create(parent, body, x__xgafv=None)
Creates a DeidentifyTemplate for re-using frequently used configuration
Deletes a DeidentifyTemplate.
Gets a DeidentifyTemplate.
list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)
Lists DeidentifyTemplates.
list_next(previous_request, previous_response)
Retrieves the next page of results.
patch(name, body, x__xgafv=None)
Updates the DeidentifyTemplate.
create(parent, body, x__xgafv=None)
Creates a DeidentifyTemplate for re-using frequently used configuration
for de-identifying content, images, and storage.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
parent: string, The parent resource name, for example projects/my-project-id or
organizations/my-org-id. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request message for CreateDeidentifyTemplate.
"deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # The DeidentifyTemplate to create.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
"updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
"name": "A String", # The template name. Output only.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
},
"templateId": "A String", # The template id can contain uppercase and lowercase letters,
# numbers, and hyphens; that is, it must match the regular
# expression: `[a-zA-Z\\d-_]+`. The maximum length is 100
# characters. Can be empty to allow the system to generate one.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The DeidentifyTemplates contains instructions on how to deidentify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
"updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
"name": "A String", # The template name. Output only.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
}
delete(name, x__xgafv=None)
Deletes a DeidentifyTemplate.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
name: string, Resource name of the organization and deidentify template to be deleted,
for example `organizations/433245324/deidentifyTemplates/432452342` or
projects/project-id/deidentifyTemplates/432452342. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # A generic empty message that you can re-use to avoid defining duplicated
# empty messages in your APIs. A typical example is to use it as the request
# or the response type of an API method. For instance:
#
# service Foo {
# rpc Bar(google.protobuf.Empty) returns (google.protobuf.Empty);
# }
#
# The JSON representation for `Empty` is empty JSON object `{}`.
}
get(name, x__xgafv=None)
Gets a DeidentifyTemplate.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
name: string, Resource name of the organization and deidentify template to be read, for
example `organizations/433245324/deidentifyTemplates/432452342` or
projects/project-id/deidentifyTemplates/432452342. (required)
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The DeidentifyTemplates contains instructions on how to deidentify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
"updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
"name": "A String", # The template name. Output only.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
}
list(parent, orderBy=None, pageToken=None, x__xgafv=None, pageSize=None)
Lists DeidentifyTemplates.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
parent: string, The parent resource name, for example projects/my-project-id or
organizations/my-org-id. (required)
orderBy: string, Optional comma separated list of fields to order by,
followed by `asc` or `desc` postfix. This list is case-insensitive,
default sorting order is ascending, redundant space characters are
insignificant.
Example: `name asc,update_time, create_time desc`
Supported fields are:
- `create_time`: corresponds to time the template was created.
- `update_time`: corresponds to time the template was last updated.
- `name`: corresponds to template's name.
- `display_name`: corresponds to template's display name.
pageToken: string, Optional page token to continue retrieval. Comes from previous call
to `ListDeidentifyTemplates`.
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
pageSize: integer, Optional size of the page, can be limited by server. If zero server returns
a page of max size 100.
Returns:
An object of the form:
{ # Response message for ListDeidentifyTemplates.
"nextPageToken": "A String", # If the next page is available then the next page token to be used
# in following ListDeidentifyTemplates request.
"deidentifyTemplates": [ # List of deidentify templates, up to page_size in
# ListDeidentifyTemplatesRequest.
{ # The DeidentifyTemplates contains instructions on how to deidentify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
"updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
"name": "A String", # The template name. Output only.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
},
],
}
list_next(previous_request, previous_response)
Retrieves the next page of results.
Args:
previous_request: The request for the previous page. (required)
previous_response: The response from the request for the previous page. (required)
Returns:
A request object that you can call 'execute()' on to request the next
page. Returns None if there are no more items in the collection.
patch(name, body, x__xgafv=None)
Updates the DeidentifyTemplate.
See https://cloud.google.com/dlp/docs/creating-templates-deid to learn
more.
Args:
name: string, Resource name of organization and deidentify template to be updated, for
example `organizations/433245324/deidentifyTemplates/432452342` or
projects/project-id/deidentifyTemplates/432452342. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request message for UpdateDeidentifyTemplate.
"deidentifyTemplate": { # The DeidentifyTemplates contains instructions on how to deidentify content. # New DeidentifyTemplate value.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
"updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
"name": "A String", # The template name. Output only.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
},
"updateMask": "A String", # Mask to control which fields get updated.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # The DeidentifyTemplates contains instructions on how to deidentify content.
# See https://cloud.google.com/dlp/docs/concepts-templates to learn more.
"updateTime": "A String", # The last update timestamp of a inspectTemplate, output only field.
"displayName": "A String", # Display name (max 256 chars).
"description": "A String", # Short description (max 256 chars).
"deidentifyConfig": { # The configuration that controls how the data will change. # ///////////// // The core content of the template // ///////////////
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"createTime": "A String", # The creation timestamp of a inspectTemplate, output only field.
"name": "A String", # The template name. Output only.
#
# The template will have one of the following formats:
# `projects/PROJECT_ID/deidentifyTemplates/TEMPLATE_ID` OR
# `organizations/ORGANIZATION_ID/deidentifyTemplates/TEMPLATE_ID`
}