deidentify(parent, body, x__xgafv=None)
De-identifies potentially sensitive info from a ContentItem.
inspect(parent, body, x__xgafv=None)
Finds potentially sensitive info in content.
reidentify(parent, body, x__xgafv=None)
Re-identifies content that has been de-identified.
deidentify(parent, body, x__xgafv=None)
De-identifies potentially sensitive info from a ContentItem.
This method has limits on input size and output size.
See https://cloud.google.com/dlp/docs/deidentify-sensitive-data to
learn more.
When no InfoTypes or CustomInfoTypes are specified in this request, the
system will automatically choose what detectors to run. By default this may
be all types, but may change over time as detectors are updated.
Args:
parent: string, The parent resource name, for example projects/my-project-id. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request to de-identify a list of items.
"deidentifyTemplateName": "A String", # Optional template to use. Any configuration directly specified in
# deidentify_config will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
"inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in
# inspect_config will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
"deidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the de-identification of the content item.
# Items specified here will override the template referenced by the
# deidentify_template_name argument.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
# Items specified here will override the template referenced by the
# inspect_template_name argument.
# When used with redactContent only info_types and min_likelihood are currently
# used.
"excludeInfoTypes": True or False, # When true, excludes type information of the findings.
"limits": {
"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
# When set within `InspectContentRequest`, the maximum returned is 2000
# regardless if this is set higher.
"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
{ # Max findings configuration per infoType, per content item or long
# running DlpJob.
"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
# info_type should be provided. If InfoTypeLimit does not have an
# info_type, the DLP API applies the limit against all info_types that
# are found but not specified in another InfoTypeLimit.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
# When set within `InspectDataSourceRequest`,
# the maximum returned is 2000 regardless if this is set higher.
# When set within `InspectContentRequest`, this field is ignored.
},
"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
# POSSIBLE.
# See https://cloud.google.com/dlp/docs/likelihood to learn more.
"customInfoTypes": [ # CustomInfoTypes provided by the user. See
# https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
{ # Custom information type provided by the user. Used to find domain-specific
# sensitive information configurable to the data in question.
"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
# support reversing.
# such as
# [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
# These types of transformations are
# those that perform pseudonymization, thereby producing a "surrogate" as
# output. This should be used in conjunction with a field on the
# transformation such as `surrogate_info_type`. This CustomInfoType does
# not support the use of `detection_rules`.
},
"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
# infoType, when the name matches one of existing infoTypes and that infoType
# is specified in `InspectContent.info_types` field. Specifying the latter
# adds findings to the one detected by the system. If built-in info type is
# not specified in `InspectContent.info_types` list then the name is treated
# as a custom info type.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
# be used to match sensitive information specific to the data, such as a list
# of employee IDs or job titles.
#
# Dictionary words are case-insensitive and all characters other than letters
# and digits in the unicode [Basic Multilingual
# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
# will be replaced with whitespace when scanning for matches, so the
# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
# surrounding any match must be of a different type than the adjacent
# characters within the word, so letters must be next to non-letters and
# digits next to non-digits. For example, the dictionary word "jen" will
# match the first three letters of the text "jen123" but will return no
# matches for "jennifer".
#
# Dictionary words containing a large number of characters that are not
# letters or digits may result in unexpected findings because such characters
# are treated as whitespace. The
# [limits](https://cloud.google.com/dlp/limits) page contains details about
# the size limits of dictionaries. For dictionaries that do not fit within
# these constraints, consider using `LargeCustomDictionaryConfig` in the
# `StoredInfoType` API.
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain
# at least one phrase and every phrase must contain at least 2 characters
# that are letters or digits. [required]
"A String",
],
},
"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
# is accepted.
"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
# Example: gs://[BUCKET_NAME]/dictionary.txt
},
},
"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
# `InspectDataSource`. Not currently supported in `InspectContent`.
"name": "A String", # Resource name of the requested `StoredInfoType`, for example
# `organizations/433245324/storedInfoTypes/432452342` or
# `projects/project-id/storedInfoTypes/432452342`.
"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
# inspection was created. Output-only field, populated by the system.
},
"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
# Rules are applied in order that they are specified. Not supported for the
# `surrogate_type` CustomInfoType.
{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
# `CustomInfoType` to alter behavior under certain circumstances, depending
# on the specific details of the rule. Not supported for the `surrogate_type`
# custom infoType.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
# proximity of hotwords.
"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
# The total length of the window cannot exceed 1000 characters. Note that
# the finding itself will be included in the window, so that hotwords may
# be used to match substrings of the finding itself. For example, the
# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
# adjusted upwards if the area code is known to be the local area code of
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
"windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
# part of a detection rule.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
# levels. For example, if a finding would be `POSSIBLE` without the
# detection rule and `relative_likelihood` is 1, then it is upgraded to
# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
# Likelihood may never drop below `VERY_UNLIKELY` or exceed
# `VERY_LIKELY`, so applying an adjustment of 1 followed by an
# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
# a final likelihood of `LIKELY`.
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
},
},
},
],
"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
# to be returned. It still can be used for rules matching.
"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
# altered by a detection rule if the finding meets the criteria specified by
# the rule. Defaults to `VERY_LIKELY` if not specified.
},
],
"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
# included in the response; see Finding.quote.
"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
# Exclusion rules, contained in the set are executed in the end, other
# rules are executed in the order they are specified for each info type.
{ # Rule set for modifying a set of infoTypes to alter behavior under certain
# circumstances, depending on the specific details of the rules within the set.
"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
{ # A single inspection rule to be applied to infoTypes, specified in
# `InspectionRuleSet`.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
# proximity of hotwords.
"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
# The total length of the window cannot exceed 1000 characters. Note that
# the finding itself will be included in the window, so that hotwords may
# be used to match substrings of the finding itself. For example, the
# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
# adjusted upwards if the area code is known to be the local area code of
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
"windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
# part of a detection rule.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
# levels. For example, if a finding would be `POSSIBLE` without the
# detection rule and `relative_likelihood` is 1, then it is upgraded to
# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
# Likelihood may never drop below `VERY_UNLIKELY` or exceed
# `VERY_LIKELY`, so applying an adjustment of 1 followed by an
# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
# a final likelihood of `LIKELY`.
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
},
},
"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
# `InspectionRuleSet` are removed from results.
"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
# contained within with a finding of an infoType from this list. For
# example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
# `exclusion_rule` containing `exclude_info_types.info_types` with
# "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
# with EMAIL_ADDRESS finding.
# That leads to "555-222-2222@example.org" to generate only a single
# finding, namely email address.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
# be used to match sensitive information specific to the data, such as a list
# of employee IDs or job titles.
#
# Dictionary words are case-insensitive and all characters other than letters
# and digits in the unicode [Basic Multilingual
# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
# will be replaced with whitespace when scanning for matches, so the
# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
# surrounding any match must be of a different type than the adjacent
# characters within the word, so letters must be next to non-letters and
# digits next to non-digits. For example, the dictionary word "jen" will
# match the first three letters of the text "jen123" but will return no
# matches for "jennifer".
#
# Dictionary words containing a large number of characters that are not
# letters or digits may result in unexpected findings because such characters
# are treated as whitespace. The
# [limits](https://cloud.google.com/dlp/limits) page contains details about
# the size limits of dictionaries. For dictionaries that do not fit within
# these constraints, consider using `LargeCustomDictionaryConfig` in the
# `StoredInfoType` API.
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain
# at least one phrase and every phrase must contain at least 2 characters
# that are letters or digits. [required]
"A String",
],
},
"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
# is accepted.
"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
# Example: gs://[BUCKET_NAME]/dictionary.txt
},
},
"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
},
},
],
"infoTypes": [ # List of infoTypes this rule set is applied to.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
"contentOptions": [ # List of options defining data content to scan.
# If empty, text, images, and other content will be included.
"A String",
],
"infoTypes": [ # Restricts what info_types to look for. The values must correspond to
# InfoType values returned by ListInfoTypes or listed at
# https://cloud.google.com/dlp/docs/infotypes-reference.
#
# When no InfoTypes or CustomInfoTypes are specified in a request, the
# system may automatically choose what detectors to run. By default this may
# be all types, but may change over time as detectors are updated.
#
# The special InfoType name "ALL_BASIC" can be used to trigger all detectors,
# but may change over time as new InfoTypes are added. If you need precise
# control and predictability as to what detectors are run you should specify
# specific InfoTypes listed in the reference.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
"item": { # Container structure for the content to inspect. # The item to de-identify. Will be treated as text.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
"headers": [
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
"rows": [
{
"values": [
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
],
},
],
},
"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
"data": "A String", # Content data to inspect or redact.
},
"value": "A String", # String data to inspect or redact.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Results of de-identifying a ContentItem.
"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made on the `item`.
"transformationSummaries": [ # Transformations applied to the dataset.
{ # Summary of a single transformation.
# Only one of 'transformation', 'field_transformation', or 'record_suppress'
# will be set.
"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
"results": [
{ # A collection that informs the user the number of times a particular
# `TransformationResultCode` and error details occurred.
"count": "A String",
"code": "A String",
"details": "A String", # A place for warnings or errors to show up if a transformation didn't
# work as expected.
},
],
"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.
"name": "A String", # Name describing the field.
},
"fieldTransformations": [ # The field transformation that was applied.
# If multiple field transformations are requested for a single field,
# this list will contain all of them; otherwise, only one is supplied.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
},
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
},
"item": { # Container structure for the content to inspect. # The de-identified item.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
"headers": [
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
"rows": [
{
"values": [
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
],
},
],
},
"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
"data": "A String", # Content data to inspect or redact.
},
"value": "A String", # String data to inspect or redact.
},
}
inspect(parent, body, x__xgafv=None)
Finds potentially sensitive info in content.
This method has limits on input size, processing time, and output size.
When no InfoTypes or CustomInfoTypes are specified in this request, the
system will automatically choose what detectors to run. By default this may
be all types, but may change over time as detectors are updated.
For how to guides, see https://cloud.google.com/dlp/docs/inspecting-images
and https://cloud.google.com/dlp/docs/inspecting-text,
Args:
parent: string, The parent resource name, for example projects/my-project-id. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request to search for potentially sensitive info in a ContentItem.
"item": { # Container structure for the content to inspect. # The item to inspect.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
"headers": [
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
"rows": [
{
"values": [
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
],
},
],
},
"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
"data": "A String", # Content data to inspect or redact.
},
"value": "A String", # String data to inspect or redact.
},
"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector. What specified here will override
# the template referenced by the inspect_template_name argument.
# When used with redactContent only info_types and min_likelihood are currently
# used.
"excludeInfoTypes": True or False, # When true, excludes type information of the findings.
"limits": {
"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
# When set within `InspectContentRequest`, the maximum returned is 2000
# regardless if this is set higher.
"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
{ # Max findings configuration per infoType, per content item or long
# running DlpJob.
"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
# info_type should be provided. If InfoTypeLimit does not have an
# info_type, the DLP API applies the limit against all info_types that
# are found but not specified in another InfoTypeLimit.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
# When set within `InspectDataSourceRequest`,
# the maximum returned is 2000 regardless if this is set higher.
# When set within `InspectContentRequest`, this field is ignored.
},
"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
# POSSIBLE.
# See https://cloud.google.com/dlp/docs/likelihood to learn more.
"customInfoTypes": [ # CustomInfoTypes provided by the user. See
# https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
{ # Custom information type provided by the user. Used to find domain-specific
# sensitive information configurable to the data in question.
"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
# support reversing.
# such as
# [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
# These types of transformations are
# those that perform pseudonymization, thereby producing a "surrogate" as
# output. This should be used in conjunction with a field on the
# transformation such as `surrogate_info_type`. This CustomInfoType does
# not support the use of `detection_rules`.
},
"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
# infoType, when the name matches one of existing infoTypes and that infoType
# is specified in `InspectContent.info_types` field. Specifying the latter
# adds findings to the one detected by the system. If built-in info type is
# not specified in `InspectContent.info_types` list then the name is treated
# as a custom info type.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
# be used to match sensitive information specific to the data, such as a list
# of employee IDs or job titles.
#
# Dictionary words are case-insensitive and all characters other than letters
# and digits in the unicode [Basic Multilingual
# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
# will be replaced with whitespace when scanning for matches, so the
# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
# surrounding any match must be of a different type than the adjacent
# characters within the word, so letters must be next to non-letters and
# digits next to non-digits. For example, the dictionary word "jen" will
# match the first three letters of the text "jen123" but will return no
# matches for "jennifer".
#
# Dictionary words containing a large number of characters that are not
# letters or digits may result in unexpected findings because such characters
# are treated as whitespace. The
# [limits](https://cloud.google.com/dlp/limits) page contains details about
# the size limits of dictionaries. For dictionaries that do not fit within
# these constraints, consider using `LargeCustomDictionaryConfig` in the
# `StoredInfoType` API.
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain
# at least one phrase and every phrase must contain at least 2 characters
# that are letters or digits. [required]
"A String",
],
},
"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
# is accepted.
"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
# Example: gs://[BUCKET_NAME]/dictionary.txt
},
},
"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
# `InspectDataSource`. Not currently supported in `InspectContent`.
"name": "A String", # Resource name of the requested `StoredInfoType`, for example
# `organizations/433245324/storedInfoTypes/432452342` or
# `projects/project-id/storedInfoTypes/432452342`.
"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
# inspection was created. Output-only field, populated by the system.
},
"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
# Rules are applied in order that they are specified. Not supported for the
# `surrogate_type` CustomInfoType.
{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
# `CustomInfoType` to alter behavior under certain circumstances, depending
# on the specific details of the rule. Not supported for the `surrogate_type`
# custom infoType.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
# proximity of hotwords.
"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
# The total length of the window cannot exceed 1000 characters. Note that
# the finding itself will be included in the window, so that hotwords may
# be used to match substrings of the finding itself. For example, the
# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
# adjusted upwards if the area code is known to be the local area code of
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
"windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
# part of a detection rule.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
# levels. For example, if a finding would be `POSSIBLE` without the
# detection rule and `relative_likelihood` is 1, then it is upgraded to
# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
# Likelihood may never drop below `VERY_UNLIKELY` or exceed
# `VERY_LIKELY`, so applying an adjustment of 1 followed by an
# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
# a final likelihood of `LIKELY`.
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
},
},
},
],
"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
# to be returned. It still can be used for rules matching.
"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
# altered by a detection rule if the finding meets the criteria specified by
# the rule. Defaults to `VERY_LIKELY` if not specified.
},
],
"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
# included in the response; see Finding.quote.
"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
# Exclusion rules, contained in the set are executed in the end, other
# rules are executed in the order they are specified for each info type.
{ # Rule set for modifying a set of infoTypes to alter behavior under certain
# circumstances, depending on the specific details of the rules within the set.
"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
{ # A single inspection rule to be applied to infoTypes, specified in
# `InspectionRuleSet`.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
# proximity of hotwords.
"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
# The total length of the window cannot exceed 1000 characters. Note that
# the finding itself will be included in the window, so that hotwords may
# be used to match substrings of the finding itself. For example, the
# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
# adjusted upwards if the area code is known to be the local area code of
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
"windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
# part of a detection rule.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
# levels. For example, if a finding would be `POSSIBLE` without the
# detection rule and `relative_likelihood` is 1, then it is upgraded to
# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
# Likelihood may never drop below `VERY_UNLIKELY` or exceed
# `VERY_LIKELY`, so applying an adjustment of 1 followed by an
# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
# a final likelihood of `LIKELY`.
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
},
},
"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
# `InspectionRuleSet` are removed from results.
"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
# contained within with a finding of an infoType from this list. For
# example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
# `exclusion_rule` containing `exclude_info_types.info_types` with
# "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
# with EMAIL_ADDRESS finding.
# That leads to "555-222-2222@example.org" to generate only a single
# finding, namely email address.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
# be used to match sensitive information specific to the data, such as a list
# of employee IDs or job titles.
#
# Dictionary words are case-insensitive and all characters other than letters
# and digits in the unicode [Basic Multilingual
# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
# will be replaced with whitespace when scanning for matches, so the
# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
# surrounding any match must be of a different type than the adjacent
# characters within the word, so letters must be next to non-letters and
# digits next to non-digits. For example, the dictionary word "jen" will
# match the first three letters of the text "jen123" but will return no
# matches for "jennifer".
#
# Dictionary words containing a large number of characters that are not
# letters or digits may result in unexpected findings because such characters
# are treated as whitespace. The
# [limits](https://cloud.google.com/dlp/limits) page contains details about
# the size limits of dictionaries. For dictionaries that do not fit within
# these constraints, consider using `LargeCustomDictionaryConfig` in the
# `StoredInfoType` API.
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain
# at least one phrase and every phrase must contain at least 2 characters
# that are letters or digits. [required]
"A String",
],
},
"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
# is accepted.
"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
# Example: gs://[BUCKET_NAME]/dictionary.txt
},
},
"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
},
},
],
"infoTypes": [ # List of infoTypes this rule set is applied to.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
"contentOptions": [ # List of options defining data content to scan.
# If empty, text, images, and other content will be included.
"A String",
],
"infoTypes": [ # Restricts what info_types to look for. The values must correspond to
# InfoType values returned by ListInfoTypes or listed at
# https://cloud.google.com/dlp/docs/infotypes-reference.
#
# When no InfoTypes or CustomInfoTypes are specified in a request, the
# system may automatically choose what detectors to run. By default this may
# be all types, but may change over time as detectors are updated.
#
# The special InfoType name "ALL_BASIC" can be used to trigger all detectors,
# but may change over time as new InfoTypes are added. If you need precise
# control and predictability as to what detectors are run you should specify
# specific InfoTypes listed in the reference.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
"inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in
# inspect_config will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Results of inspecting an item.
"result": { # All the findings for a single scanned item. # The findings.
"findingsTruncated": True or False, # If true, then this item might have more findings than were returned,
# and the findings returned are an arbitrary subset of all findings.
# The findings list might be truncated because the input items were too
# large, or because the server reached the maximum amount of resources
# allowed for a single API call. For best results, divide the input into
# smaller batches.
"findings": [ # List of findings for an item.
{ # Represents a piece of potentially sensitive content.
"infoType": { # Type of information detected by the API. # The type of content that might have been found.
# Provided if `excluded_types` is false.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"quote": "A String", # The content that was found. Even if the content is not textual, it
# may be converted to a textual representation here.
# Provided if `include_quote` is true and the finding is
# less than or equal to 4096 bytes long. If the finding exceeds 4096 bytes
# in length, the quote may be omitted.
"quoteInfo": { # Message for infoType-dependent details parsed from quote. # Contains data parsed from quotes. Only populated if include_quote was set
# to true and a supported infoType was requested. Currently supported
# infoTypes: DATE, DATE_OF_BIRTH and TIME.
"dateTime": { # Message for a date time object. # The date time indicated by the quote.
# e.g. 2018-01-01, 5th August.
"dayOfWeek": "A String",
"timeZone": {
"offsetMinutes": 42, # Set only if the offset can be determined. Positive for time ahead of UTC.
# E.g. For "UTC-9", this value is -540.
},
"date": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day # One or more of the following must be set. All fields are optional, but
# when set must be valid date or time values.
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"time": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
},
},
"location": { # Specifies the location of the finding. # Where the content was found.
"byteRange": { # Generic half-open interval [start, end) # Zero-based byte offsets delimiting the finding.
# These are relative to the finding's containing element.
# Note that when the content is not textual, this references
# the UTF-8 encoded textual representation of the content.
# Omitted if content is an image.
"start": "A String", # Index of the first character of the range (inclusive).
"end": "A String", # Index of the last character of the range (exclusive).
},
"codepointRange": { # Generic half-open interval [start, end) # Unicode character offsets delimiting the finding.
# These are relative to the finding's containing element.
# Provided when the content is text.
"start": "A String", # Index of the first character of the range (inclusive).
"end": "A String", # Index of the last character of the range (exclusive).
},
"contentLocations": [ # List of nested objects pointing to the precise location of the finding
# within the file or record.
{ # Findings container location data.
"containerName": "A String", # Name of the container where the finding is located.
# The top level name is the source file name or table name. Names of some
# common storage containers are formatted as follows:
#
# * BigQuery tables: `:.`
# * Cloud Storage files: `gs:///`
# * Datastore namespace:
#
# Nested names could be absent if the embedded object has no string
# identifier (for an example an image contained within a document).
"containerVersion": "A String", # Findings container version, if available
# ("generation" for Google Cloud Storage).
"containerTimestamp": "A String", # Findings container modification timestamp, if applicable.
# For Google Cloud Storage contains last file modification timestamp.
# For BigQuery table contains last_modified_time property.
# For Datastore - not populated.
"documentLocation": { # Location of a finding within a document. # Location data for document files.
"fileOffset": "A String", # Offset of the line, from the beginning of the file, where the finding
# is located.
},
"imageLocation": { # Location of the finding within an image. # Location within an image's pixels.
"boundingBoxes": [ # Bounding boxes locating the pixels within the image containing the finding.
{ # Bounding box encompassing detected text within an image.
"width": 42, # Width of the bounding box in pixels.
"top": 42, # Top coordinate of the bounding box. (0,0) is upper left.
"left": 42, # Left coordinate of the bounding box. (0,0) is upper left.
"height": 42, # Height of the bounding box in pixels.
},
],
},
"recordLocation": { # Location of a finding within a row or record. # Location within a row or record of a database table.
"fieldId": { # General identifier of a data field in a storage service. # Field id of the field containing the finding.
"name": "A String", # Name describing the field.
},
"tableLocation": { # Location of a finding within a table. # Location within a `ContentItem.Table`.
"rowIndex": "A String", # The zero-based index of the row where the finding is located.
},
"recordKey": { # Message for a unique key indicating a record that contains a finding. # Key of the finding.
"bigQueryKey": { # Row key for identifying a record in BigQuery table.
"tableReference": { # Message defining the location of a BigQuery table. A table is uniquely # Complete BigQuery table reference.
# identified by its project_id, dataset_id, and table_name. Within a query
# a table is often referenced with a string in the format of:
# `:.` or
# `..`.
"projectId": "A String", # The Google Cloud Platform project ID of the project containing the table.
# If omitted, project ID is inferred from the API call.
"tableId": "A String", # Name of the table.
"datasetId": "A String", # Dataset ID of the table.
},
"rowNumber": "A String", # Absolute number of the row from the beginning of the table at the time
# of scanning.
},
"idValues": [ # Values of identifying columns in the given row. Order of values matches
# the order of field identifiers specified in the scanning request.
"A String",
],
"datastoreKey": { # Record key for a finding in Cloud Datastore.
"entityKey": { # A unique identifier for a Datastore entity. # Datastore entity key.
# If a key's partition ID or any of its path kinds or names are
# reserved/read-only, the key is reserved/read-only.
# A reserved/read-only key is forbidden in certain documented contexts.
"path": [ # The entity path.
# An entity path consists of one or more elements composed of a kind and a
# string or numerical identifier, which identify entities. The first
# element identifies a _root entity_, the second element identifies
# a _child_ of the root entity, the third element identifies a child of the
# second entity, and so forth. The entities identified by all prefixes of
# the path are called the element's _ancestors_.
#
# A path can never be empty, and a path can have at most 100 elements.
{ # A (kind, ID/name) pair used to construct a key path.
#
# If either name or ID is set, the element is complete.
# If neither is set, the element is incomplete.
"kind": "A String", # The kind of the entity.
# A kind matching regex `__.*__` is reserved/read-only.
# A kind must not contain more than 1500 bytes when UTF-8 encoded.
# Cannot be `""`.
"name": "A String", # The name of the entity.
# A name matching regex `__.*__` is reserved/read-only.
# A name must not be more than 1500 bytes when UTF-8 encoded.
# Cannot be `""`.
"id": "A String", # The auto-allocated ID of the entity.
# Never equal to zero. Values less than zero are discouraged and may not
# be supported in the future.
},
],
"partitionId": { # Datastore partition ID. # Entities are partitioned into subsets, currently identified by a project
# ID and namespace ID.
# Queries are scoped to a single partition.
# A partition ID identifies a grouping of entities. The grouping is always
# by project and namespace, however the namespace ID may be empty.
#
# A partition ID contains several dimensions:
# project ID and namespace ID.
"projectId": "A String", # The ID of the project to which the entities belong.
"namespaceId": "A String", # If not empty, the ID of the namespace to which the entities belong.
},
},
},
},
},
},
],
},
"likelihood": "A String", # Confidence of how likely it is that the `info_type` is correct.
"createTime": "A String", # Timestamp when finding was detected.
},
],
},
}
reidentify(parent, body, x__xgafv=None)
Re-identifies content that has been de-identified.
See
https://cloud.google.com/dlp/docs/pseudonymization#re-identification_in_free_text_code_example
to learn more.
Args:
parent: string, The parent resource name. (required)
body: object, The request body. (required)
The object takes the form of:
{ # Request to re-identify an item.
"reidentifyConfig": { # The configuration that controls how the data will change. # Configuration for the re-identification of the content item.
# This field shares the same proto message type that is used for
# de-identification, however its usage here is for the reversal of the
# previous de-identification. Re-identification is performed by examining
# the transformations used to de-identify the items and executing the
# reverse. This requires that only reversible transformations
# be provided here. The reversible transformations are:
#
# - `CryptoReplaceFfxFpeConfig`
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the dataset as free-form text and apply the same free text
# transformation everywhere.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"recordTransformations": { # A type of transformation that is applied over structured data such as a # Treat the dataset as structured. Transformations can be applied to
# specific locations within structured datasets, such as transforming
# a column within a table.
# table.
"recordSuppressions": [ # Configuration defining which records get suppressed entirely. Records that
# match any suppression rule are omitted from the output [optional].
{ # Configuration to suppress records whose suppression conditions evaluate to
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
],
"fieldTransformations": [ # Transform the record by applying various field transformations.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
},
},
"reidentifyTemplateName": "A String", # Optional template to use. References an instance of `DeidentifyTemplate`.
# Any configuration directly specified in `reidentify_config` or
# `inspect_config` will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
"inspectConfig": { # Configuration description of the scanning process. # Configuration for the inspector.
# When used with redactContent only info_types and min_likelihood are currently
# used.
"excludeInfoTypes": True or False, # When true, excludes type information of the findings.
"limits": {
"maxFindingsPerRequest": 42, # Max number of findings that will be returned per request/job.
# When set within `InspectContentRequest`, the maximum returned is 2000
# regardless if this is set higher.
"maxFindingsPerInfoType": [ # Configuration of findings limit given for specified infoTypes.
{ # Max findings configuration per infoType, per content item or long
# running DlpJob.
"infoType": { # Type of information detected by the API. # Type of information the findings limit applies to. Only one limit per
# info_type should be provided. If InfoTypeLimit does not have an
# info_type, the DLP API applies the limit against all info_types that
# are found but not specified in another InfoTypeLimit.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"maxFindings": 42, # Max findings limit for the given infoType.
},
],
"maxFindingsPerItem": 42, # Max number of findings that will be returned for each item scanned.
# When set within `InspectDataSourceRequest`,
# the maximum returned is 2000 regardless if this is set higher.
# When set within `InspectContentRequest`, this field is ignored.
},
"minLikelihood": "A String", # Only returns findings equal or above this threshold. The default is
# POSSIBLE.
# See https://cloud.google.com/dlp/docs/likelihood to learn more.
"customInfoTypes": [ # CustomInfoTypes provided by the user. See
# https://cloud.google.com/dlp/docs/creating-custom-infotypes to learn more.
{ # Custom information type provided by the user. Used to find domain-specific
# sensitive information configurable to the data in question.
"regex": { # Message defining a custom regular expression. # Regular expression based CustomInfoType.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"surrogateType": { # Message for detecting output from deidentification transformations # Message for detecting output from deidentification transformations that
# support reversing.
# such as
# [`CryptoReplaceFfxFpeConfig`](/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#cryptoreplaceffxfpeconfig).
# These types of transformations are
# those that perform pseudonymization, thereby producing a "surrogate" as
# output. This should be used in conjunction with a field on the
# transformation such as `surrogate_info_type`. This CustomInfoType does
# not support the use of `detection_rules`.
},
"infoType": { # Type of information detected by the API. # CustomInfoType can either be a new infoType, or an extension of built-in
# infoType, when the name matches one of existing infoTypes and that infoType
# is specified in `InspectContent.info_types` field. Specifying the latter
# adds findings to the one detected by the system. If built-in info type is
# not specified in `InspectContent.info_types` list then the name is treated
# as a custom info type.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # A list of phrases to detect as a CustomInfoType.
# be used to match sensitive information specific to the data, such as a list
# of employee IDs or job titles.
#
# Dictionary words are case-insensitive and all characters other than letters
# and digits in the unicode [Basic Multilingual
# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
# will be replaced with whitespace when scanning for matches, so the
# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
# surrounding any match must be of a different type than the adjacent
# characters within the word, so letters must be next to non-letters and
# digits next to non-digits. For example, the dictionary word "jen" will
# match the first three letters of the text "jen123" but will return no
# matches for "jennifer".
#
# Dictionary words containing a large number of characters that are not
# letters or digits may result in unexpected findings because such characters
# are treated as whitespace. The
# [limits](https://cloud.google.com/dlp/limits) page contains details about
# the size limits of dictionaries. For dictionaries that do not fit within
# these constraints, consider using `LargeCustomDictionaryConfig` in the
# `StoredInfoType` API.
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain
# at least one phrase and every phrase must contain at least 2 characters
# that are letters or digits. [required]
"A String",
],
},
"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
# is accepted.
"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
# Example: gs://[BUCKET_NAME]/dictionary.txt
},
},
"storedType": { # A reference to a StoredInfoType to use with scanning. # Load an existing `StoredInfoType` resource for use in
# `InspectDataSource`. Not currently supported in `InspectContent`.
"name": "A String", # Resource name of the requested `StoredInfoType`, for example
# `organizations/433245324/storedInfoTypes/432452342` or
# `projects/project-id/storedInfoTypes/432452342`.
"createTime": "A String", # Timestamp indicating when the version of the `StoredInfoType` used for
# inspection was created. Output-only field, populated by the system.
},
"detectionRules": [ # Set of detection rules to apply to all findings of this CustomInfoType.
# Rules are applied in order that they are specified. Not supported for the
# `surrogate_type` CustomInfoType.
{ # Deprecated; use `InspectionRuleSet` instead. Rule for modifying a
# `CustomInfoType` to alter behavior under certain circumstances, depending
# on the specific details of the rule. Not supported for the `surrogate_type`
# custom infoType.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
# proximity of hotwords.
"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
# The total length of the window cannot exceed 1000 characters. Note that
# the finding itself will be included in the window, so that hotwords may
# be used to match substrings of the finding itself. For example, the
# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
# adjusted upwards if the area code is known to be the local area code of
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
"windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
# part of a detection rule.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
# levels. For example, if a finding would be `POSSIBLE` without the
# detection rule and `relative_likelihood` is 1, then it is upgraded to
# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
# Likelihood may never drop below `VERY_UNLIKELY` or exceed
# `VERY_LIKELY`, so applying an adjustment of 1 followed by an
# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
# a final likelihood of `LIKELY`.
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
},
},
},
],
"exclusionType": "A String", # If set to EXCLUSION_TYPE_EXCLUDE this infoType will not cause a finding
# to be returned. It still can be used for rules matching.
"likelihood": "A String", # Likelihood to return for this CustomInfoType. This base value can be
# altered by a detection rule if the finding meets the criteria specified by
# the rule. Defaults to `VERY_LIKELY` if not specified.
},
],
"includeQuote": True or False, # When true, a contextual quote from the data that triggered a finding is
# included in the response; see Finding.quote.
"ruleSet": [ # Set of rules to apply to the findings for this InspectConfig.
# Exclusion rules, contained in the set are executed in the end, other
# rules are executed in the order they are specified for each info type.
{ # Rule set for modifying a set of infoTypes to alter behavior under certain
# circumstances, depending on the specific details of the rules within the set.
"rules": [ # Set of rules to be applied to infoTypes. The rules are applied in order.
{ # A single inspection rule to be applied to infoTypes, specified in
# `InspectionRuleSet`.
"hotwordRule": { # The rule that adjusts the likelihood of findings within a certain # Hotword-based detection rule.
# proximity of hotwords.
"proximity": { # Message for specifying a window around a finding to apply a detection # Proximity of the finding within which the entire hotword must reside.
# The total length of the window cannot exceed 1000 characters. Note that
# the finding itself will be included in the window, so that hotwords may
# be used to match substrings of the finding itself. For example, the
# certainty of a phone number regex "\(\d{3}\) \d{3}-\d{4}" could be
# adjusted upwards if the area code is known to be the local area code of
# a company office using the hotword regex "\(xxx\)", where "xxx"
# is the area code in question.
# rule.
"windowAfter": 42, # Number of characters after the finding to consider.
"windowBefore": 42, # Number of characters before the finding to consider.
},
"hotwordRegex": { # Message defining a custom regular expression. # Regular expression pattern defining what qualifies as a hotword.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"likelihoodAdjustment": { # Message for specifying an adjustment to the likelihood of a finding as # Likelihood adjustment to apply to all matching findings.
# part of a detection rule.
"relativeLikelihood": 42, # Increase or decrease the likelihood by the specified number of
# levels. For example, if a finding would be `POSSIBLE` without the
# detection rule and `relative_likelihood` is 1, then it is upgraded to
# `LIKELY`, while a value of -1 would downgrade it to `UNLIKELY`.
# Likelihood may never drop below `VERY_UNLIKELY` or exceed
# `VERY_LIKELY`, so applying an adjustment of 1 followed by an
# adjustment of -1 when base likelihood is `VERY_LIKELY` will result in
# a final likelihood of `LIKELY`.
"fixedLikelihood": "A String", # Set the likelihood of a finding to a fixed value.
},
},
"exclusionRule": { # The rule that specifies conditions when findings of infoTypes specified in # Exclusion rule.
# `InspectionRuleSet` are removed from results.
"regex": { # Message defining a custom regular expression. # Regular expression which defines the rule.
"pattern": "A String", # Pattern defining the regular expression. Its syntax
# (https://github.com/google/re2/wiki/Syntax) can be found under the
# google/re2 repository on GitHub.
"groupIndexes": [ # The index of the submatch to extract as findings. When not
# specified, the entire match is returned. No more than 3 may be included.
42,
],
},
"excludeInfoTypes": { # List of exclude infoTypes. # Set of infoTypes for which findings would affect this rule.
"infoTypes": [ # InfoType list in ExclusionRule rule drops a finding when it overlaps or
# contained within with a finding of an infoType from this list. For
# example, for `InspectionRuleSet.info_types` containing "PHONE_NUMBER"` and
# `exclusion_rule` containing `exclude_info_types.info_types` with
# "EMAIL_ADDRESS" the phone number findings are dropped if they overlap
# with EMAIL_ADDRESS finding.
# That leads to "555-222-2222@example.org" to generate only a single
# finding, namely email address.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
"dictionary": { # Custom information type based on a dictionary of words or phrases. This can # Dictionary which defines the rule.
# be used to match sensitive information specific to the data, such as a list
# of employee IDs or job titles.
#
# Dictionary words are case-insensitive and all characters other than letters
# and digits in the unicode [Basic Multilingual
# Plane](https://en.wikipedia.org/wiki/Plane_%28Unicode%29#Basic_Multilingual_Plane)
# will be replaced with whitespace when scanning for matches, so the
# dictionary phrase "Sam Johnson" will match all three phrases "sam johnson",
# "Sam, Johnson", and "Sam (Johnson)". Additionally, the characters
# surrounding any match must be of a different type than the adjacent
# characters within the word, so letters must be next to non-letters and
# digits next to non-digits. For example, the dictionary word "jen" will
# match the first three letters of the text "jen123" but will return no
# matches for "jennifer".
#
# Dictionary words containing a large number of characters that are not
# letters or digits may result in unexpected findings because such characters
# are treated as whitespace. The
# [limits](https://cloud.google.com/dlp/limits) page contains details about
# the size limits of dictionaries. For dictionaries that do not fit within
# these constraints, consider using `LargeCustomDictionaryConfig` in the
# `StoredInfoType` API.
"wordList": { # Message defining a list of words or phrases to search for in the data. # List of words or phrases to search for.
"words": [ # Words or phrases defining the dictionary. The dictionary must contain
# at least one phrase and every phrase must contain at least 2 characters
# that are letters or digits. [required]
"A String",
],
},
"cloudStoragePath": { # Message representing a single file or path in Cloud Storage. # Newline-delimited file of words in Cloud Storage. Only a single file
# is accepted.
"path": "A String", # A url representing a file or path (no wildcards) in Cloud Storage.
# Example: gs://[BUCKET_NAME]/dictionary.txt
},
},
"matchingType": "A String", # How the rule is applied, see MatchingType documentation for details.
},
},
],
"infoTypes": [ # List of infoTypes this rule set is applied to.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
"contentOptions": [ # List of options defining data content to scan.
# If empty, text, images, and other content will be included.
"A String",
],
"infoTypes": [ # Restricts what info_types to look for. The values must correspond to
# InfoType values returned by ListInfoTypes or listed at
# https://cloud.google.com/dlp/docs/infotypes-reference.
#
# When no InfoTypes or CustomInfoTypes are specified in a request, the
# system may automatically choose what detectors to run. By default this may
# be all types, but may change over time as detectors are updated.
#
# The special InfoType name "ALL_BASIC" can be used to trigger all detectors,
# but may change over time as new InfoTypes are added. If you need precise
# control and predictability as to what detectors are run you should specify
# specific InfoTypes listed in the reference.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
"inspectTemplateName": "A String", # Optional template to use. Any configuration directly specified in
# `inspect_config` will override those set in the template. Singular fields
# that are set in this request will replace their corresponding fields in the
# template. Repeated fields are appended. Singular sub-messages and groups
# are recursively merged.
"item": { # Container structure for the content to inspect. # The item to re-identify. Will be treated as text.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
"headers": [
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
"rows": [
{
"values": [
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
],
},
],
},
"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
"data": "A String", # Content data to inspect or redact.
},
"value": "A String", # String data to inspect or redact.
},
}
x__xgafv: string, V1 error format.
Allowed values
1 - v1 error format
2 - v2 error format
Returns:
An object of the form:
{ # Results of re-identifying a item.
"overview": { # Overview of the modifications that occurred. # An overview of the changes that were made to the `item`.
"transformationSummaries": [ # Transformations applied to the dataset.
{ # Summary of a single transformation.
# Only one of 'transformation', 'field_transformation', or 'record_suppress'
# will be set.
"infoType": { # Type of information detected by the API. # Set if the transformation was limited to a specific InfoType.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
"recordSuppress": { # Configuration to suppress records whose suppression conditions evaluate to # The specific suppression option these stats apply to.
# true.
"condition": { # A condition for determining whether a transformation should be applied to # A condition that when it evaluates to true will result in the record being
# evaluated to be suppressed from the transformed content.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
},
"results": [
{ # A collection that informs the user the number of times a particular
# `TransformationResultCode` and error details occurred.
"count": "A String",
"code": "A String",
"details": "A String", # A place for warnings or errors to show up if a transformation didn't
# work as expected.
},
],
"field": { # General identifier of a data field in a storage service. # Set if the transformation was limited to a specific FieldId.
"name": "A String", # Name describing the field.
},
"fieldTransformations": [ # The field transformation that was applied.
# If multiple field transformations are requested for a single field,
# this list will contain all of them; otherwise, only one is supplied.
{ # The transformation to apply to the field.
"infoTypeTransformations": { # A type of transformation that will scan unstructured text and # Treat the contents of the field as free text, and selectively
# transform content that matches an `InfoType`.
# apply various `PrimitiveTransformation`s to each finding, where the
# transformation is applied to only values that were identified as a specific
# info_type.
"transformations": [ # Transformation for each infoType. Cannot specify more than one
# for a given infoType. [required]
{ # A transformation to apply to text that is identified as a specific
# info_type.
"primitiveTransformation": { # A rule for transforming a value. # Primitive transformation to apply to the infoType. [required]
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"infoTypes": [ # InfoTypes to apply the transformation to. An empty list will cause
# this transformation to apply to all findings that correspond to
# infoTypes that were requested in `InspectConfig`.
{ # Type of information detected by the API.
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
],
},
],
},
"primitiveTransformation": { # A rule for transforming a value. # Apply the transformation to the entire field.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
"condition": { # A condition for determining whether a transformation should be applied to # Only apply the transformation if the condition evaluates to true for the
# given `RecordCondition`. The conditions are allowed to reference fields
# that are not used in the actual transformation. [optional]
#
# Example Use Cases:
#
# - Apply a different bucket transformation to an age column if the zip code
# column for the same record is within a specific range.
# - Redact a field if the date of birth field is greater than 85.
# a field.
"expressions": { # An expression, consisting or an operator and conditions. # An expression.
"conditions": { # A collection of conditions.
"conditions": [
{ # The field type of `value` and `field` do not need to match to be
# considered equal, but not all comparisons are possible.
# EQUAL_TO and NOT_EQUAL_TO attempt to compare even with incompatible types,
# but all other comparisons are invalid with incompatible types.
# A `value` of type:
#
# - `string` can be compared against all other types
# - `boolean` can only be compared against other booleans
# - `integer` can be compared against doubles or a string if the string value
# can be parsed as an integer.
# - `double` can be compared against integers or a string if the string can
# be parsed as a double.
# - `Timestamp` can be compared against strings in RFC 3339 date string
# format.
# - `TimeOfDay` can be compared against timestamps and strings in the format
# of 'HH:mm:ss'.
#
# If we fail to compare do to type mismatch, a warning will be given and
# the condition will evaluate to false.
"operator": "A String", # Operator used to compare the field or infoType to the value. [required]
"field": { # General identifier of a data field in a storage service. # Field within the record this condition is evaluated against. [required]
"name": "A String", # Name describing the field.
},
"value": { # Set of primitive values supported by the system. # Value to compare against. [Required, except for `EXISTS` tests.]
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"logicalOperator": "A String", # The operator to apply to the result of conditions. Default and currently
# only supported value is `AND`.
},
},
"fields": [ # Input field(s) to apply the transformation to. [required]
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
},
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
"transformation": { # A rule for transforming a value. # The specific transformation these stats apply to.
"characterMaskConfig": { # Partially mask a string by replacing a given number of characters with a
# fixed character. Masking can start from the beginning or end of the string.
# This can be used on data of any type (numbers, longs, and so on) and when
# de-identifying structured data we'll attempt to preserve the original data's
# type. (This allows you to take a long like 123 and modify it to a string like
# **3.
"charactersToIgnore": [ # When masking a string, items in this list will be skipped when replacing.
# For example, if your string is 555-555-5555 and you ask us to skip `-` and
# mask 5 chars with * we would produce ***-*55-5555.
{ # Characters to skip when doing deidentification of a value. These will be left
# alone and skipped.
"commonCharactersToIgnore": "A String",
"charactersToSkip": "A String",
},
],
"numberToMask": 42, # Number of characters to mask. If not set, all matching chars will be
# masked. Skipped characters do not count towards this tally.
"maskingCharacter": "A String", # Character to mask the sensitive values—for example, "*" for an
# alphabetic string such as name, or "0" for a numeric string such as ZIP
# code or credit card number. String must have length 1. If not supplied, we
# will default to "*" for strings, 0 for digits.
"reverseOrder": True or False, # Mask characters in reverse order. For example, if `masking_character` is
# '0', number_to_mask is 14, and `reverse_order` is false, then
# 1234-5678-9012-3456 -> 00000000000000-3456
# If `masking_character` is '*', `number_to_mask` is 3, and `reverse_order`
# is true, then 12345 -> 12***
},
"redactConfig": { # Redact a given value. For example, if used with an `InfoTypeTransformation`
# transforming PHONE_NUMBER, and input 'My phone number is 206-555-0123', the
# output would be 'My phone number is '.
},
"cryptoDeterministicConfig": { # Pseudonymization method that generates deterministic encryption for the given
# input. Outputs a base64 encoded representation of the encrypted output.
# Uses AES-SIV based on the RFC https://tools.ietf.org/html/rfc5297.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"context": { # General identifier of a data field in a storage service. # Optional. A context may be used for higher security and maintaining
# referential integrity such that the same identifier in two different
# contexts will be given a distinct surrogate. The context is appended to
# plaintext value being encrypted. On decryption the provided context is
# validated against the value used during encryption. If a context was
# provided during encryption, same context must be provided during decryption
# as well.
#
# If the context is not set, plaintext would be used as is for encryption.
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 2. the field is not present when transforming a given value,
#
# plaintext would be used as is for encryption.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom info type to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom info type followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: ():
#
# For example, if the name of custom info type is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom info type 'Surrogate'. This facilitates reversal of the
# surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this info type must
# not occur naturally anywhere in your data; otherwise, inspection may either
#
# - reverse a surrogate that does not correspond to an actual identifier
# - be unable to parse the surrogate and result in an error
#
# Therefore, choose your custom info type name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"fixedSizeBucketingConfig": { # Buckets values based on fixed size ranges. The
# Bucketing transformation can provide all of this functionality,
# but requires more configuration. This message is provided as a convenience to
# the user for simple bucketing strategies.
#
# The transformed value will be a hyphenated string of
# -, i.e if lower_bound = 10 and upper_bound = 20
# all values that are within this bucket will be replaced with "10-20".
#
# This can be used on data of type: double, long.
#
# If the bound Value type differs from the type of data
# being transformed, we will first attempt converting the type of the data to
# be transformed to match the type of the bound before comparing.
#
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"lowerBound": { # Set of primitive values supported by the system. # Lower bound value of buckets. All values less than `lower_bound` are
# grouped together into a single bucket; for example if `lower_bound` = 10,
# then all values less than 10 are replaced with the value “-10”. [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"upperBound": { # Set of primitive values supported by the system. # Upper bound value of buckets. All values greater than upper_bound are
# grouped together into a single bucket; for example if `upper_bound` = 89,
# then all values greater than 89 are replaced with the value “89+”.
# [Required].
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"bucketSize": 3.14, # Size of each bucket (except for minimum and maximum buckets). So if
# `lower_bound` = 10, `upper_bound` = 89, and `bucket_size` = 10, then the
# following buckets would be used: -10, 10-20, 20-30, 30-40, 40-50, 50-60,
# 60-70, 70-80, 80-89, 89+. Precision up to 2 decimals works. [Required].
},
"replaceWithInfoTypeConfig": { # Replace each matching finding with the name of the info_type.
},
"timePartConfig": { # For use with `Date`, `Timestamp`, and `TimeOfDay`, extract or preserve a
# portion of the value.
"partToExtract": "A String",
},
"cryptoHashConfig": { # Pseudonymization method that generates surrogates via cryptographic hashing.
# Uses SHA-256.
# The key size must be either 32 or 64 bytes.
# Outputs a base64 encoded representation of the hashed output
# (for example, L7k0BHmF1ha5U3NfGykjro4xWi1MPVQPjhMAZbSV9mM=).
# Currently, only string and integer values can be hashed.
# See https://cloud.google.com/dlp/docs/pseudonymization to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the hash function.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
},
"dateShiftConfig": { # Shifts dates by random number of days, with option to be consistent for the
# same context. See https://cloud.google.com/dlp/docs/concepts-date-shifting
# to learn more.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # Causes the shift to be computed based on this key and the context. This
# results in the same shift for the same context and crypto_key.
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"lowerBoundDays": 42, # For example, -5 means shift date to at most 5 days back in the past.
# [Required]
"upperBoundDays": 42, # Range of shift in days. Actual shift will be selected at random within this
# range (inclusive ends). Negative means shift to earlier in time. Must not
# be more than 365250 days (1000 years) each direction.
#
# For example, 3 means shift date to at most 3 days into the future.
# [Required]
"context": { # General identifier of a data field in a storage service. # Points to the field that contains the context, for example, an entity id.
# If set, must also set method. If set, shift will be consistent for the
# given context.
"name": "A String", # Name describing the field.
},
},
"bucketingConfig": { # Generalization function that buckets values based on ranges. The ranges and
# replacement values are dynamically provided by the user for custom behavior,
# such as 1-30 -> LOW 31-65 -> MEDIUM 66-100 -> HIGH
# This can be used on
# data of type: number, long, string, timestamp.
# If the bound `Value` type differs from the type of data being transformed, we
# will first attempt converting the type of the data to be transformed to match
# the type of the bound before comparing.
# See https://cloud.google.com/dlp/docs/concepts-bucketing to learn more.
"buckets": [ # Set of buckets. Ranges must be non-overlapping.
{ # Bucket is represented as a range, along with replacement values.
"max": { # Set of primitive values supported by the system. # Upper bound of the range, exclusive; type must match min.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"replacementValue": { # Set of primitive values supported by the system. # Replacement value for this bucket. If not provided
# the default behavior will be to hyphenate the min-max range.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
"min": { # Set of primitive values supported by the system. # Lower bound of the range, inclusive. Type should be the same as max if
# used.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
],
},
"cryptoReplaceFfxFpeConfig": { # Replaces an identifier with a surrogate using Format Preserving Encryption
# (FPE) with the FFX mode of operation; however when used in the
# `ReidentifyContent` API method, it serves the opposite function by reversing
# the surrogate back into the original identifier. The identifier must be
# encoded as ASCII. For a given crypto key and context, the same identifier
# will be replaced with the same surrogate. Identifiers must be at least two
# characters long. In the case that the identifier is the empty string, it will
# be skipped. See https://cloud.google.com/dlp/docs/pseudonymization to learn
# more.
#
# Note: We recommend using CryptoDeterministicConfig for all use cases which
# do not require preserving the input alphabet space and size, plus warrant
# referential integrity.
"cryptoKey": { # This is a data encryption key (DEK) (as opposed to # The key used by the encryption algorithm. [required]
# a key encryption key (KEK) stored by KMS).
# When using KMS to wrap/unwrap DEKs, be sure to set an appropriate
# IAM policy on the KMS CryptoKey (KEK) to ensure an attacker cannot
# unwrap the data crypto key.
"kmsWrapped": { # Include to use an existing data crypto key wrapped by KMS.
# The wrapped key must be a 128/192/256 bit key.
# Authorization requires the following IAM permissions when sending a request
# to perform a crypto transformation using a kms-wrapped crypto key:
# dlp.kms.encrypt
"cryptoKeyName": "A String", # The resource name of the KMS CryptoKey to use for unwrapping. [required]
"wrappedKey": "A String", # The wrapped data crypto key. [required]
},
"unwrapped": { # Using raw keys is prone to security risks due to accidentally
# leaking the key. Choose another type of key if possible.
"key": "A String", # A 128/192/256 bit key. [required]
},
"transient": { # Use this to have a random data crypto key generated.
# It will be discarded after the request finishes.
"name": "A String", # Name of the key. [required]
# This is an arbitrary string used to differentiate different keys.
# A unique key is generated per name: two separate `TransientCryptoKey`
# protos share the same generated key if their names are the same.
# When the data crypto key is generated, this name is not used in any way
# (repeating the api call will result in a different key being generated).
},
},
"radix": 42, # The native way to select the alphabet. Must be in the range [2, 62].
"commonAlphabet": "A String",
"customAlphabet": "A String", # This is supported by mapping these to the alphanumeric characters
# that the FFX mode natively supports. This happens before/after
# encryption/decryption.
# Each character listed must appear only once.
# Number of characters must be in the range [2, 62].
# This must be encoded as ASCII.
# The order of characters does not matter.
"context": { # General identifier of a data field in a storage service. # The 'tweak', a context may be used for higher security since the same
# identifier in two different contexts won't be given the same surrogate. If
# the context is not set, a default tweak will be used.
#
# If the context is set but:
#
# 1. there is no record present when transforming a given value or
# 1. the field is not present when transforming a given value,
#
# a default tweak will be used.
#
# Note that case (1) is expected when an `InfoTypeTransformation` is
# applied to both structured and non-structured `ContentItem`s.
# Currently, the referenced field may be of value type integer or string.
#
# The tweak is constructed as a sequence of bytes in big endian byte order
# such that:
#
# - a 64 bit integer is encoded followed by a single byte of value 1
# - a string is encoded in UTF-8 format followed by a single byte of value 2
"name": "A String", # Name describing the field.
},
"surrogateInfoType": { # Type of information detected by the API. # The custom infoType to annotate the surrogate with.
# This annotation will be applied to the surrogate by prefixing it with
# the name of the custom infoType followed by the number of
# characters comprising the surrogate. The following scheme defines the
# format: info_type_name(surrogate_character_count):surrogate
#
# For example, if the name of custom infoType is 'MY_TOKEN_INFO_TYPE' and
# the surrogate is 'abc', the full replacement value
# will be: 'MY_TOKEN_INFO_TYPE(3):abc'
#
# This annotation identifies the surrogate when inspecting content using the
# custom infoType
# [`SurrogateType`](/dlp/docs/reference/rest/v2/InspectConfig#surrogatetype).
# This facilitates reversal of the surrogate when it occurs in free text.
#
# In order for inspection to work properly, the name of this infoType must
# not occur naturally anywhere in your data; otherwise, inspection may
# find a surrogate that does not correspond to an actual identifier.
# Therefore, choose your custom infoType name carefully after considering
# what your data looks like. One way to select a name that has a high chance
# of yielding reliable detection is to include one or more unicode characters
# that are highly improbable to exist in your data.
# For example, assuming your data is entered from a regular ASCII keyboard,
# the symbol with the hex code point 29DD might be used like so:
# ⧝MY_TOKEN_TYPE
"name": "A String", # Name of the information type. Either a name of your choosing when
# creating a CustomInfoType, or one of the names listed
# at https://cloud.google.com/dlp/docs/infotypes-reference when specifying
# a built-in type. InfoType names should conform to the pattern
# [a-zA-Z0-9_]{1,64}.
},
},
"replaceConfig": { # Replace each input value with a given `Value`.
"newValue": { # Set of primitive values supported by the system. # Value to replace it with.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
},
},
},
],
"transformedBytes": "A String", # Total size in bytes that were transformed in some way.
},
"item": { # Container structure for the content to inspect. # The re-identified item.
"table": { # Structured content to inspect. Up to 50,000 `Value`s per request allowed. # Structured content for inspection. See
# https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
# See https://cloud.google.com/dlp/docs/inspecting-text#inspecting_a_table to
# learn more.
"headers": [
{ # General identifier of a data field in a storage service.
"name": "A String", # Name describing the field.
},
],
"rows": [
{
"values": [
{ # Set of primitive values supported by the system.
# Note that for the purposes of inspection or transformation, the number
# of bytes considered to comprise a 'Value' is based on its representation
# as a UTF-8 encoded string. For example, if 'integer_value' is set to
# 123456789, the number of bytes would be counted as 9, even though an
# int64 only holds up to 8 bytes of data.
"floatValue": 3.14,
"timestampValue": "A String",
"dayOfWeekValue": "A String",
"timeValue": { # Represents a time of day. The date and time zone are either not significant
# or are specified elsewhere. An API may choose to allow leap seconds. Related
# types are google.type.Date and `google.protobuf.Timestamp`.
"hours": 42, # Hours of day in 24 hour format. Should be from 0 to 23. An API may choose
# to allow the value "24:00:00" for scenarios like business closing time.
"nanos": 42, # Fractions of seconds in nanoseconds. Must be from 0 to 999,999,999.
"seconds": 42, # Seconds of minutes of the time. Must normally be from 0 to 59. An API may
# allow the value 60 if it allows leap-seconds.
"minutes": 42, # Minutes of hour of day. Must be from 0 to 59.
},
"dateValue": { # Represents a whole or partial calendar date, e.g. a birthday. The time of day
# and time zone are either specified elsewhere or are not significant. The date
# is relative to the Proleptic Gregorian Calendar. This can represent:
#
# * A full date, with non-zero year, month and day values
# * A month and day value, with a zero year, e.g. an anniversary
# * A year on its own, with zero month and day values
# * A year and month value, with a zero day, e.g. a credit card expiration date
#
# Related types are google.type.TimeOfDay and `google.protobuf.Timestamp`.
"year": 42, # Year of date. Must be from 1 to 9999, or 0 if specifying a date without
# a year.
"day": 42, # Day of month. Must be from 1 to 31 and valid for the year and month, or 0
# if specifying a year by itself or a year and month where the day is not
# significant.
"month": 42, # Month of year. Must be from 1 to 12, or 0 if specifying a year without a
# month and day.
},
"stringValue": "A String",
"booleanValue": True or False,
"integerValue": "A String",
},
],
},
],
},
"byteItem": { # Container for bytes to inspect or redact. # Content data to inspect or redact. Replaces `type` and `data`.
"type": "A String", # The type of data stored in the bytes string. Default will be TEXT_UTF8.
"data": "A String", # Content data to inspect or redact.
},
"value": "A String", # String data to inspect or redact.
},
}