time.
9176 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9177 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9178 # allow the value 60 if it allows leap-seconds.
9179 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9180 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9181 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9182 # and time zone are either specified elsewhere or are not significant. The date
9183 # is relative to the Proleptic Gregorian Calendar. This can represent:
9184 #
9185 # * A full date, with non-zero year, month and day values
9186 # * A month and day value, with a zero year, e.g. an anniversary
9187 # * A year on its own, with zero month and day values
9188 # * A year and month value, with a zero day, e.g. a credit card expiration date
9189 #
9190 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9191 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9192 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9193 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9194 # if specifying a year by itself or a year and month where the day is not
9195 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9196 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9197 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9198 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9199 "stringValue": "A String", # string
9200 "booleanValue": True or False, # boolean
9201 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9202 },
9203 },
9204 ],
9205 },
9206 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
9207 # only supported value is `AND`.
9208 },
9209 },
9210 },
9211 ],
9212 "fieldTransformations": [ # Transform the record by applying various field transformations.
9213 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9214 "fields": [ # Required. Input field(s) to apply the transformation to.
9215 { # General identifier of a data field in a storage service.
9216 "name": "A String", # Name describing the field.
9217 },
9218 ],
9219 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
9220 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
9221 # input. Outputs a base64 encoded representation of the encrypted output.
9222 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
9223 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
9224 # a key encryption key (KEK) stored by KMS).
9225 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9226 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9227 # unwrap the data crypto key.
9228 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9229 # The wrapped key must be a 128/192/256 bit key.
9230 # Authorization requires the following IAM permissions when sending a request
9231 # to perform a crypto transformation using a kms-wrapped crypto key:
9232 # dlp.kms.encrypt
9233 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9234 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9235 },
9236 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9237 # leaking the key. Choose another type of key if possible.
9238 "key": "A String", # Required. A 128/192/256 bit key.
9239 },
9240 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9241 # It will be discarded after the request finishes.
9242 "name": "A String", # Required. Name of the key.
9243 # This is an arbitrary string used to differentiate different keys.
9244 # A unique key is generated per name: two separate `TransientCryptoKey`
9245 # protos share the same generated key if their names are the same.
9246 # When the data crypto key is generated, this name is not used in any way
9247 # (repeating the api call will result in a different key being generated).
9248 },
9249 },
9250 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
9251 # referential integrity such that the same identifier in two different
9252 # contexts will be given a distinct surrogate. The context is appended to
9253 # plaintext value being encrypted. On decryption the provided context is
9254 # validated against the value used during encryption. If a context was
9255 # provided during encryption, same context must be provided during decryption
9256 # as well.
9257 #
9258 # If the context is not set, plaintext would be used as is for encryption.
9259 # If the context is set but:
9260 #
9261 # 1. there is no record present when transforming a given value or
9262 # 2. the field is not present when transforming a given value,
9263 #
9264 # plaintext would be used as is for encryption.
9265 #
9266 # Note that case (1) is expected when an `InfoTypeTransformation` is
9267 # applied to both structured and non-structured `ContentItem`s.
9268 "name": "A String", # Name describing the field.
9269 },
9270 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
9271 # This annotation will be applied to the surrogate by prefixing it with
9272 # the name of the custom info type followed by the number of
9273 # characters comprising the surrogate. The following scheme defines the
9274 # format: {info type name}({surrogate character count}):{surrogate}
9275 #
9276 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
9277 # the surrogate is 'abc', the full replacement value
9278 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9279 #
9280 # This annotation identifies the surrogate when inspecting content using the
9281 # custom info type 'Surrogate'. This facilitates reversal of the
9282 # surrogate when it occurs in free text.
9283 #
9284 # Note: For record transformations where the entire cell in a table is being
9285 # transformed, surrogates are not mandatory. Surrogates are used to denote
9286 # the location of the token and are necessary for re-identification in free
9287 # form text.
9288 #
9289 # In order for inspection to work properly, the name of this info type must
9290 # not occur naturally anywhere in your data; otherwise, inspection may either
9291 #
9292 # - reverse a surrogate that does not correspond to an actual identifier
9293 # - be unable to parse the surrogate and result in an error
9294 #
9295 # Therefore, choose your custom info type name carefully after considering
9296 # what your data looks like. One way to select a name that has a high chance
9297 # of yielding reliable detection is to include one or more unicode characters
9298 # that are highly improbable to exist in your data.
9299 # For example, assuming your data is entered from a regular ASCII keyboard,
9300 # the symbol with the hex code point 29DD might be used like so:
9301 # ⧝MY_TOKEN_TYPE.
9302 "name": "A String", # Name of the information type. Either a name of your choosing when
9303 # creating a CustomInfoType, or one of the names listed
9304 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9305 # a built-in type. InfoType names should conform to the pattern
9306 # `[a-zA-Z0-9_]{1,64}`.
9307 },
9308 },
9309 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
9310 # fixed character. Masking can start from the beginning or end of the string.
9311 # This can be used on data of any type (numbers, longs, and so on) and when
9312 # de-identifying structured data we'll attempt to preserve the original data's
9313 # type. (This allows you to take a long like 123 and modify it to a string like
9314 # **3.
9315 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
9316 # characters. For example, if the input string is `555-555-5555` and you
9317 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
9318 # returns `***-**5-5555`.
9319 { # Characters to skip when doing deidentification of a value. These will be left
9320 # alone and skipped.
9321 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
9322 # punctuation.
9323 "charactersToSkip": "A String", # Characters to not transform when masking.
9324 },
9325 ],
9326 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
9327 # masked. Skipped characters do not count towards this tally.
9328 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
9329 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
9330 # code or credit card number. This string must have a length of 1. If not
9331 # supplied, this value defaults to `*` for strings, and `0` for digits.
9332 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
9333 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
9334 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
9335 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
9336 # is `true`, then the string `12345` is masked as `12***`.
9337 },
9338 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
9339 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
9340 # output would be 'My phone number is '.
9341 },
9342 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
9343 },
9344 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
9345 # Bucketing transformation can provide all of this functionality,
9346 # but requires more configuration. This message is provided as a convenience to
9347 # the user for simple bucketing strategies.
9348 #
9349 # The transformed value will be a hyphenated string of
9350 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
9351 # all values that are within this bucket will be replaced with "10-20".
9352 #
9353 # This can be used on data of type: double, long.
9354 #
9355 # If the bound Value type differs from the type of data
9356 # being transformed, we will first attempt converting the type of the data to
9357 # be transformed to match the type of the bound before comparing.
9358 #
9359 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9360 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
9361 # grouped together into a single bucket; for example if `lower_bound` = 10,
9362 # then all values less than 10 are replaced with the value “-10”.
9363 # Note that for the purposes of inspection or transformation, the number
9364 # of bytes considered to comprise a 'Value' is based on its representation
9365 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9366 # 123456789, the number of bytes would be counted as 9, even though an
9367 # int64 only holds up to 8 bytes of data.
9368 "floatValue": 3.14, # float
9369 "timestampValue": "A String", # timestamp
9370 "dayOfWeekValue": "A String", # day of week
9371 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9372 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9373 # types are google.type.Date and `google.protobuf.Timestamp`.
9374 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9375 # to allow the value "24:00:00" for scenarios like business closing time.
9376 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9377 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9378 # allow the value 60 if it allows leap-seconds.
9379 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9380 },
9381 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9382 # and time zone are either specified elsewhere or are not significant. The date
9383 # is relative to the Proleptic Gregorian Calendar. This can represent:
9384 #
9385 # * A full date, with non-zero year, month and day values
9386 # * A month and day value, with a zero year, e.g. an anniversary
9387 # * A year on its own, with zero month and day values
9388 # * A year and month value, with a zero day, e.g. a credit card expiration date
9389 #
9390 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9391 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9392 # month and day.
9393 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9394 # if specifying a year by itself or a year and month where the day is not
9395 # significant.
9396 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9397 # a year.
9398 },
9399 "stringValue": "A String", # string
9400 "booleanValue": True or False, # boolean
9401 "integerValue": "A String", # integer
9402 },
9403 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
9404 # grouped together into a single bucket; for example if `upper_bound` = 89,
9405 # then all values greater than 89 are replaced with the value “89+”.
9406 # Note that for the purposes of inspection or transformation, the number
9407 # of bytes considered to comprise a 'Value' is based on its representation
9408 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9409 # 123456789, the number of bytes would be counted as 9, even though an
9410 # int64 only holds up to 8 bytes of data.
9411 "floatValue": 3.14, # float
9412 "timestampValue": "A String", # timestamp
9413 "dayOfWeekValue": "A String", # day of week
9414 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9415 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9416 # types are google.type.Date and `google.protobuf.Timestamp`.
9417 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9418 # to allow the value "24:00:00" for scenarios like business closing time.
9419 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9420 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9421 # allow the value 60 if it allows leap-seconds.
9422 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9423 },
9424 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9425 # and time zone are either specified elsewhere or are not significant. The date
9426 # is relative to the Proleptic Gregorian Calendar. This can represent:
9427 #
9428 # * A full date, with non-zero year, month and day values
9429 # * A month and day value, with a zero year, e.g. an anniversary
9430 # * A year on its own, with zero month and day values
9431 # * A year and month value, with a zero day, e.g. a credit card expiration date
9432 #
9433 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9434 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9435 # month and day.
9436 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9437 # if specifying a year by itself or a year and month where the day is not
9438 # significant.
9439 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9440 # a year.
9441 },
9442 "stringValue": "A String", # string
9443 "booleanValue": True or False, # boolean
9444 "integerValue": "A String", # integer
9445 },
9446 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
9447 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
9448 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
9449 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
9450 },
9451 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
9452 # portion of the value.
9453 "partToExtract": "A String", # The part of the time to keep.
9454 },
9455 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
9456 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
9457 # to learn more.
9458 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
9459 # results in the same shift for the same context and crypto_key. If
9460 # set, must also set context. Can only be applied to table items.
9461 # a key encryption key (KEK) stored by KMS).
9462 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9463 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9464 # unwrap the data crypto key.
9465 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9466 # The wrapped key must be a 128/192/256 bit key.
9467 # Authorization requires the following IAM permissions when sending a request
9468 # to perform a crypto transformation using a kms-wrapped crypto key:
9469 # dlp.kms.encrypt
9470 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9471 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9472 },
9473 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9474 # leaking the key. Choose another type of key if possible.
9475 "key": "A String", # Required. A 128/192/256 bit key.
9476 },
9477 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9478 # It will be discarded after the request finishes.
9479 "name": "A String", # Required. Name of the key.
9480 # This is an arbitrary string used to differentiate different keys.
9481 # A unique key is generated per name: two separate `TransientCryptoKey`
9482 # protos share the same generated key if their names are the same.
9483 # When the data crypto key is generated, this name is not used in any way
9484 # (repeating the api call will result in a different key being generated).
9485 },
9486 },
9487 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
9488 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
9489 # range (inclusive ends). Negative means shift to earlier in time. Must not
9490 # be more than 365250 days (1000 years) each direction.
9491 #
9492 # For example, 3 means shift date to at most 3 days into the future.
9493 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
9494 # If set, must also set cryptoKey. If set, shift will be consistent for the
9495 # given context.
9496 "name": "A String", # Name describing the field.
9497 },
9498 },
9499 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
9500 # (FPE) with the FFX mode of operation; however when used in the
9501 # `ReidentifyContent` API method, it serves the opposite function by reversing
9502 # the surrogate back into the original identifier. The identifier must be
9503 # encoded as ASCII. For a given crypto key and context, the same identifier
9504 # will be replaced with the same surrogate. Identifiers must be at least two
9505 # characters long. In the case that the identifier is the empty string, it will
9506 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
9507 # more.
9508 #
9509 # Note: We recommend using CryptoDeterministicConfig for all use cases which
9510 # do not require preserving the input alphabet space and size, plus warrant
9511 # referential integrity.
9512 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
9513 # a key encryption key (KEK) stored by KMS).
9514 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9515 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9516 # unwrap the data crypto key.
9517 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9518 # The wrapped key must be a 128/192/256 bit key.
9519 # Authorization requires the following IAM permissions when sending a request
9520 # to perform a crypto transformation using a kms-wrapped crypto key:
9521 # dlp.kms.encrypt
9522 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9523 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9524 },
9525 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9526 # leaking the key. Choose another type of key if possible.
9527 "key": "A String", # Required. A 128/192/256 bit key.
9528 },
9529 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9530 # It will be discarded after the request finishes.
9531 "name": "A String", # Required. Name of the key.
9532 # This is an arbitrary string used to differentiate different keys.
9533 # A unique key is generated per name: two separate `TransientCryptoKey`
9534 # protos share the same generated key if their names are the same.
9535 # When the data crypto key is generated, this name is not used in any way
9536 # (repeating the api call will result in a different key being generated).
9537 },
9538 },
9539 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
9540 "commonAlphabet": "A String", # Common alphabets.
9541 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
9542 # that the FFX mode natively supports. This happens before/after
9543 # encryption/decryption.
9544 # Each character listed must appear only once.
9545 # Number of characters must be in the range [2, 95].
9546 # This must be encoded as ASCII.
9547 # The order of characters does not matter.
9548 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
9549 # identifier in two different contexts won't be given the same surrogate. If
9550 # the context is not set, a default tweak will be used.
9551 #
9552 # If the context is set but:
9553 #
9554 # 1. there is no record present when transforming a given value or
9555 # 1. the field is not present when transforming a given value,
9556 #
9557 # a default tweak will be used.
9558 #
9559 # Note that case (1) is expected when an `InfoTypeTransformation` is
9560 # applied to both structured and non-structured `ContentItem`s.
9561 # Currently, the referenced field may be of value type integer or string.
9562 #
9563 # The tweak is constructed as a sequence of bytes in big endian byte order
9564 # such that:
9565 #
9566 # - a 64 bit integer is encoded followed by a single byte of value 1
9567 # - a string is encoded in UTF-8 format followed by a single byte of value 2
9568 "name": "A String", # Name describing the field.
9569 },
9570 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
9571 # This annotation will be applied to the surrogate by prefixing it with
9572 # the name of the custom infoType followed by the number of
9573 # characters comprising the surrogate. The following scheme defines the
9574 # format: info_type_name(surrogate_character_count):surrogate
9575 #
9576 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
9577 # the surrogate is 'abc', the full replacement value
9578 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9579 #
9580 # This annotation identifies the surrogate when inspecting content using the
9581 # custom infoType
9582 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
9583 # This facilitates reversal of the surrogate when it occurs in free text.
9584 #
9585 # In order for inspection to work properly, the name of this infoType must
9586 # not occur naturally anywhere in your data; otherwise, inspection may
9587 # find a surrogate that does not correspond to an actual identifier.
9588 # Therefore, choose your custom infoType name carefully after considering
9589 # what your data looks like. One way to select a name that has a high chance
9590 # of yielding reliable detection is to include one or more unicode characters
9591 # that are highly improbable to exist in your data.
9592 # For example, assuming your data is entered from a regular ASCII keyboard,
9593 # the symbol with the hex code point 29DD might be used like so:
9594 # ⧝MY_TOKEN_TYPE
9595 "name": "A String", # Name of the information type. Either a name of your choosing when
9596 # creating a CustomInfoType, or one of the names listed
9597 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9598 # a built-in type. InfoType names should conform to the pattern
9599 # `[a-zA-Z0-9_]{1,64}`.
9600 },
9601 },
9602 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
9603 # replacement values are dynamically provided by the user for custom behavior,
9604 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
9605 # This can be used on
9606 # data of type: number, long, string, timestamp.
9607 # If the bound `Value` type differs from the type of data being transformed, we
9608 # will first attempt converting the type of the data to be transformed to match
9609 # the type of the bound before comparing.
9610 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
9611 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
9612 { # Bucket is represented as a range, along with replacement values.
9613 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
9614 # Note that for the purposes of inspection or transformation, the number
9615 # of bytes considered to comprise a 'Value' is based on its representation
9616 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9617 # 123456789, the number of bytes would be counted as 9, even though an
9618 # int64 only holds up to 8 bytes of data.
9619 "floatValue": 3.14, # float
9620 "timestampValue": "A String", # timestamp
9621 "dayOfWeekValue": "A String", # day of week
9622 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9623 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9624 # types are google.type.Date and `google.protobuf.Timestamp`.
9625 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9626 # to allow the value "24:00:00" for scenarios like business closing time.
9627 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9628 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9629 # allow the value 60 if it allows leap-seconds.
9630 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9631 },
9632 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9633 # and time zone are either specified elsewhere or are not significant. The date
9634 # is relative to the Proleptic Gregorian Calendar. This can represent:
9635 #
9636 # * A full date, with non-zero year, month and day values
9637 # * A month and day value, with a zero year, e.g. an anniversary
9638 # * A year on its own, with zero month and day values
9639 # * A year and month value, with a zero day, e.g. a credit card expiration date
9640 #
9641 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9642 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9643 # month and day.
9644 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9645 # if specifying a year by itself or a year and month where the day is not
9646 # significant.
9647 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9648 # a year.
9649 },
9650 "stringValue": "A String", # string
9651 "booleanValue": True or False, # boolean
9652 "integerValue": "A String", # integer
9653 },
9654 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
9655 # the default behavior will be to hyphenate the min-max range.
9656 # Note that for the purposes of inspection or transformation, the number
9657 # of bytes considered to comprise a 'Value' is based on its representation
9658 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9659 # 123456789, the number of bytes would be counted as 9, even though an
9660 # int64 only holds up to 8 bytes of data.
9661 "floatValue": 3.14, # float
9662 "timestampValue": "A String", # timestamp
9663 "dayOfWeekValue": "A String", # day of week
9664 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9665 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9666 # types are google.type.Date and `google.protobuf.Timestamp`.
9667 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9668 # to allow the value "24:00:00" for scenarios like business closing time.
9669 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9670 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9671 # allow the value 60 if it allows leap-seconds.
9672 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9673 },
9674 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9675 # and time zone are either specified elsewhere or are not significant. The date
9676 # is relative to the Proleptic Gregorian Calendar. This can represent:
9677 #
9678 # * A full date, with non-zero year, month and day values
9679 # * A month and day value, with a zero year, e.g. an anniversary
9680 # * A year on its own, with zero month and day values
9681 # * A year and month value, with a zero day, e.g. a credit card expiration date
9682 #
9683 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9684 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9685 # month and day.
9686 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9687 # if specifying a year by itself or a year and month where the day is not
9688 # significant.
9689 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9690 # a year.
9691 },
9692 "stringValue": "A String", # string
9693 "booleanValue": True or False, # boolean
9694 "integerValue": "A String", # integer
9695 },
9696 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
9697 # used.
9698 # Note that for the purposes of inspection or transformation, the number
9699 # of bytes considered to comprise a 'Value' is based on its representation
9700 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9701 # 123456789, the number of bytes would be counted as 9, even though an
9702 # int64 only holds up to 8 bytes of data.
9703 "floatValue": 3.14, # float
9704 "timestampValue": "A String", # timestamp
9705 "dayOfWeekValue": "A String", # day of week
9706 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9707 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9708 # types are google.type.Date and `google.protobuf.Timestamp`.
9709 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9710 # to allow the value "24:00:00" for scenarios like business closing time.
9711 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9712 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9713 # allow the value 60 if it allows leap-seconds.
9714 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9715 },
9716 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9717 # and time zone are either specified elsewhere or are not significant. The date
9718 # is relative to the Proleptic Gregorian Calendar. This can represent:
9719 #
9720 # * A full date, with non-zero year, month and day values
9721 # * A month and day value, with a zero year, e.g. an anniversary
9722 # * A year on its own, with zero month and day values
9723 # * A year and month value, with a zero day, e.g. a credit card expiration date
9724 #
9725 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9726 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9727 # month and day.
9728 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9729 # if specifying a year by itself or a year and month where the day is not
9730 # significant.
9731 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9732 # a year.
9733 },
9734 "stringValue": "A String", # string
9735 "booleanValue": True or False, # boolean
9736 "integerValue": "A String", # integer
9737 },
9738 },
9739 ],
9740 },
9741 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
9742 # Uses SHA-256.
9743 # The key size must be either 32 or 64 bytes.
9744 # Outputs a base64 encoded representation of the hashed output
9745 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
9746 # Currently, only string and integer values can be hashed.
9747 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
9748 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
9749 # a key encryption key (KEK) stored by KMS).
9750 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9751 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9752 # unwrap the data crypto key.
9753 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
9754 # The wrapped key must be a 128/192/256 bit key.
9755 # Authorization requires the following IAM permissions when sending a request
9756 # to perform a crypto transformation using a kms-wrapped crypto key:
9757 # dlp.kms.encrypt
9758 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9759 "wrappedKey": "A String", # Required. The wrapped data crypto key.
9760 },
9761 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
9762 # leaking the key. Choose another type of key if possible.
9763 "key": "A String", # Required. A 128/192/256 bit key.
9764 },
9765 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
9766 # It will be discarded after the request finishes.
9767 "name": "A String", # Required. Name of the key.
9768 # This is an arbitrary string used to differentiate different keys.
9769 # A unique key is generated per name: two separate `TransientCryptoKey`
9770 # protos share the same generated key if their names are the same.
9771 # When the data crypto key is generated, this name is not used in any way
9772 # (repeating the api call will result in a different key being generated).
9773 },
9774 },
9775 },
9776 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
9777 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
9778 # Note that for the purposes of inspection or transformation, the number
9779 # of bytes considered to comprise a 'Value' is based on its representation
9780 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9781 # 123456789, the number of bytes would be counted as 9, even though an
9782 # int64 only holds up to 8 bytes of data.
9783 "floatValue": 3.14, # float
9784 "timestampValue": "A String", # timestamp
9785 "dayOfWeekValue": "A String", # day of week
9786 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9787 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9788 # types are google.type.Date and `google.protobuf.Timestamp`.
9789 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9790 # to allow the value "24:00:00" for scenarios like business closing time.
9791 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9792 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9793 # allow the value 60 if it allows leap-seconds.
9794 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9795 },
9796 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9797 # and time zone are either specified elsewhere or are not significant. The date
9798 # is relative to the Proleptic Gregorian Calendar. This can represent:
9799 #
9800 # * A full date, with non-zero year, month and day values
9801 # * A month and day value, with a zero year, e.g. an anniversary
9802 # * A year on its own, with zero month and day values
9803 # * A year and month value, with a zero day, e.g. a credit card expiration date
9804 #
9805 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9806 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9807 # month and day.
9808 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9809 # if specifying a year by itself or a year and month where the day is not
9810 # significant.
9811 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9812 # a year.
9813 },
9814 "stringValue": "A String", # string
9815 "booleanValue": True or False, # boolean
9816 "integerValue": "A String", # integer
9817 },
9818 },
9819 },
9820 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
9821 # given `RecordCondition`. The conditions are allowed to reference fields
9822 # that are not used in the actual transformation.
9823 #
9824 # Example Use Cases:
9825 #
9826 # - Apply a different bucket transformation to an age column if the zip code
9827 # column for the same record is within a specific range.
9828 # - Redact a field if the date of birth field is greater than 85.
9829 # a field.
9830 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
9831 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
9832 "conditions": [ # A collection of conditions.
9833 { # The field type of `value` and `field` do not need to match to be
9834 # considered equal, but not all comparisons are possible.
9835 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
9836 # but all other comparisons are invalid with incompatible types.
9837 # A `value` of type:
9838 #
9839 # - `string` can be compared against all other types
9840 # - `boolean` can only be compared against other booleans
9841 # - `integer` can be compared against doubles or a string if the string value
9842 # can be parsed as an integer.
9843 # - `double` can be compared against integers or a string if the string can
9844 # be parsed as a double.
9845 # - `Timestamp` can be compared against strings in RFC 3339 date string
9846 # format.
9847 # - `TimeOfDay` can be compared against timestamps and strings in the format
9848 # of 'HH:mm:ss'.
9849 #
9850 # If we fail to compare do to type mismatch, a warning will be given and
9851 # the condition will evaluate to false.
9852 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
9853 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
9854 "name": "A String", # Name describing the field.
9855 },
9856 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
9857 # Note that for the purposes of inspection or transformation, the number
9858 # of bytes considered to comprise a 'Value' is based on its representation
9859 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
9860 # 123456789, the number of bytes would be counted as 9, even though an
9861 # int64 only holds up to 8 bytes of data.
9862 "floatValue": 3.14, # float
9863 "timestampValue": "A String", # timestamp
9864 "dayOfWeekValue": "A String", # day of week
9865 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
9866 # or are specified elsewhere. An API may choose to allow leap seconds. Related
9867 # types are google.type.Date and `google.protobuf.Timestamp`.
9868 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
9869 # to allow the value "24:00:00" for scenarios like business closing time.
9870 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
9871 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
9872 # allow the value 60 if it allows leap-seconds.
9873 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
9874 },
9875 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
9876 # and time zone are either specified elsewhere or are not significant. The date
9877 # is relative to the Proleptic Gregorian Calendar. This can represent:
9878 #
9879 # * A full date, with non-zero year, month and day values
9880 # * A month and day value, with a zero year, e.g. an anniversary
9881 # * A year on its own, with zero month and day values
9882 # * A year and month value, with a zero day, e.g. a credit card expiration date
9883 #
9884 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
9885 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
9886 # month and day.
9887 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
9888 # if specifying a year by itself or a year and month where the day is not
9889 # significant.
9890 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
9891 # a year.
9892 },
9893 "stringValue": "A String", # string
9894 "booleanValue": True or False, # boolean
9895 "integerValue": "A String", # integer
9896 },
9897 },
9898 ],
9899 },
9900 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
9901 # only supported value is `AND`.
9902 },
9903 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9904 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
9905 # transform content that matches an `InfoType`.
9906 # apply various `PrimitiveTransformation`s to each finding, where the
9907 # transformation is applied to only values that were identified as a specific
9908 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9909 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
9910 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9911 { # A transformation to apply to text that is identified as a specific
9912 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9913 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
9914 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9915 # input. Outputs a base64 encoded representation of the encrypted output.
9916 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
9917 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
9918 # a key encryption key (KEK) stored by KMS).
9919 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
9920 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
9921 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9922 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9923 # The wrapped key must be a 128/192/256 bit key.
9924 # Authorization requires the following IAM permissions when sending a request
9925 # to perform a crypto transformation using a kms-wrapped crypto key:
9926 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9927 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
9928 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9929 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9930 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9931 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9932 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9933 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9934 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9935 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9936 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9937 # This is an arbitrary string used to differentiate different keys.
9938 # A unique key is generated per name: two separate `TransientCryptoKey`
9939 # protos share the same generated key if their names are the same.
9940 # When the data crypto key is generated, this name is not used in any way
9941 # (repeating the api call will result in a different key being generated).
9942 },
9943 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9944 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9945 # referential integrity such that the same identifier in two different
9946 # contexts will be given a distinct surrogate. The context is appended to
9947 # plaintext value being encrypted. On decryption the provided context is
9948 # validated against the value used during encryption. If a context was
9949 # provided during encryption, same context must be provided during decryption
9950 # as well.
9951 #
9952 # If the context is not set, plaintext would be used as is for encryption.
9953 # If the context is set but:
9954 #
9955 # 1. there is no record present when transforming a given value or
9956 # 2. the field is not present when transforming a given value,
9957 #
9958 # plaintext would be used as is for encryption.
9959 #
9960 # Note that case (1) is expected when an `InfoTypeTransformation` is
9961 # applied to both structured and non-structured `ContentItem`s.
9962 "name": "A String", # Name describing the field.
9963 },
9964 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
9965 # This annotation will be applied to the surrogate by prefixing it with
9966 # the name of the custom info type followed by the number of
9967 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9968 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9969 #
9970 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
9971 # the surrogate is 'abc', the full replacement value
9972 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
9973 #
9974 # This annotation identifies the surrogate when inspecting content using the
9975 # custom info type 'Surrogate'. This facilitates reversal of the
9976 # surrogate when it occurs in free text.
9977 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9978 # Note: For record transformations where the entire cell in a table is being
9979 # transformed, surrogates are not mandatory. Surrogates are used to denote
9980 # the location of the token and are necessary for re-identification in free
9981 # form text.
9982 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9983 # In order for inspection to work properly, the name of this info type must
9984 # not occur naturally anywhere in your data; otherwise, inspection may either
9985 #
9986 # - reverse a surrogate that does not correspond to an actual identifier
9987 # - be unable to parse the surrogate and result in an error
9988 #
9989 # Therefore, choose your custom info type name carefully after considering
9990 # what your data looks like. One way to select a name that has a high chance
9991 # of yielding reliable detection is to include one or more unicode characters
9992 # that are highly improbable to exist in your data.
9993 # For example, assuming your data is entered from a regular ASCII keyboard,
9994 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]9995 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]9996 "name": "A String", # Name of the information type. Either a name of your choosing when
9997 # creating a CustomInfoType, or one of the names listed
9998 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
9999 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10000 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10001 },
10002 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10003 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
10004 # fixed character. Masking can start from the beginning or end of the string.
10005 # This can be used on data of any type (numbers, longs, and so on) and when
10006 # de-identifying structured data we'll attempt to preserve the original data's
10007 # type. (This allows you to take a long like 123 and modify it to a string like
10008 # **3.
10009 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
10010 # characters. For example, if the input string is `555-555-5555` and you
10011 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
10012 # returns `***-**5-5555`.
10013 { # Characters to skip when doing deidentification of a value. These will be left
10014 # alone and skipped.
10015 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
10016 # punctuation.
10017 "charactersToSkip": "A String", # Characters to not transform when masking.
10018 },
10019 ],
10020 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
10021 # masked. Skipped characters do not count towards this tally.
10022 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
10023 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
10024 # code or credit card number. This string must have a length of 1. If not
10025 # supplied, this value defaults to `*` for strings, and `0` for digits.
10026 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
10027 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
10028 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
10029 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
10030 # is `true`, then the string `12345` is masked as `12***`.
10031 },
10032 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
10033 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
10034 # output would be 'My phone number is '.
10035 },
10036 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
10037 },
10038 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10039 # Bucketing transformation can provide all of this functionality,
10040 # but requires more configuration. This message is provided as a convenience to
10041 # the user for simple bucketing strategies.
10042 #
10043 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10044 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10045 # all values that are within this bucket will be replaced with "10-20".
10046 #
10047 # This can be used on data of type: double, long.
10048 #
10049 # If the bound Value type differs from the type of data
10050 # being transformed, we will first attempt converting the type of the data to
10051 # be transformed to match the type of the bound before comparing.
10052 #
10053 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10054 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10055 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10056 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10057 # Note that for the purposes of inspection or transformation, the number
10058 # of bytes considered to comprise a 'Value' is based on its representation
10059 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10060 # 123456789, the number of bytes would be counted as 9, even though an
10061 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10062 "floatValue": 3.14, # float
10063 "timestampValue": "A String", # timestamp
10064 "dayOfWeekValue": "A String", # day of week
10065 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10066 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10067 # types are google.type.Date and `google.protobuf.Timestamp`.
10068 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10069 # to allow the value "24:00:00" for scenarios like business closing time.
10070 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10071 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10072 # allow the value 60 if it allows leap-seconds.
10073 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10074 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10075 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10076 # and time zone are either specified elsewhere or are not significant. The date
10077 # is relative to the Proleptic Gregorian Calendar. This can represent:
10078 #
10079 # * A full date, with non-zero year, month and day values
10080 # * A month and day value, with a zero year, e.g. an anniversary
10081 # * A year on its own, with zero month and day values
10082 # * A year and month value, with a zero day, e.g. a credit card expiration date
10083 #
10084 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10085 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10086 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10087 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10088 # if specifying a year by itself or a year and month where the day is not
10089 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10090 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10091 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10092 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10093 "stringValue": "A String", # string
10094 "booleanValue": True or False, # boolean
10095 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10096 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10097 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10098 # grouped together into a single bucket; for example if `upper_bound` = 89,
10099 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10100 # Note that for the purposes of inspection or transformation, the number
10101 # of bytes considered to comprise a 'Value' is based on its representation
10102 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10103 # 123456789, the number of bytes would be counted as 9, even though an
10104 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10105 "floatValue": 3.14, # float
10106 "timestampValue": "A String", # timestamp
10107 "dayOfWeekValue": "A String", # day of week
10108 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10109 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10110 # types are google.type.Date and `google.protobuf.Timestamp`.
10111 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10112 # to allow the value "24:00:00" for scenarios like business closing time.
10113 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10114 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10115 # allow the value 60 if it allows leap-seconds.
10116 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10117 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10118 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10119 # and time zone are either specified elsewhere or are not significant. The date
10120 # is relative to the Proleptic Gregorian Calendar. This can represent:
10121 #
10122 # * A full date, with non-zero year, month and day values
10123 # * A month and day value, with a zero year, e.g. an anniversary
10124 # * A year on its own, with zero month and day values
10125 # * A year and month value, with a zero day, e.g. a credit card expiration date
10126 #
10127 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10128 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10129 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10130 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10131 # if specifying a year by itself or a year and month where the day is not
10132 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10133 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10134 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10135 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10136 "stringValue": "A String", # string
10137 "booleanValue": True or False, # boolean
10138 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10139 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10140 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10141 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
10142 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10143 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10144 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10145 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10146 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10147 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10148 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10149 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10150 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
10151 # to learn more.
10152 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10153 # results in the same shift for the same context and crypto_key. If
10154 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10155 # a key encryption key (KEK) stored by KMS).
10156 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10157 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10158 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10159 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10160 # The wrapped key must be a 128/192/256 bit key.
10161 # Authorization requires the following IAM permissions when sending a request
10162 # to perform a crypto transformation using a kms-wrapped crypto key:
10163 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10164 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10165 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10166 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10167 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10168 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10169 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10170 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10171 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10172 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10173 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10174 # This is an arbitrary string used to differentiate different keys.
10175 # A unique key is generated per name: two separate `TransientCryptoKey`
10176 # protos share the same generated key if their names are the same.
10177 # When the data crypto key is generated, this name is not used in any way
10178 # (repeating the api call will result in a different key being generated).
10179 },
10180 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10181 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
10182 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10183 # range (inclusive ends). Negative means shift to earlier in time. Must not
10184 # be more than 365250 days (1000 years) each direction.
10185 #
10186 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10187 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10188 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10189 # given context.
10190 "name": "A String", # Name describing the field.
10191 },
10192 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10193 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10194 # (FPE) with the FFX mode of operation; however when used in the
10195 # `ReidentifyContent` API method, it serves the opposite function by reversing
10196 # the surrogate back into the original identifier. The identifier must be
10197 # encoded as ASCII. For a given crypto key and context, the same identifier
10198 # will be replaced with the same surrogate. Identifiers must be at least two
10199 # characters long. In the case that the identifier is the empty string, it will
10200 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
10201 # more.
10202 #
10203 # Note: We recommend using CryptoDeterministicConfig for all use cases which
10204 # do not require preserving the input alphabet space and size, plus warrant
10205 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10206 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10207 # a key encryption key (KEK) stored by KMS).
10208 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10209 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10210 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10211 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10212 # The wrapped key must be a 128/192/256 bit key.
10213 # Authorization requires the following IAM permissions when sending a request
10214 # to perform a crypto transformation using a kms-wrapped crypto key:
10215 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10216 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10217 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10218 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10219 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10220 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10221 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10222 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10223 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10224 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10225 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10226 # This is an arbitrary string used to differentiate different keys.
10227 # A unique key is generated per name: two separate `TransientCryptoKey`
10228 # protos share the same generated key if their names are the same.
10229 # When the data crypto key is generated, this name is not used in any way
10230 # (repeating the api call will result in a different key being generated).
10231 },
10232 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10233 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
10234 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10235 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
10236 # that the FFX mode natively supports. This happens before/after
10237 # encryption/decryption.
10238 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10239 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10240 # This must be encoded as ASCII.
10241 # The order of characters does not matter.
10242 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
10243 # identifier in two different contexts won't be given the same surrogate. If
10244 # the context is not set, a default tweak will be used.
10245 #
10246 # If the context is set but:
10247 #
10248 # 1. there is no record present when transforming a given value or
10249 # 1. the field is not present when transforming a given value,
10250 #
10251 # a default tweak will be used.
10252 #
10253 # Note that case (1) is expected when an `InfoTypeTransformation` is
10254 # applied to both structured and non-structured `ContentItem`s.
10255 # Currently, the referenced field may be of value type integer or string.
10256 #
10257 # The tweak is constructed as a sequence of bytes in big endian byte order
10258 # such that:
10259 #
10260 # - a 64 bit integer is encoded followed by a single byte of value 1
10261 # - a string is encoded in UTF-8 format followed by a single byte of value 2
10262 "name": "A String", # Name describing the field.
10263 },
10264 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
10265 # This annotation will be applied to the surrogate by prefixing it with
10266 # the name of the custom infoType followed by the number of
10267 # characters comprising the surrogate. The following scheme defines the
10268 # format: info_type_name(surrogate_character_count):surrogate
10269 #
10270 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
10271 # the surrogate is 'abc', the full replacement value
10272 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
10273 #
10274 # This annotation identifies the surrogate when inspecting content using the
10275 # custom infoType
10276 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
10277 # This facilitates reversal of the surrogate when it occurs in free text.
10278 #
10279 # In order for inspection to work properly, the name of this infoType must
10280 # not occur naturally anywhere in your data; otherwise, inspection may
10281 # find a surrogate that does not correspond to an actual identifier.
10282 # Therefore, choose your custom infoType name carefully after considering
10283 # what your data looks like. One way to select a name that has a high chance
10284 # of yielding reliable detection is to include one or more unicode characters
10285 # that are highly improbable to exist in your data.
10286 # For example, assuming your data is entered from a regular ASCII keyboard,
10287 # the symbol with the hex code point 29DD might be used like so:
10288 # ⧝MY_TOKEN_TYPE
10289 "name": "A String", # Name of the information type. Either a name of your choosing when
10290 # creating a CustomInfoType, or one of the names listed
10291 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10292 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10293 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10294 },
10295 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10296 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
10297 # replacement values are dynamically provided by the user for custom behavior,
10298 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
10299 # This can be used on
10300 # data of type: number, long, string, timestamp.
10301 # If the bound `Value` type differs from the type of data being transformed, we
10302 # will first attempt converting the type of the data to be transformed to match
10303 # the type of the bound before comparing.
10304 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10305 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
10306 { # Bucket is represented as a range, along with replacement values.
10307 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
10308 # Note that for the purposes of inspection or transformation, the number
10309 # of bytes considered to comprise a 'Value' is based on its representation
10310 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10311 # 123456789, the number of bytes would be counted as 9, even though an
10312 # int64 only holds up to 8 bytes of data.
10313 "floatValue": 3.14, # float
10314 "timestampValue": "A String", # timestamp
10315 "dayOfWeekValue": "A String", # day of week
10316 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
10317 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10318 # types are google.type.Date and `google.protobuf.Timestamp`.
10319 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10320 # to allow the value "24:00:00" for scenarios like business closing time.
10321 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10322 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10323 # allow the value 60 if it allows leap-seconds.
10324 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10325 },
10326 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10327 # and time zone are either specified elsewhere or are not significant. The date
10328 # is relative to the Proleptic Gregorian Calendar. This can represent:
10329 #
10330 # * A full date, with non-zero year, month and day values
10331 # * A month and day value, with a zero year, e.g. an anniversary
10332 # * A year on its own, with zero month and day values
10333 # * A year and month value, with a zero day, e.g. a credit card expiration date
10334 #
10335 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10336 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10337 # month and day.
10338 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10339 # if specifying a year by itself or a year and month where the day is not
10340 # significant.
10341 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10342 # a year.
10343 },
10344 "stringValue": "A String", # string
10345 "booleanValue": True or False, # boolean
10346 "integerValue": "A String", # integer
10347 },
10348 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
10349 # the default behavior will be to hyphenate the min-max range.
10350 # Note that for the purposes of inspection or transformation, the number
10351 # of bytes considered to comprise a 'Value' is based on its representation
10352 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10353 # 123456789, the number of bytes would be counted as 9, even though an
10354 # int64 only holds up to 8 bytes of data.
10355 "floatValue": 3.14, # float
10356 "timestampValue": "A String", # timestamp
10357 "dayOfWeekValue": "A String", # day of week
10358 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
10359 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10360 # types are google.type.Date and `google.protobuf.Timestamp`.
10361 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10362 # to allow the value "24:00:00" for scenarios like business closing time.
10363 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10364 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10365 # allow the value 60 if it allows leap-seconds.
10366 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10367 },
10368 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10369 # and time zone are either specified elsewhere or are not significant. The date
10370 # is relative to the Proleptic Gregorian Calendar. This can represent:
10371 #
10372 # * A full date, with non-zero year, month and day values
10373 # * A month and day value, with a zero year, e.g. an anniversary
10374 # * A year on its own, with zero month and day values
10375 # * A year and month value, with a zero day, e.g. a credit card expiration date
10376 #
10377 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10378 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10379 # month and day.
10380 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10381 # if specifying a year by itself or a year and month where the day is not
10382 # significant.
10383 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10384 # a year.
10385 },
10386 "stringValue": "A String", # string
10387 "booleanValue": True or False, # boolean
10388 "integerValue": "A String", # integer
10389 },
10390 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
10391 # used.
10392 # Note that for the purposes of inspection or transformation, the number
10393 # of bytes considered to comprise a 'Value' is based on its representation
10394 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10395 # 123456789, the number of bytes would be counted as 9, even though an
10396 # int64 only holds up to 8 bytes of data.
10397 "floatValue": 3.14, # float
10398 "timestampValue": "A String", # timestamp
10399 "dayOfWeekValue": "A String", # day of week
10400 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
10401 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10402 # types are google.type.Date and `google.protobuf.Timestamp`.
10403 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10404 # to allow the value "24:00:00" for scenarios like business closing time.
10405 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10406 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10407 # allow the value 60 if it allows leap-seconds.
10408 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10409 },
10410 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10411 # and time zone are either specified elsewhere or are not significant. The date
10412 # is relative to the Proleptic Gregorian Calendar. This can represent:
10413 #
10414 # * A full date, with non-zero year, month and day values
10415 # * A month and day value, with a zero year, e.g. an anniversary
10416 # * A year on its own, with zero month and day values
10417 # * A year and month value, with a zero day, e.g. a credit card expiration date
10418 #
10419 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
10420 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10421 # month and day.
10422 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10423 # if specifying a year by itself or a year and month where the day is not
10424 # significant.
10425 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10426 # a year.
10427 },
10428 "stringValue": "A String", # string
10429 "booleanValue": True or False, # boolean
10430 "integerValue": "A String", # integer
10431 },
10432 },
10433 ],
10434 },
10435 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
10436 # Uses SHA-256.
10437 # The key size must be either 32 or 64 bytes.
10438 # Outputs a base64 encoded representation of the hashed output
10439 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
10440 # Currently, only string and integer values can be hashed.
10441 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
10442 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
10443 # a key encryption key (KEK) stored by KMS).
10444 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10445 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10446 # unwrap the data crypto key.
10447 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
10448 # The wrapped key must be a 128/192/256 bit key.
10449 # Authorization requires the following IAM permissions when sending a request
10450 # to perform a crypto transformation using a kms-wrapped crypto key:
10451 # dlp.kms.encrypt
10452 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10453 "wrappedKey": "A String", # Required. The wrapped data crypto key.
10454 },
10455 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
10456 # leaking the key. Choose another type of key if possible.
10457 "key": "A String", # Required. A 128/192/256 bit key.
10458 },
10459 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
10460 # It will be discarded after the request finishes.
10461 "name": "A String", # Required. Name of the key.
10462 # This is an arbitrary string used to differentiate different keys.
10463 # A unique key is generated per name: two separate `TransientCryptoKey`
10464 # protos share the same generated key if their names are the same.
10465 # When the data crypto key is generated, this name is not used in any way
10466 # (repeating the api call will result in a different key being generated).
10467 },
10468 },
10469 },
10470 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10471 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
10472 # Note that for the purposes of inspection or transformation, the number
10473 # of bytes considered to comprise a 'Value' is based on its representation
10474 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10475 # 123456789, the number of bytes would be counted as 9, even though an
10476 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10477 "floatValue": 3.14, # float
10478 "timestampValue": "A String", # timestamp
10479 "dayOfWeekValue": "A String", # day of week
10480 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10481 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10482 # types are google.type.Date and `google.protobuf.Timestamp`.
10483 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10484 # to allow the value "24:00:00" for scenarios like business closing time.
10485 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10486 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10487 # allow the value 60 if it allows leap-seconds.
10488 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10489 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10490 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10491 # and time zone are either specified elsewhere or are not significant. The date
10492 # is relative to the Proleptic Gregorian Calendar. This can represent:
10493 #
10494 # * A full date, with non-zero year, month and day values
10495 # * A month and day value, with a zero year, e.g. an anniversary
10496 # * A year on its own, with zero month and day values
10497 # * A year and month value, with a zero day, e.g. a credit card expiration date
10498 #
10499 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10500 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10501 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10502 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10503 # if specifying a year by itself or a year and month where the day is not
10504 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10505 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10506 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10507 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10508 "stringValue": "A String", # string
10509 "booleanValue": True or False, # boolean
10510 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10511 },
10512 },
10513 },
10514 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
10515 # this transformation to apply to all findings that correspond to
10516 # infoTypes that were requested in `InspectConfig`.
10517 { # Type of information detected by the API.
10518 "name": "A String", # Name of the information type. Either a name of your choosing when
10519 # creating a CustomInfoType, or one of the names listed
10520 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10521 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10522 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10523 },
10524 ],
10525 },
10526 ],
10527 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10528 },
10529 ],
10530 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10531 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
10532 # mode is `TransformationErrorHandling.ThrowError`.
10533 # transformation error occurs when the requested transformation is incompatible
10534 # with the data. For example, trying to de-identify an IP address using a
10535 # `DateShift` transformation would result in a transformation error, since date
10536 # info cannot be extracted from an IP address.
10537 # Information about any incompatible transformations, and how they were
10538 # handled, is returned in the response as part of the
10539 # `TransformationOverviews`.
10540 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
10541 },
10542 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
10543 # cause an error. For example, if a `DateShift` transformation were applied
10544 # an an IP address, this mode would leave the IP address unchanged in the
10545 # response.
10546 },
10547 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10548 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10549 "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
10550 "name": "A String", # Output only. The template name.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10551 #
10552 # The template will have one of the following formats:
10553 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
10554 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
10555 },
10556 "updateMask": "A String", # Mask to control which fields get updated.
10557 }
10558
10559 x__xgafv: string, V1 error format.
10560 Allowed values
10561 1 - v1 error format
10562 2 - v2 error format
10563
10564Returns:
10565 An object of the form:
10566
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10567 { # DeidentifyTemplates contains instructions on how to de-identify content.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10568 # See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10569 "updateTime": "A String", # Output only. The last update timestamp of an inspectTemplate.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10570 "displayName": "A String", # Display name (max 256 chars).
10571 "description": "A String", # Short description (max 256 chars).
10572 "deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
10573 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
10574 # transformation everywhere.
10575 # apply various `PrimitiveTransformation`s to each finding, where the
10576 # transformation is applied to only values that were identified as a specific
10577 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10578 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
10579 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10580 { # A transformation to apply to text that is identified as a specific
10581 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10582 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
10583 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10584 # input. Outputs a base64 encoded representation of the encrypted output.
10585 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
10586 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
10587 # a key encryption key (KEK) stored by KMS).
10588 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10589 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10590 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10591 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10592 # The wrapped key must be a 128/192/256 bit key.
10593 # Authorization requires the following IAM permissions when sending a request
10594 # to perform a crypto transformation using a kms-wrapped crypto key:
10595 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10596 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10597 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10598 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10599 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10600 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10601 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10602 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10603 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10604 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10605 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10606 # This is an arbitrary string used to differentiate different keys.
10607 # A unique key is generated per name: two separate `TransientCryptoKey`
10608 # protos share the same generated key if their names are the same.
10609 # When the data crypto key is generated, this name is not used in any way
10610 # (repeating the api call will result in a different key being generated).
10611 },
10612 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10613 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10614 # referential integrity such that the same identifier in two different
10615 # contexts will be given a distinct surrogate. The context is appended to
10616 # plaintext value being encrypted. On decryption the provided context is
10617 # validated against the value used during encryption. If a context was
10618 # provided during encryption, same context must be provided during decryption
10619 # as well.
10620 #
10621 # If the context is not set, plaintext would be used as is for encryption.
10622 # If the context is set but:
10623 #
10624 # 1. there is no record present when transforming a given value or
10625 # 2. the field is not present when transforming a given value,
10626 #
10627 # plaintext would be used as is for encryption.
10628 #
10629 # Note that case (1) is expected when an `InfoTypeTransformation` is
10630 # applied to both structured and non-structured `ContentItem`s.
10631 "name": "A String", # Name describing the field.
10632 },
10633 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
10634 # This annotation will be applied to the surrogate by prefixing it with
10635 # the name of the custom info type followed by the number of
10636 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10637 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10638 #
10639 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
10640 # the surrogate is 'abc', the full replacement value
10641 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
10642 #
10643 # This annotation identifies the surrogate when inspecting content using the
10644 # custom info type 'Surrogate'. This facilitates reversal of the
10645 # surrogate when it occurs in free text.
10646 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10647 # Note: For record transformations where the entire cell in a table is being
10648 # transformed, surrogates are not mandatory. Surrogates are used to denote
10649 # the location of the token and are necessary for re-identification in free
10650 # form text.
10651 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10652 # In order for inspection to work properly, the name of this info type must
10653 # not occur naturally anywhere in your data; otherwise, inspection may either
10654 #
10655 # - reverse a surrogate that does not correspond to an actual identifier
10656 # - be unable to parse the surrogate and result in an error
10657 #
10658 # Therefore, choose your custom info type name carefully after considering
10659 # what your data looks like. One way to select a name that has a high chance
10660 # of yielding reliable detection is to include one or more unicode characters
10661 # that are highly improbable to exist in your data.
10662 # For example, assuming your data is entered from a regular ASCII keyboard,
10663 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10664 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10665 "name": "A String", # Name of the information type. Either a name of your choosing when
10666 # creating a CustomInfoType, or one of the names listed
10667 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10668 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10669 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10670 },
10671 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10672 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
10673 # fixed character. Masking can start from the beginning or end of the string.
10674 # This can be used on data of any type (numbers, longs, and so on) and when
10675 # de-identifying structured data we'll attempt to preserve the original data's
10676 # type. (This allows you to take a long like 123 and modify it to a string like
10677 # **3.
10678 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
10679 # characters. For example, if the input string is `555-555-5555` and you
10680 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
10681 # returns `***-**5-5555`.
10682 { # Characters to skip when doing deidentification of a value. These will be left
10683 # alone and skipped.
10684 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
10685 # punctuation.
10686 "charactersToSkip": "A String", # Characters to not transform when masking.
10687 },
10688 ],
10689 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
10690 # masked. Skipped characters do not count towards this tally.
10691 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
10692 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
10693 # code or credit card number. This string must have a length of 1. If not
10694 # supplied, this value defaults to `*` for strings, and `0` for digits.
10695 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
10696 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
10697 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
10698 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
10699 # is `true`, then the string `12345` is masked as `12***`.
10700 },
10701 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
10702 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
10703 # output would be 'My phone number is '.
10704 },
10705 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
10706 },
10707 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10708 # Bucketing transformation can provide all of this functionality,
10709 # but requires more configuration. This message is provided as a convenience to
10710 # the user for simple bucketing strategies.
10711 #
10712 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10713 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10714 # all values that are within this bucket will be replaced with "10-20".
10715 #
10716 # This can be used on data of type: double, long.
10717 #
10718 # If the bound Value type differs from the type of data
10719 # being transformed, we will first attempt converting the type of the data to
10720 # be transformed to match the type of the bound before comparing.
10721 #
10722 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10723 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10724 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10725 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10726 # Note that for the purposes of inspection or transformation, the number
10727 # of bytes considered to comprise a 'Value' is based on its representation
10728 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10729 # 123456789, the number of bytes would be counted as 9, even though an
10730 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10731 "floatValue": 3.14, # float
10732 "timestampValue": "A String", # timestamp
10733 "dayOfWeekValue": "A String", # day of week
10734 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10735 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10736 # types are google.type.Date and `google.protobuf.Timestamp`.
10737 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10738 # to allow the value "24:00:00" for scenarios like business closing time.
10739 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10740 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10741 # allow the value 60 if it allows leap-seconds.
10742 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10743 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10744 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10745 # and time zone are either specified elsewhere or are not significant. The date
10746 # is relative to the Proleptic Gregorian Calendar. This can represent:
10747 #
10748 # * A full date, with non-zero year, month and day values
10749 # * A month and day value, with a zero year, e.g. an anniversary
10750 # * A year on its own, with zero month and day values
10751 # * A year and month value, with a zero day, e.g. a credit card expiration date
10752 #
10753 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10754 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10755 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10756 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10757 # if specifying a year by itself or a year and month where the day is not
10758 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10759 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10760 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10761 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10762 "stringValue": "A String", # string
10763 "booleanValue": True or False, # boolean
10764 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10765 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10766 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10767 # grouped together into a single bucket; for example if `upper_bound` = 89,
10768 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10769 # Note that for the purposes of inspection or transformation, the number
10770 # of bytes considered to comprise a 'Value' is based on its representation
10771 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10772 # 123456789, the number of bytes would be counted as 9, even though an
10773 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10774 "floatValue": 3.14, # float
10775 "timestampValue": "A String", # timestamp
10776 "dayOfWeekValue": "A String", # day of week
10777 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10778 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10779 # types are google.type.Date and `google.protobuf.Timestamp`.
10780 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10781 # to allow the value "24:00:00" for scenarios like business closing time.
10782 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10783 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10784 # allow the value 60 if it allows leap-seconds.
10785 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10786 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10787 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10788 # and time zone are either specified elsewhere or are not significant. The date
10789 # is relative to the Proleptic Gregorian Calendar. This can represent:
10790 #
10791 # * A full date, with non-zero year, month and day values
10792 # * A month and day value, with a zero year, e.g. an anniversary
10793 # * A year on its own, with zero month and day values
10794 # * A year and month value, with a zero day, e.g. a credit card expiration date
10795 #
10796 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10797 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
10798 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10799 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
10800 # if specifying a year by itself or a year and month where the day is not
10801 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10802 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
10803 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10804 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10805 "stringValue": "A String", # string
10806 "booleanValue": True or False, # boolean
10807 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10808 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10809 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10810 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
10811 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10812 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10813 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10814 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10815 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10816 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10817 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10818 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10819 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
10820 # to learn more.
10821 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10822 # results in the same shift for the same context and crypto_key. If
10823 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10824 # a key encryption key (KEK) stored by KMS).
10825 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10826 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10827 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10828 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10829 # The wrapped key must be a 128/192/256 bit key.
10830 # Authorization requires the following IAM permissions when sending a request
10831 # to perform a crypto transformation using a kms-wrapped crypto key:
10832 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10833 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10834 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10835 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10836 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10837 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10838 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10839 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10840 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10841 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10842 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10843 # This is an arbitrary string used to differentiate different keys.
10844 # A unique key is generated per name: two separate `TransientCryptoKey`
10845 # protos share the same generated key if their names are the same.
10846 # When the data crypto key is generated, this name is not used in any way
10847 # (repeating the api call will result in a different key being generated).
10848 },
10849 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10850 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
10851 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10852 # range (inclusive ends). Negative means shift to earlier in time. Must not
10853 # be more than 365250 days (1000 years) each direction.
10854 #
10855 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10856 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10857 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10858 # given context.
10859 "name": "A String", # Name describing the field.
10860 },
10861 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10862 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10863 # (FPE) with the FFX mode of operation; however when used in the
10864 # `ReidentifyContent` API method, it serves the opposite function by reversing
10865 # the surrogate back into the original identifier. The identifier must be
10866 # encoded as ASCII. For a given crypto key and context, the same identifier
10867 # will be replaced with the same surrogate. Identifiers must be at least two
10868 # characters long. In the case that the identifier is the empty string, it will
10869 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
10870 # more.
10871 #
10872 # Note: We recommend using CryptoDeterministicConfig for all use cases which
10873 # do not require preserving the input alphabet space and size, plus warrant
10874 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10875 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10876 # a key encryption key (KEK) stored by KMS).
10877 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
10878 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
10879 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10880 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10881 # The wrapped key must be a 128/192/256 bit key.
10882 # Authorization requires the following IAM permissions when sending a request
10883 # to perform a crypto transformation using a kms-wrapped crypto key:
10884 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10885 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
10886 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10887 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10888 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10889 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10890 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10891 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10892 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10893 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10894 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10895 # This is an arbitrary string used to differentiate different keys.
10896 # A unique key is generated per name: two separate `TransientCryptoKey`
10897 # protos share the same generated key if their names are the same.
10898 # When the data crypto key is generated, this name is not used in any way
10899 # (repeating the api call will result in a different key being generated).
10900 },
10901 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10902 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
10903 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10904 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
10905 # that the FFX mode natively supports. This happens before/after
10906 # encryption/decryption.
10907 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10908 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10909 # This must be encoded as ASCII.
10910 # The order of characters does not matter.
10911 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
10912 # identifier in two different contexts won't be given the same surrogate. If
10913 # the context is not set, a default tweak will be used.
10914 #
10915 # If the context is set but:
10916 #
10917 # 1. there is no record present when transforming a given value or
10918 # 1. the field is not present when transforming a given value,
10919 #
10920 # a default tweak will be used.
10921 #
10922 # Note that case (1) is expected when an `InfoTypeTransformation` is
10923 # applied to both structured and non-structured `ContentItem`s.
10924 # Currently, the referenced field may be of value type integer or string.
10925 #
10926 # The tweak is constructed as a sequence of bytes in big endian byte order
10927 # such that:
10928 #
10929 # - a 64 bit integer is encoded followed by a single byte of value 1
10930 # - a string is encoded in UTF-8 format followed by a single byte of value 2
10931 "name": "A String", # Name describing the field.
10932 },
10933 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
10934 # This annotation will be applied to the surrogate by prefixing it with
10935 # the name of the custom infoType followed by the number of
10936 # characters comprising the surrogate. The following scheme defines the
10937 # format: info_type_name(surrogate_character_count):surrogate
10938 #
10939 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
10940 # the surrogate is 'abc', the full replacement value
10941 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
10942 #
10943 # This annotation identifies the surrogate when inspecting content using the
10944 # custom infoType
10945 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
10946 # This facilitates reversal of the surrogate when it occurs in free text.
10947 #
10948 # In order for inspection to work properly, the name of this infoType must
10949 # not occur naturally anywhere in your data; otherwise, inspection may
10950 # find a surrogate that does not correspond to an actual identifier.
10951 # Therefore, choose your custom infoType name carefully after considering
10952 # what your data looks like. One way to select a name that has a high chance
10953 # of yielding reliable detection is to include one or more unicode characters
10954 # that are highly improbable to exist in your data.
10955 # For example, assuming your data is entered from a regular ASCII keyboard,
10956 # the symbol with the hex code point 29DD might be used like so:
10957 # ⧝MY_TOKEN_TYPE
10958 "name": "A String", # Name of the information type. Either a name of your choosing when
10959 # creating a CustomInfoType, or one of the names listed
10960 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
10961 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10962 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]10963 },
10964 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]10965 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
10966 # replacement values are dynamically provided by the user for custom behavior,
10967 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
10968 # This can be used on
10969 # data of type: number, long, string, timestamp.
10970 # If the bound `Value` type differs from the type of data being transformed, we
10971 # will first attempt converting the type of the data to be transformed to match
10972 # the type of the bound before comparing.
10973 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
10974 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
10975 { # Bucket is represented as a range, along with replacement values.
10976 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
10977 # Note that for the purposes of inspection or transformation, the number
10978 # of bytes considered to comprise a 'Value' is based on its representation
10979 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
10980 # 123456789, the number of bytes would be counted as 9, even though an
10981 # int64 only holds up to 8 bytes of data.
10982 "floatValue": 3.14, # float
10983 "timestampValue": "A String", # timestamp
10984 "dayOfWeekValue": "A String", # day of week
10985 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
10986 # or are specified elsewhere. An API may choose to allow leap seconds. Related
10987 # types are google.type.Date and `google.protobuf.Timestamp`.
10988 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
10989 # to allow the value "24:00:00" for scenarios like business closing time.
10990 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
10991 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
10992 # allow the value 60 if it allows leap-seconds.
10993 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
10994 },
10995 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
10996 # and time zone are either specified elsewhere or are not significant. The date
10997 # is relative to the Proleptic Gregorian Calendar. This can represent:
10998 #
10999 # * A full date, with non-zero year, month and day values
11000 # * A month and day value, with a zero year, e.g. an anniversary
11001 # * A year on its own, with zero month and day values
11002 # * A year and month value, with a zero day, e.g. a credit card expiration date
11003 #
11004 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11005 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11006 # month and day.
11007 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11008 # if specifying a year by itself or a year and month where the day is not
11009 # significant.
11010 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11011 # a year.
11012 },
11013 "stringValue": "A String", # string
11014 "booleanValue": True or False, # boolean
11015 "integerValue": "A String", # integer
11016 },
11017 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
11018 # the default behavior will be to hyphenate the min-max range.
11019 # Note that for the purposes of inspection or transformation, the number
11020 # of bytes considered to comprise a 'Value' is based on its representation
11021 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11022 # 123456789, the number of bytes would be counted as 9, even though an
11023 # int64 only holds up to 8 bytes of data.
11024 "floatValue": 3.14, # float
11025 "timestampValue": "A String", # timestamp
11026 "dayOfWeekValue": "A String", # day of week
11027 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11028 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11029 # types are google.type.Date and `google.protobuf.Timestamp`.
11030 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11031 # to allow the value "24:00:00" for scenarios like business closing time.
11032 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11033 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11034 # allow the value 60 if it allows leap-seconds.
11035 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11036 },
11037 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11038 # and time zone are either specified elsewhere or are not significant. The date
11039 # is relative to the Proleptic Gregorian Calendar. This can represent:
11040 #
11041 # * A full date, with non-zero year, month and day values
11042 # * A month and day value, with a zero year, e.g. an anniversary
11043 # * A year on its own, with zero month and day values
11044 # * A year and month value, with a zero day, e.g. a credit card expiration date
11045 #
11046 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11047 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11048 # month and day.
11049 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11050 # if specifying a year by itself or a year and month where the day is not
11051 # significant.
11052 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11053 # a year.
11054 },
11055 "stringValue": "A String", # string
11056 "booleanValue": True or False, # boolean
11057 "integerValue": "A String", # integer
11058 },
11059 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
11060 # used.
11061 # Note that for the purposes of inspection or transformation, the number
11062 # of bytes considered to comprise a 'Value' is based on its representation
11063 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11064 # 123456789, the number of bytes would be counted as 9, even though an
11065 # int64 only holds up to 8 bytes of data.
11066 "floatValue": 3.14, # float
11067 "timestampValue": "A String", # timestamp
11068 "dayOfWeekValue": "A String", # day of week
11069 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11070 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11071 # types are google.type.Date and `google.protobuf.Timestamp`.
11072 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11073 # to allow the value "24:00:00" for scenarios like business closing time.
11074 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11075 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11076 # allow the value 60 if it allows leap-seconds.
11077 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11078 },
11079 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11080 # and time zone are either specified elsewhere or are not significant. The date
11081 # is relative to the Proleptic Gregorian Calendar. This can represent:
11082 #
11083 # * A full date, with non-zero year, month and day values
11084 # * A month and day value, with a zero year, e.g. an anniversary
11085 # * A year on its own, with zero month and day values
11086 # * A year and month value, with a zero day, e.g. a credit card expiration date
11087 #
11088 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11089 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11090 # month and day.
11091 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11092 # if specifying a year by itself or a year and month where the day is not
11093 # significant.
11094 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11095 # a year.
11096 },
11097 "stringValue": "A String", # string
11098 "booleanValue": True or False, # boolean
11099 "integerValue": "A String", # integer
11100 },
11101 },
11102 ],
11103 },
11104 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
11105 # Uses SHA-256.
11106 # The key size must be either 32 or 64 bytes.
11107 # Outputs a base64 encoded representation of the hashed output
11108 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
11109 # Currently, only string and integer values can be hashed.
11110 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
11111 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
11112 # a key encryption key (KEK) stored by KMS).
11113 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11114 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11115 # unwrap the data crypto key.
11116 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11117 # The wrapped key must be a 128/192/256 bit key.
11118 # Authorization requires the following IAM permissions when sending a request
11119 # to perform a crypto transformation using a kms-wrapped crypto key:
11120 # dlp.kms.encrypt
11121 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11122 "wrappedKey": "A String", # Required. The wrapped data crypto key.
11123 },
11124 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11125 # leaking the key. Choose another type of key if possible.
11126 "key": "A String", # Required. A 128/192/256 bit key.
11127 },
11128 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
11129 # It will be discarded after the request finishes.
11130 "name": "A String", # Required. Name of the key.
11131 # This is an arbitrary string used to differentiate different keys.
11132 # A unique key is generated per name: two separate `TransientCryptoKey`
11133 # protos share the same generated key if their names are the same.
11134 # When the data crypto key is generated, this name is not used in any way
11135 # (repeating the api call will result in a different key being generated).
11136 },
11137 },
11138 },
11139 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11140 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
11141 # Note that for the purposes of inspection or transformation, the number
11142 # of bytes considered to comprise a 'Value' is based on its representation
11143 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11144 # 123456789, the number of bytes would be counted as 9, even though an
11145 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11146 "floatValue": 3.14, # float
11147 "timestampValue": "A String", # timestamp
11148 "dayOfWeekValue": "A String", # day of week
11149 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11150 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11151 # types are google.type.Date and `google.protobuf.Timestamp`.
11152 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11153 # to allow the value "24:00:00" for scenarios like business closing time.
11154 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11155 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11156 # allow the value 60 if it allows leap-seconds.
11157 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11158 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11159 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11160 # and time zone are either specified elsewhere or are not significant. The date
11161 # is relative to the Proleptic Gregorian Calendar. This can represent:
11162 #
11163 # * A full date, with non-zero year, month and day values
11164 # * A month and day value, with a zero year, e.g. an anniversary
11165 # * A year on its own, with zero month and day values
11166 # * A year and month value, with a zero day, e.g. a credit card expiration date
11167 #
11168 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11169 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11170 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11171 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11172 # if specifying a year by itself or a year and month where the day is not
11173 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11174 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11175 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11176 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11177 "stringValue": "A String", # string
11178 "booleanValue": True or False, # boolean
11179 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11180 },
11181 },
11182 },
11183 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
11184 # this transformation to apply to all findings that correspond to
11185 # infoTypes that were requested in `InspectConfig`.
11186 { # Type of information detected by the API.
11187 "name": "A String", # Name of the information type. Either a name of your choosing when
11188 # creating a CustomInfoType, or one of the names listed
11189 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11190 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11191 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11192 },
11193 ],
11194 },
11195 ],
11196 },
11197 "recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
11198 # specific locations within structured datasets, such as transforming
11199 # a column within a table.
11200 # table.
11201 "recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11202 # match any suppression rule are omitted from the output.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11203 { # Configuration to suppress records whose suppression conditions evaluate to
11204 # true.
11205 "condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
11206 # evaluated to be suppressed from the transformed content.
11207 # a field.
11208 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11209 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
11210 "conditions": [ # A collection of conditions.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11211 { # The field type of `value` and `field` do not need to match to be
11212 # considered equal, but not all comparisons are possible.
11213 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
11214 # but all other comparisons are invalid with incompatible types.
11215 # A `value` of type:
11216 #
11217 # - `string` can be compared against all other types
11218 # - `boolean` can only be compared against other booleans
11219 # - `integer` can be compared against doubles or a string if the string value
11220 # can be parsed as an integer.
11221 # - `double` can be compared against integers or a string if the string can
11222 # be parsed as a double.
11223 # - `Timestamp` can be compared against strings in RFC 3339 date string
11224 # format.
11225 # - `TimeOfDay` can be compared against timestamps and strings in the format
11226 # of 'HH:mm:ss'.
11227 #
11228 # If we fail to compare do to type mismatch, a warning will be given and
11229 # the condition will evaluate to false.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11230 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
11231 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11232 "name": "A String", # Name describing the field.
11233 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11234 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11235 # Note that for the purposes of inspection or transformation, the number
11236 # of bytes considered to comprise a 'Value' is based on its representation
11237 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11238 # 123456789, the number of bytes would be counted as 9, even though an
11239 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11240 "floatValue": 3.14, # float
11241 "timestampValue": "A String", # timestamp
11242 "dayOfWeekValue": "A String", # day of week
11243 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11244 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11245 # types are google.type.Date and `google.protobuf.Timestamp`.
11246 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11247 # to allow the value "24:00:00" for scenarios like business closing time.
11248 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11249 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11250 # allow the value 60 if it allows leap-seconds.
11251 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11252 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11253 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11254 # and time zone are either specified elsewhere or are not significant. The date
11255 # is relative to the Proleptic Gregorian Calendar. This can represent:
11256 #
11257 # * A full date, with non-zero year, month and day values
11258 # * A month and day value, with a zero year, e.g. an anniversary
11259 # * A year on its own, with zero month and day values
11260 # * A year and month value, with a zero day, e.g. a credit card expiration date
11261 #
11262 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11263 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11264 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11265 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11266 # if specifying a year by itself or a year and month where the day is not
11267 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11268 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11269 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11270 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11271 "stringValue": "A String", # string
11272 "booleanValue": True or False, # boolean
11273 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11274 },
11275 },
11276 ],
11277 },
11278 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
11279 # only supported value is `AND`.
11280 },
11281 },
11282 },
11283 ],
11284 "fieldTransformations": [ # Transform the record by applying various field transformations.
11285 { # The transformation to apply to the field.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11286 "fields": [ # Required. Input field(s) to apply the transformation to.
11287 { # General identifier of a data field in a storage service.
11288 "name": "A String", # Name describing the field.
11289 },
11290 ],
11291 "primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
11292 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
11293 # input. Outputs a base64 encoded representation of the encrypted output.
11294 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
11295 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
11296 # a key encryption key (KEK) stored by KMS).
11297 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11298 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11299 # unwrap the data crypto key.
11300 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11301 # The wrapped key must be a 128/192/256 bit key.
11302 # Authorization requires the following IAM permissions when sending a request
11303 # to perform a crypto transformation using a kms-wrapped crypto key:
11304 # dlp.kms.encrypt
11305 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11306 "wrappedKey": "A String", # Required. The wrapped data crypto key.
11307 },
11308 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11309 # leaking the key. Choose another type of key if possible.
11310 "key": "A String", # Required. A 128/192/256 bit key.
11311 },
11312 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
11313 # It will be discarded after the request finishes.
11314 "name": "A String", # Required. Name of the key.
11315 # This is an arbitrary string used to differentiate different keys.
11316 # A unique key is generated per name: two separate `TransientCryptoKey`
11317 # protos share the same generated key if their names are the same.
11318 # When the data crypto key is generated, this name is not used in any way
11319 # (repeating the api call will result in a different key being generated).
11320 },
11321 },
11322 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
11323 # referential integrity such that the same identifier in two different
11324 # contexts will be given a distinct surrogate. The context is appended to
11325 # plaintext value being encrypted. On decryption the provided context is
11326 # validated against the value used during encryption. If a context was
11327 # provided during encryption, same context must be provided during decryption
11328 # as well.
11329 #
11330 # If the context is not set, plaintext would be used as is for encryption.
11331 # If the context is set but:
11332 #
11333 # 1. there is no record present when transforming a given value or
11334 # 2. the field is not present when transforming a given value,
11335 #
11336 # plaintext would be used as is for encryption.
11337 #
11338 # Note that case (1) is expected when an `InfoTypeTransformation` is
11339 # applied to both structured and non-structured `ContentItem`s.
11340 "name": "A String", # Name describing the field.
11341 },
11342 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
11343 # This annotation will be applied to the surrogate by prefixing it with
11344 # the name of the custom info type followed by the number of
11345 # characters comprising the surrogate. The following scheme defines the
11346 # format: {info type name}({surrogate character count}):{surrogate}
11347 #
11348 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
11349 # the surrogate is 'abc', the full replacement value
11350 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
11351 #
11352 # This annotation identifies the surrogate when inspecting content using the
11353 # custom info type 'Surrogate'. This facilitates reversal of the
11354 # surrogate when it occurs in free text.
11355 #
11356 # Note: For record transformations where the entire cell in a table is being
11357 # transformed, surrogates are not mandatory. Surrogates are used to denote
11358 # the location of the token and are necessary for re-identification in free
11359 # form text.
11360 #
11361 # In order for inspection to work properly, the name of this info type must
11362 # not occur naturally anywhere in your data; otherwise, inspection may either
11363 #
11364 # - reverse a surrogate that does not correspond to an actual identifier
11365 # - be unable to parse the surrogate and result in an error
11366 #
11367 # Therefore, choose your custom info type name carefully after considering
11368 # what your data looks like. One way to select a name that has a high chance
11369 # of yielding reliable detection is to include one or more unicode characters
11370 # that are highly improbable to exist in your data.
11371 # For example, assuming your data is entered from a regular ASCII keyboard,
11372 # the symbol with the hex code point 29DD might be used like so:
11373 # ⧝MY_TOKEN_TYPE.
11374 "name": "A String", # Name of the information type. Either a name of your choosing when
11375 # creating a CustomInfoType, or one of the names listed
11376 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11377 # a built-in type. InfoType names should conform to the pattern
11378 # `[a-zA-Z0-9_]{1,64}`.
11379 },
11380 },
11381 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
11382 # fixed character. Masking can start from the beginning or end of the string.
11383 # This can be used on data of any type (numbers, longs, and so on) and when
11384 # de-identifying structured data we'll attempt to preserve the original data's
11385 # type. (This allows you to take a long like 123 and modify it to a string like
11386 # **3.
11387 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
11388 # characters. For example, if the input string is `555-555-5555` and you
11389 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
11390 # returns `***-**5-5555`.
11391 { # Characters to skip when doing deidentification of a value. These will be left
11392 # alone and skipped.
11393 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
11394 # punctuation.
11395 "charactersToSkip": "A String", # Characters to not transform when masking.
11396 },
11397 ],
11398 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
11399 # masked. Skipped characters do not count towards this tally.
11400 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
11401 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
11402 # code or credit card number. This string must have a length of 1. If not
11403 # supplied, this value defaults to `*` for strings, and `0` for digits.
11404 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
11405 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
11406 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
11407 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
11408 # is `true`, then the string `12345` is masked as `12***`.
11409 },
11410 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
11411 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
11412 # output would be 'My phone number is '.
11413 },
11414 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
11415 },
11416 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
11417 # Bucketing transformation can provide all of this functionality,
11418 # but requires more configuration. This message is provided as a convenience to
11419 # the user for simple bucketing strategies.
11420 #
11421 # The transformed value will be a hyphenated string of
11422 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
11423 # all values that are within this bucket will be replaced with "10-20".
11424 #
11425 # This can be used on data of type: double, long.
11426 #
11427 # If the bound Value type differs from the type of data
11428 # being transformed, we will first attempt converting the type of the data to
11429 # be transformed to match the type of the bound before comparing.
11430 #
11431 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11432 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
11433 # grouped together into a single bucket; for example if `lower_bound` = 10,
11434 # then all values less than 10 are replaced with the value “-10”.
11435 # Note that for the purposes of inspection or transformation, the number
11436 # of bytes considered to comprise a 'Value' is based on its representation
11437 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11438 # 123456789, the number of bytes would be counted as 9, even though an
11439 # int64 only holds up to 8 bytes of data.
11440 "floatValue": 3.14, # float
11441 "timestampValue": "A String", # timestamp
11442 "dayOfWeekValue": "A String", # day of week
11443 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11444 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11445 # types are google.type.Date and `google.protobuf.Timestamp`.
11446 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11447 # to allow the value "24:00:00" for scenarios like business closing time.
11448 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11449 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11450 # allow the value 60 if it allows leap-seconds.
11451 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11452 },
11453 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11454 # and time zone are either specified elsewhere or are not significant. The date
11455 # is relative to the Proleptic Gregorian Calendar. This can represent:
11456 #
11457 # * A full date, with non-zero year, month and day values
11458 # * A month and day value, with a zero year, e.g. an anniversary
11459 # * A year on its own, with zero month and day values
11460 # * A year and month value, with a zero day, e.g. a credit card expiration date
11461 #
11462 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11463 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11464 # month and day.
11465 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11466 # if specifying a year by itself or a year and month where the day is not
11467 # significant.
11468 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11469 # a year.
11470 },
11471 "stringValue": "A String", # string
11472 "booleanValue": True or False, # boolean
11473 "integerValue": "A String", # integer
11474 },
11475 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
11476 # grouped together into a single bucket; for example if `upper_bound` = 89,
11477 # then all values greater than 89 are replaced with the value “89+”.
11478 # Note that for the purposes of inspection or transformation, the number
11479 # of bytes considered to comprise a 'Value' is based on its representation
11480 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11481 # 123456789, the number of bytes would be counted as 9, even though an
11482 # int64 only holds up to 8 bytes of data.
11483 "floatValue": 3.14, # float
11484 "timestampValue": "A String", # timestamp
11485 "dayOfWeekValue": "A String", # day of week
11486 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11487 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11488 # types are google.type.Date and `google.protobuf.Timestamp`.
11489 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11490 # to allow the value "24:00:00" for scenarios like business closing time.
11491 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11492 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11493 # allow the value 60 if it allows leap-seconds.
11494 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11495 },
11496 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11497 # and time zone are either specified elsewhere or are not significant. The date
11498 # is relative to the Proleptic Gregorian Calendar. This can represent:
11499 #
11500 # * A full date, with non-zero year, month and day values
11501 # * A month and day value, with a zero year, e.g. an anniversary
11502 # * A year on its own, with zero month and day values
11503 # * A year and month value, with a zero day, e.g. a credit card expiration date
11504 #
11505 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11506 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11507 # month and day.
11508 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11509 # if specifying a year by itself or a year and month where the day is not
11510 # significant.
11511 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11512 # a year.
11513 },
11514 "stringValue": "A String", # string
11515 "booleanValue": True or False, # boolean
11516 "integerValue": "A String", # integer
11517 },
11518 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
11519 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
11520 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
11521 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
11522 },
11523 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
11524 # portion of the value.
11525 "partToExtract": "A String", # The part of the time to keep.
11526 },
11527 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
11528 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
11529 # to learn more.
11530 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
11531 # results in the same shift for the same context and crypto_key. If
11532 # set, must also set context. Can only be applied to table items.
11533 # a key encryption key (KEK) stored by KMS).
11534 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11535 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11536 # unwrap the data crypto key.
11537 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11538 # The wrapped key must be a 128/192/256 bit key.
11539 # Authorization requires the following IAM permissions when sending a request
11540 # to perform a crypto transformation using a kms-wrapped crypto key:
11541 # dlp.kms.encrypt
11542 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11543 "wrappedKey": "A String", # Required. The wrapped data crypto key.
11544 },
11545 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11546 # leaking the key. Choose another type of key if possible.
11547 "key": "A String", # Required. A 128/192/256 bit key.
11548 },
11549 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
11550 # It will be discarded after the request finishes.
11551 "name": "A String", # Required. Name of the key.
11552 # This is an arbitrary string used to differentiate different keys.
11553 # A unique key is generated per name: two separate `TransientCryptoKey`
11554 # protos share the same generated key if their names are the same.
11555 # When the data crypto key is generated, this name is not used in any way
11556 # (repeating the api call will result in a different key being generated).
11557 },
11558 },
11559 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
11560 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
11561 # range (inclusive ends). Negative means shift to earlier in time. Must not
11562 # be more than 365250 days (1000 years) each direction.
11563 #
11564 # For example, 3 means shift date to at most 3 days into the future.
11565 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
11566 # If set, must also set cryptoKey. If set, shift will be consistent for the
11567 # given context.
11568 "name": "A String", # Name describing the field.
11569 },
11570 },
11571 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
11572 # (FPE) with the FFX mode of operation; however when used in the
11573 # `ReidentifyContent` API method, it serves the opposite function by reversing
11574 # the surrogate back into the original identifier. The identifier must be
11575 # encoded as ASCII. For a given crypto key and context, the same identifier
11576 # will be replaced with the same surrogate. Identifiers must be at least two
11577 # characters long. In the case that the identifier is the empty string, it will
11578 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
11579 # more.
11580 #
11581 # Note: We recommend using CryptoDeterministicConfig for all use cases which
11582 # do not require preserving the input alphabet space and size, plus warrant
11583 # referential integrity.
11584 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
11585 # a key encryption key (KEK) stored by KMS).
11586 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11587 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11588 # unwrap the data crypto key.
11589 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11590 # The wrapped key must be a 128/192/256 bit key.
11591 # Authorization requires the following IAM permissions when sending a request
11592 # to perform a crypto transformation using a kms-wrapped crypto key:
11593 # dlp.kms.encrypt
11594 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11595 "wrappedKey": "A String", # Required. The wrapped data crypto key.
11596 },
11597 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11598 # leaking the key. Choose another type of key if possible.
11599 "key": "A String", # Required. A 128/192/256 bit key.
11600 },
11601 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
11602 # It will be discarded after the request finishes.
11603 "name": "A String", # Required. Name of the key.
11604 # This is an arbitrary string used to differentiate different keys.
11605 # A unique key is generated per name: two separate `TransientCryptoKey`
11606 # protos share the same generated key if their names are the same.
11607 # When the data crypto key is generated, this name is not used in any way
11608 # (repeating the api call will result in a different key being generated).
11609 },
11610 },
11611 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
11612 "commonAlphabet": "A String", # Common alphabets.
11613 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
11614 # that the FFX mode natively supports. This happens before/after
11615 # encryption/decryption.
11616 # Each character listed must appear only once.
11617 # Number of characters must be in the range [2, 95].
11618 # This must be encoded as ASCII.
11619 # The order of characters does not matter.
11620 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
11621 # identifier in two different contexts won't be given the same surrogate. If
11622 # the context is not set, a default tweak will be used.
11623 #
11624 # If the context is set but:
11625 #
11626 # 1. there is no record present when transforming a given value or
11627 # 1. the field is not present when transforming a given value,
11628 #
11629 # a default tweak will be used.
11630 #
11631 # Note that case (1) is expected when an `InfoTypeTransformation` is
11632 # applied to both structured and non-structured `ContentItem`s.
11633 # Currently, the referenced field may be of value type integer or string.
11634 #
11635 # The tweak is constructed as a sequence of bytes in big endian byte order
11636 # such that:
11637 #
11638 # - a 64 bit integer is encoded followed by a single byte of value 1
11639 # - a string is encoded in UTF-8 format followed by a single byte of value 2
11640 "name": "A String", # Name describing the field.
11641 },
11642 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
11643 # This annotation will be applied to the surrogate by prefixing it with
11644 # the name of the custom infoType followed by the number of
11645 # characters comprising the surrogate. The following scheme defines the
11646 # format: info_type_name(surrogate_character_count):surrogate
11647 #
11648 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
11649 # the surrogate is 'abc', the full replacement value
11650 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
11651 #
11652 # This annotation identifies the surrogate when inspecting content using the
11653 # custom infoType
11654 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
11655 # This facilitates reversal of the surrogate when it occurs in free text.
11656 #
11657 # In order for inspection to work properly, the name of this infoType must
11658 # not occur naturally anywhere in your data; otherwise, inspection may
11659 # find a surrogate that does not correspond to an actual identifier.
11660 # Therefore, choose your custom infoType name carefully after considering
11661 # what your data looks like. One way to select a name that has a high chance
11662 # of yielding reliable detection is to include one or more unicode characters
11663 # that are highly improbable to exist in your data.
11664 # For example, assuming your data is entered from a regular ASCII keyboard,
11665 # the symbol with the hex code point 29DD might be used like so:
11666 # ⧝MY_TOKEN_TYPE
11667 "name": "A String", # Name of the information type. Either a name of your choosing when
11668 # creating a CustomInfoType, or one of the names listed
11669 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
11670 # a built-in type. InfoType names should conform to the pattern
11671 # `[a-zA-Z0-9_]{1,64}`.
11672 },
11673 },
11674 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
11675 # replacement values are dynamically provided by the user for custom behavior,
11676 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
11677 # This can be used on
11678 # data of type: number, long, string, timestamp.
11679 # If the bound `Value` type differs from the type of data being transformed, we
11680 # will first attempt converting the type of the data to be transformed to match
11681 # the type of the bound before comparing.
11682 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
11683 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
11684 { # Bucket is represented as a range, along with replacement values.
11685 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
11686 # Note that for the purposes of inspection or transformation, the number
11687 # of bytes considered to comprise a 'Value' is based on its representation
11688 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11689 # 123456789, the number of bytes would be counted as 9, even though an
11690 # int64 only holds up to 8 bytes of data.
11691 "floatValue": 3.14, # float
11692 "timestampValue": "A String", # timestamp
11693 "dayOfWeekValue": "A String", # day of week
11694 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11695 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11696 # types are google.type.Date and `google.protobuf.Timestamp`.
11697 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11698 # to allow the value "24:00:00" for scenarios like business closing time.
11699 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11700 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11701 # allow the value 60 if it allows leap-seconds.
11702 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11703 },
11704 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11705 # and time zone are either specified elsewhere or are not significant. The date
11706 # is relative to the Proleptic Gregorian Calendar. This can represent:
11707 #
11708 # * A full date, with non-zero year, month and day values
11709 # * A month and day value, with a zero year, e.g. an anniversary
11710 # * A year on its own, with zero month and day values
11711 # * A year and month value, with a zero day, e.g. a credit card expiration date
11712 #
11713 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11714 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11715 # month and day.
11716 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11717 # if specifying a year by itself or a year and month where the day is not
11718 # significant.
11719 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11720 # a year.
11721 },
11722 "stringValue": "A String", # string
11723 "booleanValue": True or False, # boolean
11724 "integerValue": "A String", # integer
11725 },
11726 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
11727 # the default behavior will be to hyphenate the min-max range.
11728 # Note that for the purposes of inspection or transformation, the number
11729 # of bytes considered to comprise a 'Value' is based on its representation
11730 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11731 # 123456789, the number of bytes would be counted as 9, even though an
11732 # int64 only holds up to 8 bytes of data.
11733 "floatValue": 3.14, # float
11734 "timestampValue": "A String", # timestamp
11735 "dayOfWeekValue": "A String", # day of week
11736 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11737 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11738 # types are google.type.Date and `google.protobuf.Timestamp`.
11739 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11740 # to allow the value "24:00:00" for scenarios like business closing time.
11741 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11742 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11743 # allow the value 60 if it allows leap-seconds.
11744 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11745 },
11746 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11747 # and time zone are either specified elsewhere or are not significant. The date
11748 # is relative to the Proleptic Gregorian Calendar. This can represent:
11749 #
11750 # * A full date, with non-zero year, month and day values
11751 # * A month and day value, with a zero year, e.g. an anniversary
11752 # * A year on its own, with zero month and day values
11753 # * A year and month value, with a zero day, e.g. a credit card expiration date
11754 #
11755 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11756 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11757 # month and day.
11758 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11759 # if specifying a year by itself or a year and month where the day is not
11760 # significant.
11761 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11762 # a year.
11763 },
11764 "stringValue": "A String", # string
11765 "booleanValue": True or False, # boolean
11766 "integerValue": "A String", # integer
11767 },
11768 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
11769 # used.
11770 # Note that for the purposes of inspection or transformation, the number
11771 # of bytes considered to comprise a 'Value' is based on its representation
11772 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11773 # 123456789, the number of bytes would be counted as 9, even though an
11774 # int64 only holds up to 8 bytes of data.
11775 "floatValue": 3.14, # float
11776 "timestampValue": "A String", # timestamp
11777 "dayOfWeekValue": "A String", # day of week
11778 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11779 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11780 # types are google.type.Date and `google.protobuf.Timestamp`.
11781 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11782 # to allow the value "24:00:00" for scenarios like business closing time.
11783 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11784 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11785 # allow the value 60 if it allows leap-seconds.
11786 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11787 },
11788 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11789 # and time zone are either specified elsewhere or are not significant. The date
11790 # is relative to the Proleptic Gregorian Calendar. This can represent:
11791 #
11792 # * A full date, with non-zero year, month and day values
11793 # * A month and day value, with a zero year, e.g. an anniversary
11794 # * A year on its own, with zero month and day values
11795 # * A year and month value, with a zero day, e.g. a credit card expiration date
11796 #
11797 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11798 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11799 # month and day.
11800 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11801 # if specifying a year by itself or a year and month where the day is not
11802 # significant.
11803 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11804 # a year.
11805 },
11806 "stringValue": "A String", # string
11807 "booleanValue": True or False, # boolean
11808 "integerValue": "A String", # integer
11809 },
11810 },
11811 ],
11812 },
11813 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
11814 # Uses SHA-256.
11815 # The key size must be either 32 or 64 bytes.
11816 # Outputs a base64 encoded representation of the hashed output
11817 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
11818 # Currently, only string and integer values can be hashed.
11819 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
11820 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
11821 # a key encryption key (KEK) stored by KMS).
11822 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11823 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11824 # unwrap the data crypto key.
11825 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
11826 # The wrapped key must be a 128/192/256 bit key.
11827 # Authorization requires the following IAM permissions when sending a request
11828 # to perform a crypto transformation using a kms-wrapped crypto key:
11829 # dlp.kms.encrypt
11830 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
11831 "wrappedKey": "A String", # Required. The wrapped data crypto key.
11832 },
11833 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
11834 # leaking the key. Choose another type of key if possible.
11835 "key": "A String", # Required. A 128/192/256 bit key.
11836 },
11837 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
11838 # It will be discarded after the request finishes.
11839 "name": "A String", # Required. Name of the key.
11840 # This is an arbitrary string used to differentiate different keys.
11841 # A unique key is generated per name: two separate `TransientCryptoKey`
11842 # protos share the same generated key if their names are the same.
11843 # When the data crypto key is generated, this name is not used in any way
11844 # (repeating the api call will result in a different key being generated).
11845 },
11846 },
11847 },
11848 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
11849 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
11850 # Note that for the purposes of inspection or transformation, the number
11851 # of bytes considered to comprise a 'Value' is based on its representation
11852 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11853 # 123456789, the number of bytes would be counted as 9, even though an
11854 # int64 only holds up to 8 bytes of data.
11855 "floatValue": 3.14, # float
11856 "timestampValue": "A String", # timestamp
11857 "dayOfWeekValue": "A String", # day of week
11858 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11859 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11860 # types are google.type.Date and `google.protobuf.Timestamp`.
11861 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11862 # to allow the value "24:00:00" for scenarios like business closing time.
11863 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11864 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11865 # allow the value 60 if it allows leap-seconds.
11866 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11867 },
11868 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11869 # and time zone are either specified elsewhere or are not significant. The date
11870 # is relative to the Proleptic Gregorian Calendar. This can represent:
11871 #
11872 # * A full date, with non-zero year, month and day values
11873 # * A month and day value, with a zero year, e.g. an anniversary
11874 # * A year on its own, with zero month and day values
11875 # * A year and month value, with a zero day, e.g. a credit card expiration date
11876 #
11877 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11878 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11879 # month and day.
11880 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11881 # if specifying a year by itself or a year and month where the day is not
11882 # significant.
11883 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11884 # a year.
11885 },
11886 "stringValue": "A String", # string
11887 "booleanValue": True or False, # boolean
11888 "integerValue": "A String", # integer
11889 },
11890 },
11891 },
11892 "condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
11893 # given `RecordCondition`. The conditions are allowed to reference fields
11894 # that are not used in the actual transformation.
11895 #
11896 # Example Use Cases:
11897 #
11898 # - Apply a different bucket transformation to an age column if the zip code
11899 # column for the same record is within a specific range.
11900 # - Redact a field if the date of birth field is greater than 85.
11901 # a field.
11902 "expressions": { # An expression, consisting or an operator and conditions. # An expression.
11903 "conditions": { # A collection of conditions. # Conditions to apply to the expression.
11904 "conditions": [ # A collection of conditions.
11905 { # The field type of `value` and `field` do not need to match to be
11906 # considered equal, but not all comparisons are possible.
11907 # EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
11908 # but all other comparisons are invalid with incompatible types.
11909 # A `value` of type:
11910 #
11911 # - `string` can be compared against all other types
11912 # - `boolean` can only be compared against other booleans
11913 # - `integer` can be compared against doubles or a string if the string value
11914 # can be parsed as an integer.
11915 # - `double` can be compared against integers or a string if the string can
11916 # be parsed as a double.
11917 # - `Timestamp` can be compared against strings in RFC 3339 date string
11918 # format.
11919 # - `TimeOfDay` can be compared against timestamps and strings in the format
11920 # of 'HH:mm:ss'.
11921 #
11922 # If we fail to compare do to type mismatch, a warning will be given and
11923 # the condition will evaluate to false.
11924 "operator": "A String", # Required. Operator used to compare the field or infoType to the value.
11925 "field": { # General identifier of a data field in a storage service. # Required. Field within the record this condition is evaluated against.
11926 "name": "A String", # Name describing the field.
11927 },
11928 "value": { # Set of primitive values supported by the system. # Value to compare against. [Mandatory, except for `EXISTS` tests.]
11929 # Note that for the purposes of inspection or transformation, the number
11930 # of bytes considered to comprise a 'Value' is based on its representation
11931 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
11932 # 123456789, the number of bytes would be counted as 9, even though an
11933 # int64 only holds up to 8 bytes of data.
11934 "floatValue": 3.14, # float
11935 "timestampValue": "A String", # timestamp
11936 "dayOfWeekValue": "A String", # day of week
11937 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
11938 # or are specified elsewhere. An API may choose to allow leap seconds. Related
11939 # types are google.type.Date and `google.protobuf.Timestamp`.
11940 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
11941 # to allow the value "24:00:00" for scenarios like business closing time.
11942 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
11943 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
11944 # allow the value 60 if it allows leap-seconds.
11945 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
11946 },
11947 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
11948 # and time zone are either specified elsewhere or are not significant. The date
11949 # is relative to the Proleptic Gregorian Calendar. This can represent:
11950 #
11951 # * A full date, with non-zero year, month and day values
11952 # * A month and day value, with a zero year, e.g. an anniversary
11953 # * A year on its own, with zero month and day values
11954 # * A year and month value, with a zero day, e.g. a credit card expiration date
11955 #
11956 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
11957 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
11958 # month and day.
11959 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
11960 # if specifying a year by itself or a year and month where the day is not
11961 # significant.
11962 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
11963 # a year.
11964 },
11965 "stringValue": "A String", # string
11966 "booleanValue": True or False, # boolean
11967 "integerValue": "A String", # integer
11968 },
11969 },
11970 ],
11971 },
11972 "logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
11973 # only supported value is `AND`.
11974 },
11975 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11976 "infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
11977 # transform content that matches an `InfoType`.
11978 # apply various `PrimitiveTransformation`s to each finding, where the
11979 # transformation is applied to only values that were identified as a specific
11980 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11981 "transformations": [ # Required. Transformation for each infoType. Cannot specify more than one
11982 # for a given infoType.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11983 { # A transformation to apply to text that is identified as a specific
11984 # info_type.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11985 "primitiveTransformation": { # A rule for transforming a value. # Required. Primitive transformation to apply to the infoType.
11986 "cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given # Deterministic Crypto
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11987 # input. Outputs a base64 encoded representation of the encrypted output.
11988 # Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
11989 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
11990 # a key encryption key (KEK) stored by KMS).
11991 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
11992 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
11993 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11994 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]11995 # The wrapped key must be a 128/192/256 bit key.
11996 # Authorization requires the following IAM permissions when sending a request
11997 # to perform a crypto transformation using a kms-wrapped crypto key:
11998 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]11999 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12000 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12001 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12002 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12003 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12004 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12005 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12006 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12007 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12008 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12009 # This is an arbitrary string used to differentiate different keys.
12010 # A unique key is generated per name: two separate `TransientCryptoKey`
12011 # protos share the same generated key if their names are the same.
12012 # When the data crypto key is generated, this name is not used in any way
12013 # (repeating the api call will result in a different key being generated).
12014 },
12015 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12016 "context": { # General identifier of a data field in a storage service. # A context may be used for higher security and maintaining
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12017 # referential integrity such that the same identifier in two different
12018 # contexts will be given a distinct surrogate. The context is appended to
12019 # plaintext value being encrypted. On decryption the provided context is
12020 # validated against the value used during encryption. If a context was
12021 # provided during encryption, same context must be provided during decryption
12022 # as well.
12023 #
12024 # If the context is not set, plaintext would be used as is for encryption.
12025 # If the context is set but:
12026 #
12027 # 1. there is no record present when transforming a given value or
12028 # 2. the field is not present when transforming a given value,
12029 #
12030 # plaintext would be used as is for encryption.
12031 #
12032 # Note that case (1) is expected when an `InfoTypeTransformation` is
12033 # applied to both structured and non-structured `ContentItem`s.
12034 "name": "A String", # Name describing the field.
12035 },
12036 "surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
12037 # This annotation will be applied to the surrogate by prefixing it with
12038 # the name of the custom info type followed by the number of
12039 # characters comprising the surrogate. The following scheme defines the
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12040 # format: {info type name}({surrogate character count}):{surrogate}
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12041 #
12042 # For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
12043 # the surrogate is 'abc', the full replacement value
12044 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
12045 #
12046 # This annotation identifies the surrogate when inspecting content using the
12047 # custom info type 'Surrogate'. This facilitates reversal of the
12048 # surrogate when it occurs in free text.
12049 #
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12050 # Note: For record transformations where the entire cell in a table is being
12051 # transformed, surrogates are not mandatory. Surrogates are used to denote
12052 # the location of the token and are necessary for re-identification in free
12053 # form text.
12054 #
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12055 # In order for inspection to work properly, the name of this info type must
12056 # not occur naturally anywhere in your data; otherwise, inspection may either
12057 #
12058 # - reverse a surrogate that does not correspond to an actual identifier
12059 # - be unable to parse the surrogate and result in an error
12060 #
12061 # Therefore, choose your custom info type name carefully after considering
12062 # what your data looks like. One way to select a name that has a high chance
12063 # of yielding reliable detection is to include one or more unicode characters
12064 # that are highly improbable to exist in your data.
12065 # For example, assuming your data is entered from a regular ASCII keyboard,
12066 # the symbol with the hex code point 29DD might be used like so:
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12067 # ⧝MY_TOKEN_TYPE.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12068 "name": "A String", # Name of the information type. Either a name of your choosing when
12069 # creating a CustomInfoType, or one of the names listed
12070 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12071 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12072 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12073 },
12074 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12075 "characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a # Mask
12076 # fixed character. Masking can start from the beginning or end of the string.
12077 # This can be used on data of any type (numbers, longs, and so on) and when
12078 # de-identifying structured data we'll attempt to preserve the original data's
12079 # type. (This allows you to take a long like 123 and modify it to a string like
12080 # **3.
12081 "charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing
12082 # characters. For example, if the input string is `555-555-5555` and you
12083 # instruct Cloud DLP to skip `-` and mask 5 characters with `*`, Cloud DLP
12084 # returns `***-**5-5555`.
12085 { # Characters to skip when doing deidentification of a value. These will be left
12086 # alone and skipped.
12087 "commonCharactersToIgnore": "A String", # Common characters to not transform when masking. Useful to avoid removing
12088 # punctuation.
12089 "charactersToSkip": "A String", # Characters to not transform when masking.
12090 },
12091 ],
12092 "numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
12093 # masked. Skipped characters do not count towards this tally.
12094 "maskingCharacter": "A String", # Character to use to mask the sensitive values&amp;mdash;for example, `*` for an
12095 # alphabetic string such as a name, or `0` for a numeric string such as ZIP
12096 # code or credit card number. This string must have a length of 1. If not
12097 # supplied, this value defaults to `*` for strings, and `0` for digits.
12098 "reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
12099 # `0`, `number_to_mask` is `14`, and `reverse_order` is `false`, then the
12100 # input string `1234-5678-9012-3456` is masked as `00000000000000-3456`.
12101 # If `masking_character` is `*`, `number_to_mask` is `3`, and `reverse_order`
12102 # is `true`, then the string `12345` is masked as `12***`.
12103 },
12104 "redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation` # Redact
12105 # transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
12106 # output would be 'My phone number is '.
12107 },
12108 "replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type. # Replace with infotype
12109 },
12110 "fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The # Fixed size bucketing
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12111 # Bucketing transformation can provide all of this functionality,
12112 # but requires more configuration. This message is provided as a convenience to
12113 # the user for simple bucketing strategies.
12114 #
12115 # The transformed value will be a hyphenated string of
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12116 # {lower_bound}-{upper_bound}, i.e if lower_bound = 10 and upper_bound = 20
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12117 # all values that are within this bucket will be replaced with "10-20".
12118 #
12119 # This can be used on data of type: double, long.
12120 #
12121 # If the bound Value type differs from the type of data
12122 # being transformed, we will first attempt converting the type of the data to
12123 # be transformed to match the type of the bound before comparing.
12124 #
12125 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12126 "lowerBound": { # Set of primitive values supported by the system. # Required. Lower bound value of buckets. All values less than `lower_bound` are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12127 # grouped together into a single bucket; for example if `lower_bound` = 10,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12128 # then all values less than 10 are replaced with the value “-10”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12129 # Note that for the purposes of inspection or transformation, the number
12130 # of bytes considered to comprise a 'Value' is based on its representation
12131 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12132 # 123456789, the number of bytes would be counted as 9, even though an
12133 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12134 "floatValue": 3.14, # float
12135 "timestampValue": "A String", # timestamp
12136 "dayOfWeekValue": "A String", # day of week
12137 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12138 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12139 # types are google.type.Date and `google.protobuf.Timestamp`.
12140 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12141 # to allow the value "24:00:00" for scenarios like business closing time.
12142 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12143 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12144 # allow the value 60 if it allows leap-seconds.
12145 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12146 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12147 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12148 # and time zone are either specified elsewhere or are not significant. The date
12149 # is relative to the Proleptic Gregorian Calendar. This can represent:
12150 #
12151 # * A full date, with non-zero year, month and day values
12152 # * A month and day value, with a zero year, e.g. an anniversary
12153 # * A year on its own, with zero month and day values
12154 # * A year and month value, with a zero day, e.g. a credit card expiration date
12155 #
12156 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12157 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12158 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12159 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12160 # if specifying a year by itself or a year and month where the day is not
12161 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12162 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12163 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12164 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12165 "stringValue": "A String", # string
12166 "booleanValue": True or False, # boolean
12167 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12168 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12169 "upperBound": { # Set of primitive values supported by the system. # Required. Upper bound value of buckets. All values greater than upper_bound are
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12170 # grouped together into a single bucket; for example if `upper_bound` = 89,
12171 # then all values greater than 89 are replaced with the value “89+”.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12172 # Note that for the purposes of inspection or transformation, the number
12173 # of bytes considered to comprise a 'Value' is based on its representation
12174 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12175 # 123456789, the number of bytes would be counted as 9, even though an
12176 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12177 "floatValue": 3.14, # float
12178 "timestampValue": "A String", # timestamp
12179 "dayOfWeekValue": "A String", # day of week
12180 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12181 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12182 # types are google.type.Date and `google.protobuf.Timestamp`.
12183 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12184 # to allow the value "24:00:00" for scenarios like business closing time.
12185 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12186 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12187 # allow the value 60 if it allows leap-seconds.
12188 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12189 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12190 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12191 # and time zone are either specified elsewhere or are not significant. The date
12192 # is relative to the Proleptic Gregorian Calendar. This can represent:
12193 #
12194 # * A full date, with non-zero year, month and day values
12195 # * A month and day value, with a zero year, e.g. an anniversary
12196 # * A year on its own, with zero month and day values
12197 # * A year and month value, with a zero day, e.g. a credit card expiration date
12198 #
12199 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12200 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12201 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12202 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12203 # if specifying a year by itself or a year and month where the day is not
12204 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12205 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12206 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12207 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12208 "stringValue": "A String", # string
12209 "booleanValue": True or False, # boolean
12210 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12211 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12212 "bucketSize": 3.14, # Required. Size of each bucket (except for minimum and maximum buckets). So if
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12213 # `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
12214 # following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12215 # 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12216 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12217 "timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a # Time extraction
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12218 # portion of the value.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12219 "partToExtract": "A String", # The part of the time to keep.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12220 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12221 "dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the # Date Shift
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12222 # same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
12223 # to learn more.
12224 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12225 # results in the same shift for the same context and crypto_key. If
12226 # set, must also set context. Can only be applied to table items.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12227 # a key encryption key (KEK) stored by KMS).
12228 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12229 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12230 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12231 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12232 # The wrapped key must be a 128/192/256 bit key.
12233 # Authorization requires the following IAM permissions when sending a request
12234 # to perform a crypto transformation using a kms-wrapped crypto key:
12235 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12236 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12237 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12238 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12239 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12240 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12241 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12242 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12243 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12244 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12245 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12246 # This is an arbitrary string used to differentiate different keys.
12247 # A unique key is generated per name: two separate `TransientCryptoKey`
12248 # protos share the same generated key if their names are the same.
12249 # When the data crypto key is generated, this name is not used in any way
12250 # (repeating the api call will result in a different key being generated).
12251 },
12252 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12253 "lowerBoundDays": 42, # Required. For example, -5 means shift date to at most 5 days back in the past.
12254 "upperBoundDays": 42, # Required. Range of shift in days. Actual shift will be selected at random within this
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12255 # range (inclusive ends). Negative means shift to earlier in time. Must not
12256 # be more than 365250 days (1000 years) each direction.
12257 #
12258 # For example, 3 means shift date to at most 3 days into the future.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12259 "context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12260 # If set, must also set cryptoKey. If set, shift will be consistent for the
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12261 # given context.
12262 "name": "A String", # Name describing the field.
12263 },
12264 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12265 "cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption # Ffx-Fpe
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12266 # (FPE) with the FFX mode of operation; however when used in the
12267 # `ReidentifyContent` API method, it serves the opposite function by reversing
12268 # the surrogate back into the original identifier. The identifier must be
12269 # encoded as ASCII. For a given crypto key and context, the same identifier
12270 # will be replaced with the same surrogate. Identifiers must be at least two
12271 # characters long. In the case that the identifier is the empty string, it will
12272 # be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
12273 # more.
12274 #
12275 # Note: We recommend using CryptoDeterministicConfig for all use cases which
12276 # do not require preserving the input alphabet space and size, plus warrant
12277 # referential integrity.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12278 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Required. The key used by the encryption algorithm.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12279 # a key encryption key (KEK) stored by KMS).
12280 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12281 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12282 # unwrap the data crypto key.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12283 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12284 # The wrapped key must be a 128/192/256 bit key.
12285 # Authorization requires the following IAM permissions when sending a request
12286 # to perform a crypto transformation using a kms-wrapped crypto key:
12287 # dlp.kms.encrypt
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12288 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12289 "wrappedKey": "A String", # Required. The wrapped data crypto key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12290 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12291 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12292 # leaking the key. Choose another type of key if possible.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12293 "key": "A String", # Required. A 128/192/256 bit key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12294 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12295 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12296 # It will be discarded after the request finishes.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12297 "name": "A String", # Required. Name of the key.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12298 # This is an arbitrary string used to differentiate different keys.
12299 # A unique key is generated per name: two separate `TransientCryptoKey`
12300 # protos share the same generated key if their names are the same.
12301 # When the data crypto key is generated, this name is not used in any way
12302 # (repeating the api call will result in a different key being generated).
12303 },
12304 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12305 "radix": 42, # The native way to select the alphabet. Must be in the range [2, 95].
12306 "commonAlphabet": "A String", # Common alphabets.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12307 "customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
12308 # that the FFX mode natively supports. This happens before/after
12309 # encryption/decryption.
12310 # Each character listed must appear only once.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12311 # Number of characters must be in the range [2, 95].
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12312 # This must be encoded as ASCII.
12313 # The order of characters does not matter.
12314 "context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
12315 # identifier in two different contexts won't be given the same surrogate. If
12316 # the context is not set, a default tweak will be used.
12317 #
12318 # If the context is set but:
12319 #
12320 # 1. there is no record present when transforming a given value or
12321 # 1. the field is not present when transforming a given value,
12322 #
12323 # a default tweak will be used.
12324 #
12325 # Note that case (1) is expected when an `InfoTypeTransformation` is
12326 # applied to both structured and non-structured `ContentItem`s.
12327 # Currently, the referenced field may be of value type integer or string.
12328 #
12329 # The tweak is constructed as a sequence of bytes in big endian byte order
12330 # such that:
12331 #
12332 # - a 64 bit integer is encoded followed by a single byte of value 1
12333 # - a string is encoded in UTF-8 format followed by a single byte of value 2
12334 "name": "A String", # Name describing the field.
12335 },
12336 "surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
12337 # This annotation will be applied to the surrogate by prefixing it with
12338 # the name of the custom infoType followed by the number of
12339 # characters comprising the surrogate. The following scheme defines the
12340 # format: info_type_name(surrogate_character_count):surrogate
12341 #
12342 # For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
12343 # the surrogate is 'abc', the full replacement value
12344 # will be: 'MY_TOKEN_INFO_TYPE(3):abc'
12345 #
12346 # This annotation identifies the surrogate when inspecting content using the
12347 # custom infoType
12348 # [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
12349 # This facilitates reversal of the surrogate when it occurs in free text.
12350 #
12351 # In order for inspection to work properly, the name of this infoType must
12352 # not occur naturally anywhere in your data; otherwise, inspection may
12353 # find a surrogate that does not correspond to an actual identifier.
12354 # Therefore, choose your custom infoType name carefully after considering
12355 # what your data looks like. One way to select a name that has a high chance
12356 # of yielding reliable detection is to include one or more unicode characters
12357 # that are highly improbable to exist in your data.
12358 # For example, assuming your data is entered from a regular ASCII keyboard,
12359 # the symbol with the hex code point 29DD might be used like so:
12360 # ⧝MY_TOKEN_TYPE
12361 "name": "A String", # Name of the information type. Either a name of your choosing when
12362 # creating a CustomInfoType, or one of the names listed
12363 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12364 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12365 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12366 },
12367 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12368 "bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and # Bucketing
12369 # replacement values are dynamically provided by the user for custom behavior,
12370 # such as 1-30 -&gt; LOW 31-65 -&gt; MEDIUM 66-100 -&gt; HIGH
12371 # This can be used on
12372 # data of type: number, long, string, timestamp.
12373 # If the bound `Value` type differs from the type of data being transformed, we
12374 # will first attempt converting the type of the data to be transformed to match
12375 # the type of the bound before comparing.
12376 # See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
12377 "buckets": [ # Set of buckets. Ranges must be non-overlapping.
12378 { # Bucket is represented as a range, along with replacement values.
12379 "max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
12380 # Note that for the purposes of inspection or transformation, the number
12381 # of bytes considered to comprise a 'Value' is based on its representation
12382 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12383 # 123456789, the number of bytes would be counted as 9, even though an
12384 # int64 only holds up to 8 bytes of data.
12385 "floatValue": 3.14, # float
12386 "timestampValue": "A String", # timestamp
12387 "dayOfWeekValue": "A String", # day of week
12388 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
12389 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12390 # types are google.type.Date and `google.protobuf.Timestamp`.
12391 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12392 # to allow the value "24:00:00" for scenarios like business closing time.
12393 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12394 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12395 # allow the value 60 if it allows leap-seconds.
12396 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12397 },
12398 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12399 # and time zone are either specified elsewhere or are not significant. The date
12400 # is relative to the Proleptic Gregorian Calendar. This can represent:
12401 #
12402 # * A full date, with non-zero year, month and day values
12403 # * A month and day value, with a zero year, e.g. an anniversary
12404 # * A year on its own, with zero month and day values
12405 # * A year and month value, with a zero day, e.g. a credit card expiration date
12406 #
12407 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12408 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12409 # month and day.
12410 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12411 # if specifying a year by itself or a year and month where the day is not
12412 # significant.
12413 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12414 # a year.
12415 },
12416 "stringValue": "A String", # string
12417 "booleanValue": True or False, # boolean
12418 "integerValue": "A String", # integer
12419 },
12420 "replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
12421 # the default behavior will be to hyphenate the min-max range.
12422 # Note that for the purposes of inspection or transformation, the number
12423 # of bytes considered to comprise a 'Value' is based on its representation
12424 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12425 # 123456789, the number of bytes would be counted as 9, even though an
12426 # int64 only holds up to 8 bytes of data.
12427 "floatValue": 3.14, # float
12428 "timestampValue": "A String", # timestamp
12429 "dayOfWeekValue": "A String", # day of week
12430 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
12431 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12432 # types are google.type.Date and `google.protobuf.Timestamp`.
12433 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12434 # to allow the value "24:00:00" for scenarios like business closing time.
12435 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12436 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12437 # allow the value 60 if it allows leap-seconds.
12438 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12439 },
12440 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12441 # and time zone are either specified elsewhere or are not significant. The date
12442 # is relative to the Proleptic Gregorian Calendar. This can represent:
12443 #
12444 # * A full date, with non-zero year, month and day values
12445 # * A month and day value, with a zero year, e.g. an anniversary
12446 # * A year on its own, with zero month and day values
12447 # * A year and month value, with a zero day, e.g. a credit card expiration date
12448 #
12449 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12450 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12451 # month and day.
12452 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12453 # if specifying a year by itself or a year and month where the day is not
12454 # significant.
12455 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12456 # a year.
12457 },
12458 "stringValue": "A String", # string
12459 "booleanValue": True or False, # boolean
12460 "integerValue": "A String", # integer
12461 },
12462 "min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
12463 # used.
12464 # Note that for the purposes of inspection or transformation, the number
12465 # of bytes considered to comprise a 'Value' is based on its representation
12466 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12467 # 123456789, the number of bytes would be counted as 9, even though an
12468 # int64 only holds up to 8 bytes of data.
12469 "floatValue": 3.14, # float
12470 "timestampValue": "A String", # timestamp
12471 "dayOfWeekValue": "A String", # day of week
12472 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
12473 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12474 # types are google.type.Date and `google.protobuf.Timestamp`.
12475 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12476 # to allow the value "24:00:00" for scenarios like business closing time.
12477 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12478 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12479 # allow the value 60 if it allows leap-seconds.
12480 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12481 },
12482 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
12483 # and time zone are either specified elsewhere or are not significant. The date
12484 # is relative to the Proleptic Gregorian Calendar. This can represent:
12485 #
12486 # * A full date, with non-zero year, month and day values
12487 # * A month and day value, with a zero year, e.g. an anniversary
12488 # * A year on its own, with zero month and day values
12489 # * A year and month value, with a zero day, e.g. a credit card expiration date
12490 #
12491 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
12492 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12493 # month and day.
12494 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12495 # if specifying a year by itself or a year and month where the day is not
12496 # significant.
12497 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12498 # a year.
12499 },
12500 "stringValue": "A String", # string
12501 "booleanValue": True or False, # boolean
12502 "integerValue": "A String", # integer
12503 },
12504 },
12505 ],
12506 },
12507 "cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing. # Crypto
12508 # Uses SHA-256.
12509 # The key size must be either 32 or 64 bytes.
12510 # Outputs a base64 encoded representation of the hashed output
12511 # (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
12512 # Currently, only string and integer values can be hashed.
12513 # See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
12514 "cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
12515 # a key encryption key (KEK) stored by KMS).
12516 # When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
12517 # IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
12518 # unwrap the data crypto key.
12519 "kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS. # Kms wrapped key
12520 # The wrapped key must be a 128/192/256 bit key.
12521 # Authorization requires the following IAM permissions when sending a request
12522 # to perform a crypto transformation using a kms-wrapped crypto key:
12523 # dlp.kms.encrypt
12524 "cryptoKeyName": "A String", # Required. The resource name of the KMS CryptoKey to use for unwrapping.
12525 "wrappedKey": "A String", # Required. The wrapped data crypto key.
12526 },
12527 "unwrapped": { # Using raw keys is prone to security risks due to accidentally # Unwrapped crypto key
12528 # leaking the key. Choose another type of key if possible.
12529 "key": "A String", # Required. A 128/192/256 bit key.
12530 },
12531 "transient": { # Use this to have a random data crypto key generated. # Transient crypto key
12532 # It will be discarded after the request finishes.
12533 "name": "A String", # Required. Name of the key.
12534 # This is an arbitrary string used to differentiate different keys.
12535 # A unique key is generated per name: two separate `TransientCryptoKey`
12536 # protos share the same generated key if their names are the same.
12537 # When the data crypto key is generated, this name is not used in any way
12538 # (repeating the api call will result in a different key being generated).
12539 },
12540 },
12541 },
12542 "replaceConfig": { # Replace each input value with a given `Value`. # Replace
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12543 "newValue": { # Set of primitive values supported by the system. # Value to replace it with.
12544 # Note that for the purposes of inspection or transformation, the number
12545 # of bytes considered to comprise a 'Value' is based on its representation
12546 # as a UTF-8 encoded string. For example, if 'integer_value' is set to
12547 # 123456789, the number of bytes would be counted as 9, even though an
12548 # int64 only holds up to 8 bytes of data.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12549 "floatValue": 3.14, # float
12550 "timestampValue": "A String", # timestamp
12551 "dayOfWeekValue": "A String", # day of week
12552 "timeValue": { # Represents a time of day. The date and time zone are either not significant # time of day
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12553 # or are specified elsewhere. An API may choose to allow leap seconds. Related
12554 # types are google.type.Date and `google.protobuf.Timestamp`.
12555 "hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
12556 # to allow the value "24:00:00" for scenarios like business closing time.
12557 "nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
12558 "seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
12559 # allow the value 60 if it allows leap-seconds.
12560 "minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
12561 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12562 "dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # date
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12563 # and time zone are either specified elsewhere or are not significant. The date
12564 # is relative to the Proleptic Gregorian Calendar. This can represent:
12565 #
12566 # * A full date, with non-zero year, month and day values
12567 # * A month and day value, with a zero year, e.g. an anniversary
12568 # * A year on its own, with zero month and day values
12569 # * A year and month value, with a zero day, e.g. a credit card expiration date
12570 #
12571 # Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12572 "month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
12573 # month and day.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12574 "day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
12575 # if specifying a year by itself or a year and month where the day is not
12576 # significant.
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12577 "year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
12578 # a year.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12579 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12580 "stringValue": "A String", # string
12581 "booleanValue": True or False, # boolean
12582 "integerValue": "A String", # integer
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12583 },
12584 },
12585 },
12586 "infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
12587 # this transformation to apply to all findings that correspond to
12588 # infoTypes that were requested in `InspectConfig`.
12589 { # Type of information detected by the API.
12590 "name": "A String", # Name of the information type. Either a name of your choosing when
12591 # creating a CustomInfoType, or one of the names listed
12592 # at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
12593 # a built-in type. InfoType names should conform to the pattern
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12594 # `[a-zA-Z0-9_]{1,64}`.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12595 },
12596 ],
12597 },
12598 ],
12599 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12600 },
12601 ],
12602 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12603 "transformationErrorHandling": { # How to handle transformation errors during de-identification. A # Mode for handling transformation errors. If left unspecified, the default
12604 # mode is `TransformationErrorHandling.ThrowError`.
12605 # transformation error occurs when the requested transformation is incompatible
12606 # with the data. For example, trying to de-identify an IP address using a
12607 # `DateShift` transformation would result in a transformation error, since date
12608 # info cannot be extracted from an IP address.
12609 # Information about any incompatible transformations, and how they were
12610 # handled, is returned in the response as part of the
12611 # `TransformationOverviews`.
12612 "throwError": { # Throw an error and fail the request when a transformation error occurs. # Throw an error
12613 },
12614 "leaveUntransformed": { # Skips the data without modifying it if the requested transformation would # Ignore errors
12615 # cause an error. For example, if a `DateShift` transformation were applied
12616 # an an IP address, this mode would leave the IP address unchanged in the
12617 # response.
12618 },
12619 },
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12620 },
Dan O'Mearadd494642020-05-01 07:42:23 -0700[diff] [blame^]12621 "createTime": "A String", # Output only. The creation timestamp of an inspectTemplate.
12622 "name": "A String", # Output only. The template name.
Bu Sun Kim715bd7f2019-06-14 16:50:42 -0700[diff] [blame]12623 #
12624 # The template will have one of the following formats:
12625 # `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
12626 # `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
12627 }</pre>
12628</div>
12629
12630</body></html>